ArticlePDF Available

Abstract and Figures

Brute force techniques used in many fields of authentication process. Ftp servers, web servers and mail servers very often got threatened by attackers. Old technique for mail service brute force still working and it can be easily detected by special signature. Main sources of attacks were detected and separated by countries and time of the day. Bursts of attacks detected depending on weekdays. Copyright © 2016 Institute of Advanced Engineering and Science. All rights reserved.
Content may be subject to copyright.
International Journal of Electrical and Computer Engineering (IJECE)
Vol. 6, No. 4, August 2016, pp. 1681~1684
ISSN: 2088-8708, DOI: 10.11591/ijece.v6i4.10320 1681
Journal homepage:
Analysis of Brute Force Attacks with Ylmf-pc Signature
Anton Valeryevich Arzhakov, Dmitry Sergeevich Silnov
Department of Information Systems and Technologies, National Research Nuclear University MEPhI (Moscow
Engineering Physics Institute), Moscow, Russia
Article Info ABSTRACT
Article history:
Received Jan 18, 2016
Revised Mar 14, 2016
Accepted Mar 29, 2016
Brute force techniques used in many fields of authentication process. Ftp
servers, web servers and mail servers very often got threatened by attackers.
Old technique for mail service brute force still working and it can be easily
detected by special signature. Main sources of attacks were detected and
separated by countries and time of the day. Bursts of attacks detected
depending on weekdays.
Brute force
Mail spam
Ylmf-pc Copyright © 2016 Institute of Advanced Engineering and Science.
All rights reserved.
Corresponding Author:
Dmitry Sergeevich Silnov,
Department of Information Systems and Technologies,
National Research Nuclear University MEPhI (Moscow Engineering Physics Institute),
Kashirskoe sh. 31, Moscow, Russian Federation.
In today’s world, information security has become a very crucial issue like never before. With
unauthorized access to certain services, an attacker can cause significant financial damage to the victim. Any
modern information resource [1],[2] may be subject to attack. So, the various seemingly minor attacks should
not be overlooked. Such attacks include brute force attack with Ylmf-pc signature [3] against a mail server.
With time, many mail server owners are faced with a situation where the server log file (an example
is shown in Figure 1 is filled with lots of records about attempts to connect to the server from the user ylmf-
As can be seen in the Figure 1, the server blocks connection from ylmf-pc, which sends wrong smtp
ehlo/helo command [4]. Ylmf-pc is the name used during authentication on the server. Upon receipt of this
command, the server checks whether the name sent matches with the IP address from where the command
came, and if they don’t match, then it is most likely that person is an unscrupulous user. The server
terminates or doesn’t terminate such connection depending on the server settings. The attack is aimed at
obtaining the authentication password of an e-mail server via a brute force attack. If authentication is
successful, the attacker gains access to the mail server account from where spam will be subsequently sent. It
is widely believed that servers, whose security was breached using ylmf-pc queries, are one of the largest
Cutwail/Pushdo botnets [5]. However, there is no reliable information that the attacking computers or
compromised computers are part of this botnet [6].
ISSN: 2088-8708
IJECE Vol. 6, No. 4, August 2016 : 1681 – 1684
Figure 1. An example of the log-file
As can be seen from Figure 2, there is no cyclic pattern of queries, but it should be noted that
activity peaks on weekends. At the same time, it should be remembered that the time of the attacker and not
of the victim should be taken into account. These observations coincide with the patterns derived in [7]. On
weekdays, when servers are busy sending out spam emails, less resources are allocated to the botnet for its
hacking attempts on new servers. But during weekends when the spam effectiveness falls, the servers deploy
the bonnet to expand.
Figure 2. Activity query from ylmf-pc
There are various IP addresses from which ylmf-pc brute-force attack is carried out. Therefore,
blocking connections by IP address will not fetch the proper result. Since IP addresses rarely change country,
one can see which countries have the highest activity of ylmf-pc queries. Collected statistics showed that IP
addresses from the United States, the Netherlands and France account for over half of the queries. The full
picture of the percentage distribution of the number of queries from different countries is shown in Figure 3.
The statistics was gathered over 100 days. A total of 192,858 queries from clients with ylmf-pc
signature were recorded. The top 5 countries that sent the highest number of queries are presented in the
Table 1.
IJECE ISSN: 2088-8708
Analysis of Brute Force Attacks with Ylmf-pc Signature (Anton Valeryevich Arzhakov)
Figure 3. Distribution of queries by country
Table 1. Statistical results of attacker ip addresses
IP address (country of location) Number of queries (percentage of
the total number of queries) 43,895 (22%) 15,926 (8%) 8,155 (4%) 7,237 (3%) 6,413 (3%)
There were 599 unique IP addresses from which attacks were made. There was an average of
1928.58 queries, and about 80 queries per hour. That is, an average of 1.3 queries per minute. Daytime
queries (9:00 to 21:00) account for 59%, while night queries (21:00 to 09:00) take up the remaining 41%. At
the same time, this distribution for each country does not match. Figure 4 shows the distribution for the top 3
countries by number of queries and averaged statistics.
Figure 4. Distribution of queries (day/night)
There are several approaches when it comes to protecting against this type of attack. One option is
to block an IP address after several unsuccessful helo/ehlo authentication attempts. With this approach, you
must not forget that connection attempts originate from multiple, dynamically allocated IP addresses, and that
a blocked address may, after some time, be given to an innocent user. So the optimum ban duration should be
chosen. Another option is to interrupt the query session while in the helo/ehlo query field of the ylmf-pc
ISSN: 2088-8708
IJECE Vol. 6, No. 4, August 2016 : 1681 – 1684
signature. This option is more preferable because the server, in this case, doesn’t process the query, but rather
gives a response that the query is incorrect, and immediately terminates the connection, thereby not
informing the attacker about whether the data (username and password) sent by him were correct or not.
Before establishing a connection, you may also want to check whether the IP address is in the list of infected
IP addresses, for example, fail2ban. Another way to protect against this type of attack is to reconfigure the
mail server to another port –ylmf-pc executes attack on standard SMTP port. More and more various ways of
protection have been emerging over time, and they are moving from one area of use to another [8].
To summarize it all, it should be noted that despite the seeming harmlessness of ylmf-pc queries,
loss of control over a mail server account, for example, an educational system [9] or even any functioning
mail server, can lead to tragic consequences: your server will become part of the botnet due to sending of
various kinds of spam from it [10] and later the IP address will be included by services in the list of spam
addresses (DNSBL).
The issue of password guessing is massive in nature. Despite the simplicity of this attack and
methods of protection against it, ylmf-pc brute-force attack appears to be producing results, as this attack has
been used for over five years now. This implies that its use has been successful on some servers. During the
period under review, the top IP addresses in terms of number of attack attempts are IP addresses from the
Netherlands and the United States. Both countries shared the first position with 44,000 ylmf-pc queries each
(23% of the total).
[1] D. Devjatykh, et al., “Sleep Apnea Detection Based on Dynamic Neural Networks,” Communications in Computer
and Information Science, vol. 466, pp. 556-567, 2014.
[2] O. G. Berestneva, et al., “Multidimensional medical data visualization methods based on generalized graphic
images,” World Applied Sciences Journal, vol/issue: 24(24), pp. 18-23, 2013.
[3] Sullivan B., “Preventing a Brute Force or Dictionary Attack: How to Keep the Brutes Away from your Loot,” 2007.
http://h71028. www7. hp. com/ERC/cache/568358-0-0-0-121. html/ (accessed on 21 February 2010).
[4] Klensin J., “RFC 5321—Simple mail transfer protocol (SMTP),” RFC 5321, 2008.
[5] Decker A., et al., “Pushdo/cutwail botnet,” 2009.
[6] Zhuang L., et al., “Characterizing Botnets from Email Spam Records,” LEET, pp. Т. 8. – С. 1-9, 2008.
[7] D. S. Silnov, “An Analysis of Modern Approaches to the Delivery of Unwanted Emails (Spam),” Indian Journal of
Science and Technology, vol/issue: 9(4), 2016. DOI: 10.17485/ijst/2016/v9i4/84803.
[8] Belashenkova N. N., et al., “Protection Methods of Assessment Procedures Used in e-Learning,” 13th International
Conference on Emerging eLearning Technologies and Applications, pp. 27-32, 2015.
Undergraduate at Department of Information Systems and Technologies, National Research
Nuclear University MEPhI (Moscow Engineering Physics Institute). Doing researches in the
field of information secutiry.
Assosiated Professor at Department of Information Systems and Technologies, National
Research Nuclear University MEPhI (Moscow Engineering Physics Institute). Doing researches
in the field of information secutiry.
... This will need an extra efforts for maintaining and updating these lists by botnet controllers. Simple solution suggested by [5] is to reconfigure default mail server port to another port number. Botnet generated spam can be delivered directly to the Mail MX server of the recipient's domain as depicted in Figure 7. From the analysis of the network traffic, the anomalous behaviour of DNS requesting the MX standard query shows irregularity. ...
Full-text available
span>Developments in computer networking have raised concerns of the associated Botnets threat to the Internet security. Botnet is an inter-connected computers or nodes that infected with malicious software and being controlled as a group without any permission of the computer’s owner. This paper explores how network traffic characterising can be used for identification of botnet at local networks. To analyse the characteristic, behaviour or pattern of the botnet in the network traffic, a proper network analysing tools is needed. Several network analysis tools available today are used for the analysis process of the network traffic. In the analysis phase, the botnet detection strategy based on the signature and DNS anomaly approach are selected to identify the behaviour and the characteristic of the botnet. In anomaly approach most of the behavioural and characteristic identification of the botnet is done by comparing between the normal and anomalous traffic. The main focus of the network analysis is studied on UDP protocol network traffic. Based on the analysis of the network traffic, the following anomalies are identified, anomalous DNS packet request, the NetBIOS attack, anomalous DNS MX query, DNS amplification attack and UDP flood attack. This study, identify significant Botnet characteristic in local network traffic for UDP network as additional approach for Botnet detection mechanism.</span
... The objectives of the fiscal policy are to increase labor intensity, carry out structural reforms, and ensure social stability. In addition, the role of fiscal policy to support economic growth is also enhanced, including an increase in the share of expenditures that have the greatest economic effect for economic growth and social development (Arzhakov & Silnov, 2016), the formation of a "development budge"" that will ensure the solution of priority tasks, increase the share of expenditures for education, science and infrastructure, qualitative improvement of the work of social sectors. ...
Full-text available
One of the most important documents regulating the economic life of society is the state budget, which is perceived as the most important law of economic activity. The budget is necessary for each state to meet its objective monetary needs serving the fulfillment of economic, social and political functions. The fiscal policy in Russia is always at the center of public attention, which is conditioned both by the place it occupies among the main tools of economic policy, and by the very sharp criticism that it is regularly subjected to by various authorities, the public, political movements, independent experts, international organizations, and mass media. This is not surprising, since it is precisely in fiscal policy that the interests of various social groups are most vividly manifested and most harshly encountered. The fiscal policy of the state is the development and implementation of approaches to the formation of the main sources of revenue, the determination of priorities in the financing of public spending and the management of the budget deficit. The main goal of the financial and budgetary policy is to ensure conditions for sustainable economic growth based on increasing the effectiveness of state participation in redistribution of financial resources in the economy. The purpose of this article is to analyze the peculiarities of the financial and budgetary policy of Russia at the present stage of its development.
... The existing territorial-spatial state economic space has caused a significant differentiation of the regions of the state in terms of the level and nature of social and economic development. The progressive experience of successfully developing territories shows that their competitiveness on a national scale is largely based on the subjects of entrepreneurship consolidated on the territorial basis (Arzhakov & Silnov, 2016). ...
Full-text available
The formation of new approaches to economic growth that will unite scientific, educational and production potentials, as well as lead to an increase in the competitiveness of enterprises, the region, the economy of the nation in general, both research and educational organizations, will have a further multiplier effect on the formation of an economy processes of a new order. This trend in the formation of modern approaches, and their successful implementation will result in the transition of the Russian economy to an economy of innovative type, more adjusted to relevant world trends and markets. The urgency of implementing cluster approaches in the development of the economy on the basis of innovative territorial clusters is dictated by the need to ensure a balanced and sustainable development of the domestic economic system through the promotion of innovation in individual territories. Such actively formed territories can now become clusters. In the modern world, clusters, with their completely different policy of realizing their activities, displaying the newest forms and competitiveness, become springboards' that help launch territories into the economy of the future. Today, the competitiveness of the economy of the region and the state depends not only on technical achievements or inventions, but also on organizational changes that contribute to the achievement by them of high commercial results, as well as on marketing innovations in the promotion and implementation of cluster policies.
Full-text available
The security of message information has drawn more attention nowadays, so; cryptography has been used extensively. This research aims to generate secured cipher keys from retina information to increase the level of security. The proposed technique utilizes cryptography based on retina information. The main contribution is the original procedure used to generate three types of keys in one system from the retina vessel's end position and improve the technique of three systems, each with one key. The distances between the center of the diagonals of the retina image and the retina vessel's end (diagonal center-end (DCE)) represent the first key. The distances between the center of the radius of the retina and the retina vessel's end (radius center-end (RCE)) represent the second key. While the diagonal-radius center and the retina vessel's end (diagonal-radius center-end (DRCE)) represent the third key. The results illustrate the process's validity and applicability. Also, improve the time required to decrypt the cipher-text by a brute force attack (BFA) from (4.358e+139) year in the compared technique to (1.3074e+140) year for retina3. The BFA time will increase with increasing the number of retina vessels, as in retina1, 2, and 3, which have 24, 53, and 103 retina vessels. Keywords: Cryptography Diagonal center-end key Diagonal-radius center-end key Radius center-end key Retina feature extraction Retina information This is an open access article under the CC BY-SA license.
Conference Paper
This article observes the possibility of protection network resources from malicious attacks using traps that simulate SSH service. There are overviewed main types of attacks, analyzed existing software solutions, its basic working principles and opportunities for further improvement. In addition, there is described author's solution, which can increase the attractiveness of SSH honeypot working under Ubuntu OS.
Conference Paper
The article considers one of the most demonstrative graphical methods of quality evaluation of pseudorandom numbers generators. Existing approaches to improve this method are described. The method, which allows increasing of the amount of useful information obtained through testing, is presented. Results of increase in productivity of the test using hybrid computing technologies are considered.
Conference Paper
This article observes main issues of wireless Wi-Fi network cyber security. There is described a way to obtain data about Wi-Fi network access points located in central district of Moscow. Information obtained through scanning is processed. There is also analyzed security against unauthorized access to data transferred via wireless communication and protection from number of attacks related to access points. Network access zones with signs of vulnerability are illustrated on Moscow maps.
Full-text available
We develop new techniques to map botnet membership using traces of spam email. To group bots into botnets we look for multiple bots participating in the same spam email campaign. We have applied our technique against a trace of spam email from Hotmail Web mail services. In this trace, we have successfully identified hundreds of botnets. We present new findings about botnet sizes and behavior while also confirming other researcher's observations derived by different methods [1, 15].
Background: A new way of spam sending was discovered. Old spam techniques not effective now, spammers find new ways. Analysis: The analysis shows that spammers find new ways to bypass very efficient tools to catch spam like DNSBL, SPF and some others. Findings: New discovered approach uses cheap domain names and cheap hosting services to imitate legal mail servers. Conclusion: New anti-spam tools needed to fight against new spam sending wave.
The work devoted to the problem of analysis and interpretation of multi-dimensional medical data based on the generalized graphic images. The existing methods and approaches, including those proposed by the authors were considered. The main problem of data visualization is the problem of obtaining a visual image that is uniquely relevant to the data set. The authors propose an approach that allows to perform visualization of the major linear structures: segment, polyline, simplex in multidimensional spaces. Presentation of multivariate observations in a two-dimensional image (the curve) ensures that to the close by the values observation will correspond visually similar image-curves; for very different by the values observations its image-curves will be noticeably different. The results of applying this approach to the problems of practical medicine were proposed: analysis of the pregnant women physiological state dynamics, identifying hidden patterns in the structure of the physiological parameters for patients with various forms of asthma.
Conference Paper
One of widespread breath disruption that takes place during sleep is apnea, during this anomaly people are not able to get enough oxygen. The article describes method for breathing analyses that is based on neural network that allows recognition of breath patterns and predicting anomalies that may occur. Class of machine learning algorithms includes lots of models, widespread feed forward networks are able to solve task of classification, but are not quite suitable for processing time-series data. The paper describes results of teaching and testing several types of dynamic or recurrent networks: NARX, Elman, distributed and focused time delay.
To understand and then combat a brute force attack, also known as a dictionary attack, we must start by understanding why it might be an appealing tool for a hacker. To a hacker, anything that must be kept under lock and key is probably worth stealing. If your Web site (or a portion of it) requires a user to login and be authenticated, then the odds are good that a hacker has tried to break into it. In terms of processing power, it is expensive for a Web site to require authentication, so it is usually only required when the site stores valuable private information. Corporate intranet sites can contain confidential data such as project plans and customer lists. E-commerce sites often store users' email addresses and credit card numbers. Bypassing or evading authentication in order to steal this data is clearly high on a hacker's priority list, and today's hackers have a large library of authentication evasion techniques at their disposal. Session hijacking attacks such as Cross-site Scripting can steal a user's authentication token and transmit it to a malicious third party, who can then use it to impersonate the legitimate user. SQL injection attacks can also be very effective at bypassing authentication. By sending a specially-formatted username and password combination containing SQL code to the login form, an attacker can often trick the server into granting him unauthorized access. These types of attacks get a lot of attention since they are creative, elegant, and effective. However, there is another type of attack that can be just as effective, if not as elegant or creative. A brute force attack (or dictionary attack) can still be a dangerous threat to your Web site unless proper precautions are taken. The brute force attack is about as uncomplicated and low-tech as Web application hacking gets. The attacker simply guesses username and password combinations until he finds one that works. It may seem like a brute force or dictionary attack is unlikely to ever succeed. After all, what are the odds of someone randomly guessing a valid username and password combination? Surprisingly, the odds for a brute force attack can be quite good if the site is not properly configured. There are several factors that work to the hacker's advantage, the most important of which is human laziness.
Pushdo/cutwail botnet
  • A Decker
Decker A., et al., "Pushdo/cutwail botnet," 2009.