Alan DeKok wrote:
Kee Hinckley <nazgul(_at_)somewhere(_dot_)com> wrote:
I know of at least one ISP (and I'm sure there are others) that do
this. He blocks based on bounces. As soon as he blocks an IP,
another one starts sending him the spam. This goes on for thousands
of IPs.
I spent a few days last year blocking IPs based on bounces. It
went as follows:
<block 100's of IPs>
<wait 10 minutes>
<repeat>
No end in sight.
I seriously wonder if there isn't some rather sophisticated
distributed server spam software running out there on rooted servers,
and we just haven't figured it out yet.
That would fit the data I'm seeing.
Both the analysis I've done on your spamtrap, and the analysis I've done
on ours, would indicate that you don't need to go to these lengths to
"fit the data".
The simpler answer is "Millions CDs and LOTS of open proxies/relays".
I've generally not seen IPs _notice_ that we're rejecting email. It's
simply that certain spam variants are sent from literally thousands of
different IPs. I.e.: debt consolidation, viagra, HGH.
Some of this is certainly orchestrated from central points (e.g. Ralsky's
operations), but I don't see anything to indicate that even Ralsky makes
use of the rejection information to "drive" his forwarders differentially.
Of course, 10,000 clueless small-scale spammers would also fit the
data, but I think that's less likely.
A few Millions CD/open proxy/socks ratware owners would explain it too.
Spot checks of both your and our data showed a high correlation between
source IPs and IPs already blacklisted by BOPM, Monkeys, OSIRUS
proxy/socks et al.
Note also that if they're using open relays, with the usual forged MAIL
FROM (which is a pretty high percentage of spam), the spammer _CANNOT_
see the rejects or bounces.
However, I have seen reports of stealth spamware trojans from ISP abuse
desks. This is where somehow a piece of software got installed onto a
user's machine, that instead of listening for inbound connects (like an
open proxy), periodically calls _out_ to the spammer, and retrieves
instructions on what to do. No details or forensics seen yet.
These are truly nasty, because you can't scan for them.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
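The spot check described in the reply above (group rejected spam by variant, count how many distinct source IPs each variant arrives from, and see what fraction of those IPs a proxy/relay DNSBL already lists) as a small, runnable analysis. This is an added example and not code from anyone in the thread; the reject-log lines, the DNSBL zone name `proxies.dnsbl.example` and its listed addresses are all constructed here so that it runs offline, and the log format is an assumption rather than any particular MTA's. It also shows why the bounces never reach the sender: every reject for a variant would go to the same forged envelope address regardless of which IP relayed it.

```python
"""Spot-check analysis of spam source IPs (added example, not from the thread).

Assumptions (not from the original message):
  - reject log lines look like the constructed LOG below
  - the DNSBL zone name and its listed addresses are made up for offline use
"""
import ipaddress
import re
from collections import defaultdict

# Constructed reject-log lines: timestamp, source IP, envelope sender, subject.
LOG = """\
2003-06-02T10:00:01 reject ip=10.0.0.5 from=<bob@example.net> subj="Debt consolidation now"
2003-06-02T10:00:07 reject ip=10.0.0.9 from=<jane@example.org> subj="Cheap VIAGRA online"
2003-06-02T10:01:13 reject ip=10.0.0.5 from=<x@example.com> subj="debt consolidation offer"
2003-06-02T10:02:44 reject ip=10.0.1.77 from=<bob@example.net> subj="HGH - grow young"
2003-06-02T10:03:02 reject ip=192.0.2.10 from=<> subj="Viagra at 80% off"
2003-06-02T10:03:59 reject ip=10.0.2.3 from=<bob@example.net> subj="Debt Consolidation"
2003-06-02T10:04:20 reject ip=198.51.100.7 from=<sales@example.net> subj="HGH special"
"""

LINE_RE = re.compile(r'ip=(?P<ip>\S+) from=<(?P<from>[^>]*)> subj="(?P<subj>[^"]*)"')

# Crude subject-keyword classifier for the three variants named in the thread.
VARIANTS = {"debt": "debt consolidation", "viagra": "viagra", "hgh": "hgh"}


def classify(subject):
    s = subject.lower()
    for key, name in VARIANTS.items():
        if key in s:
            return name
    return "other"


def parse_log(text):
    """Return (source_ip, envelope_from, subject) tuples for each reject line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("from"), m.group("subj")))
    return out


def ips_per_variant(records):
    """Distinct source IPs seen for each spam variant, sorted numerically."""
    seen = defaultdict(set)
    for ip, _, subj in records:
        seen[classify(subj)].add(ip)
    return {k: sorted(v, key=ipaddress.ip_address) for k, v in seen.items()}


def bounce_targets_per_variant(records):
    """Envelope senders that bounces for each variant would be delivered to.

    With a forged MAIL FROM these are unrelated to the relaying IP, which is
    why the spammer never sees the rejects.  '<>' (null sender) yields ''.
    """
    targets = defaultdict(set)
    for ip, sender, subj in records:
        targets[classify(subj)].add(sender)
    return {k: sorted(v) for k, v in targets.items()}


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed dotted quad under the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for a proxy/relay DNSBL: query name -> returned A record.
FAKE_ZONE = "proxies.dnsbl.example"
FAKE_ZONE_DATA = {
    dnsbl_query_name("10.0.0.5", FAKE_ZONE): "127.0.0.2",
    dnsbl_query_name("10.0.0.9", FAKE_ZONE): "127.0.0.2",
    dnsbl_query_name("10.0.2.3", FAKE_ZONE): "127.0.0.3",
    dnsbl_query_name("192.0.2.10", FAKE_ZONE): "127.0.0.2",
}


def dnsbl_listed(ip, zone=FAKE_ZONE, resolve=FAKE_ZONE_DATA.get):
    """True if the list answers with an A record for the IP.

    `resolve` takes a query name and returns the A record or None; it defaults
    to the fake zone above, a real resolver can be passed in for live checks.
    """
    return resolve(dnsbl_query_name(ip, zone)) is not None


def blacklist_overlap(records):
    """(number of distinct source IPs already listed, total distinct source IPs)."""
    ips = {ip for ip, _, _ in records}
    listed = {ip for ip in ips if dnsbl_listed(ip)}
    return len(listed), len(ips)


if __name__ == "__main__":
    recs = parse_log(LOG)
    for variant, ips in ips_per_variant(recs).items():
        print(f"{variant}: {len(ips)} distinct IPs, bounces go to "
              f"{bounce_targets_per_variant(recs)[variant]}")
    listed, total = blacklist_overlap(recs)
    print(f"{listed}/{total} source IPs already on {FAKE_ZONE}")
```

On real data, swap `LINE_RE` for your MTA's reject-line format and pass a `resolve` callback that does an A lookup of the query name (any DNS library will do); a high listed/total ratio is the "open proxy/relay" signal the reply describes, while a variant arriving from many distinct unlisted IPs with the same forged sender is the pattern that makes per-IP blocking on bounces a losing race.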