On Mon, Jun 30, 2003 at 05:18:12PM -0400, Barry Shein wrote:
> Ok ok, fair enough, but there is something so low-intensity about
> zombie spambots that it seems to have gone on for months with people
> only noticing the result. That makes it different.
Agreed ;-)
However I notice in my logs (emails to non-existent users) that there
are patterns, where spammers concentrate on one account. I see within
a 30 second timeframe connections from about 10-50 different hosts where
they try to double inject messages to one user.
I have also seen similar behaviour with kinda dictionary spams where
they always have 5-10 hosts in parallel work on a subset of usernames
e.g. aa*(_at_)domain to ae*(_at_)domain
af*(_at_)domain to al*(_at_)domain
[ ... ]
and a total of some 100 hosts per day. If the spammer didn't "fine tune"
the process and there are 40-50 hosts in parallel it qualifies for a DDoS,
IMHO.
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
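
The first pattern described in the message above (many different hosts hitting one non-existent recipient inside a 30-second window) can be detected from rejection logs with a per-recipient sliding window. This is an added example, not part of the original post; the log line layout, addresses, thresholds and function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

def parse(line):
    """Parse an assumed 'ISO-timestamp client-ip rejected-recipient' line."""
    ts, ip, rcpt = line.split()
    return datetime.fromisoformat(ts), ip, rcpt.lower()

def find_bursts(events, window_s=30, min_hosts=10):
    """Return {recipient: peak distinct hosts within any window_s span}
    for recipients whose peak reaches min_hosts."""
    recent = defaultdict(deque)   # recipient -> (ts, ip) pairs still in window
    peak = defaultdict(int)
    for ts, ip, rcpt in sorted(events):
        q = recent[rcpt]
        q.append((ts, ip))
        # Drop rejections that have aged out of the window.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        # Count distinct hosts, so one host retrying does not trigger.
        peak[rcpt] = max(peak[rcpt], len({host for _, host in q}))
    return {r: n for r, n in peak.items() if n >= min_hosts}

def constructed_sample():
    """Constructed 'user unknown' rejections (documentation IP ranges)."""
    lines = []
    for i in range(12):   # 12 hosts, 2 s apart: all inside one 30 s window
        lines.append(f"2003-06-30T10:00:{i * 2:02d} 192.0.2.{i + 1} bob@example.org")
    for i in range(12):   # 12 hosts, 1 min apart: never 10 within 30 s
        lines.append(f"2003-06-30T11:{i:02d}:00 198.51.100.{i + 1} carol@example.org")
    for i in range(5):    # a single host retrying the same address
        lines.append(f"2003-06-30T10:00:{i:02d} 203.0.113.7 alice@example.org")
    return lines

if __name__ == "__main__":
    events = [parse(line) for line in constructed_sample()]
    for rcpt, hosts in find_bursts(events).items():
        print(f"{rcpt}: {hosts} distinct hosts within 30 s")
```

Widening `window_s` also surfaces slower campaigns such as the constructed `carol@example.org` case, at the cost of more false positives on busy addresses.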