spf-discuss

Re: Is anyone else getting DoS'd by relay attacks?

2005-01-09 07:40:07
On Sun, 9 Jan 2005 13:55:08 +1100, Chris Drake wrote:

> I'm just wondering if it's a hacker targeting me, or a virus hitting
> everyone - someone's using "broken" MTAs to "bounce" millions of
> emails at all my servers for the last month or so.

You are probably just unlucky that you have been randomly 
joe-jobbed on a big set of spam runs, though it isn't unknown for 
spammers to use the domains of those that complain to their 
suppliers. This was one of the reasons for SpamCop mega-munging 
spam reports, since ISPs were forwarding the reports to the 
spammers, or the spammers were maintaining the abuse addresses.

For an interesting article on DOS by NDR have a look at this:
http://www.techzoom.net/paper-mailbomb.asp

I have personally noted a few patterns in spam technique from 
some of the systems (Clearswift Mailsweeper) I have support 
responsibility for, which are unable to check the recipient at 
the gateway pre-DATA, and the supplier considers it not to be 
important in an anti-spam product:

Use of invalid addresses which look like family names listed on 
genealogy sites. I think these have been used to make spam CDs 
(you know the sort, 4 billion genuine addresses for $20); I think 
this because there are a few valid addresses mixed into the same 
runs, in a different format.

A variation on the above, probably due to a problem with data 
extraction from the email database, is that the first few (varies) 
characters of the above names are missing, e.g. brown@example.com 
becomes own@example.com.

Lots of invalid addresses starting with "a", which are obviously 
invalid.

I now have fairly effective filters and a database for the above, 
to reduce the processing overhead on the affected system, 
and so it does not NDR bomb the forged recipients.

These systems experience between 10,000 and 20,000 of these 
false recipients, with a peak of over 50,000.

However, the (forged) From addresses of this spam do not seem to 
be picking on any domain in particular, though a small 
percentage of the domains are invalid, so they can be rejected pre-DATA.

Karl Prince
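The mitigation Karl describes (checking recipients and sender domains at the gateway before DATA, so that the gateway never accepts mail it would later have to NDR to a forged sender) sketched as an added Python example. This is not the poster's Mailsweeper configuration; the directory of valid users, the invalid-sender-domain list and the alert threshold are constructed for illustration.

```python
"""Pre-DATA gateway policy: reject unknown RCPT TO and undeliverable
MAIL FROM at SMTP time, so no NDR is ever generated towards a forged
sender. All data below is constructed for the example."""
import re
from collections import Counter

LOCAL_DOMAIN = "example.com"
# Constructed directory of deliverable local-parts at this gateway.
VALID_LOCAL_PARTS = {"brown", "smith", "postmaster", "abuse"}
# Constructed: forged sender domains already known not to accept NDRs.
# A real gateway would do an MX/A lookup here instead of a static set.
KNOWN_INVALID_SENDER_DOMAINS = {"nosuchdomain.invalid"}

ADDR_RE = re.compile(r"^([A-Za-z0-9._+-]+)@([A-Za-z0-9.-]+)$")


def smtp_mail_from(sender):
    """Decision at MAIL FROM. The null sender (a bounce) must be accepted;
    a sender whose domain cannot take an NDR is refused before DATA."""
    if sender == "":
        return "250 OK"
    m = ADDR_RE.match(sender)
    if not m or m.group(2).lower() in KNOWN_INVALID_SENDER_DOMAINS:
        return "550 5.1.8 sender domain invalid"
    return "250 OK"


def smtp_rcpt_to(recipient):
    """Decision at RCPT TO, i.e. pre-DATA. An unknown user gets a 5xx now,
    so the connecting MTA owns the failure and this gateway sends no NDR."""
    m = ADDR_RE.match(recipient)
    if not m or m.group(2).lower() != LOCAL_DOMAIN:
        return "554 5.7.1 relay denied"
    if m.group(1).lower() not in VALID_LOCAL_PARTS:
        return "550 5.1.1 user unknown"
    return "250 OK"


def process_run(sender, recipients, alert_threshold=3):
    """Run one envelope through the policy. ndrs_avoided counts the bounces
    an accept-then-bounce gateway would have sent to the (forged) sender;
    alert flags a run whose unknown-recipient count suggests a list attack."""
    if not smtp_mail_from(sender).startswith("250"):
        return {"accepted": 0, "ndrs_avoided": 0, "alert": False,
                "sender_rejected": True}
    replies = Counter(smtp_rcpt_to(r) for r in recipients)
    unknown = replies["550 5.1.1 user unknown"]
    return {"accepted": replies["250 OK"], "ndrs_avoided": unknown,
            "alert": unknown >= alert_threshold, "sender_rejected": False}
```

Feeding the gateway's RCPT rejection counts into a counter like `process_run` is also how the 10,000 to 50,000 per-run spikes above would show up as a measurable signal rather than as an outbound bounce storm.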
