On Sun, 9 Jan 2005 13:55:08 +1100, Chris Drake wrote:

> I'm just wondering if it's a hacker targeting me, or a virus hitting
> everyone - someone's using "broken" MTAs to "bounce" millions of
> emails at all my servers for the last month or so.
You are probably just unlucky that you have been randomly
joe-jobbed on a big set of spam runs, though it isn't unknown for
spammers to use the domains of those that complain to their
suppliers. This was one of the reasons for spamcop mega-munging
spam reports, since ISPs were forwarding the reports to the
spammers, or the spammers were maintaining the abuse addresses.

For an interesting article on DoS by NDR have a look at this:
http://www.techzoom.net/paper-mailbomb.asp
I have personally noted a few patterns in spam technique from
some of the systems (Clearswift Mailsweeper) I have support
responsibility for, which are unable to check the recipient at
the gateway pre-DATA, and the supplier considers it not to be
important in an anti-spam product:

Use of invalid addresses which look like family names listed on
genealogy sites. I think these have been used to make spam CDs
(you know the sort, 4 billion genuine addresses for $20); I think
this because there are a few valid addresses mixed into the same
runs, in a different format.

A variation on the above, probably due to a problem with data
extraction from the email database, is that the first few (varies)
characters of the above names are missing, e.g. brown@example.com
becomes own@example.com.

A lot of invalid addresses starting with "a", which are obviously
invalid.
I now have fairly effective filters and a database for the above,
to reduce the processing overhead on the affected system,
and so it does not NDR-bomb the forged recipients.
These systems experience between 10,000 and 20,000 of these
false recipients, with a peak of over 50,000.

However, the (forged) from addresses of this spam do not seem to
be picking on any domain in particular, though a small
percentage of the domains are invalid, so they can be rejected pre-DATA.
Karl Prince
______________________________________________________________
Email via Mailtraq4Free from Enstar (www.mailtraqdirect.co.uk)
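The defence Karl describes, rejecting unknown recipients and unresolvable sender domains during the SMTP envelope rather than accepting the message and bouncing it later, can be sketched as a small policy module. The following is an added example, not code from this thread, from Mailsweeper or from Mailtraq; the recipient table, the surname list, the resolvable-domain set and the sample RCPT TO list are all constructed, and the DNS check is stood in for by a static set.

```python
"""Added example: envelope-time policy that refuses unknown recipients and
unresolvable sender domains before DATA, so the gateway never has to send an
NDR to a forged sender. Every table here is constructed test data."""
import re
from collections import Counter

# Constructed: mailboxes this gateway really knows, keyed by local domain.
VALID_RECIPIENTS = {"example.com": {"brown", "smith", "postmaster", "abuse"}}

# Constructed: surnames of the kind seen on genealogy-style lists.
FAMILY_NAMES = {"brown", "smith", "johnson", "williams", "anderson"}

# Constructed: stand-in for an MX/A lookup (no real DNS query is made here).
RESOLVABLE_DOMAINS = {"example.com", "example.net", "example.org"}

ADDRESS_RE = re.compile(r"^([a-z0-9._%+-]+)@([a-z0-9.-]+\.[a-z]{2,})$")


def split_address(address):
    """Return (local_part, domain) in lower case, or None if malformed."""
    m = ADDRESS_RE.match(address.strip().lower())
    return (m.group(1), m.group(2)) if m else None


def classify_local_part(local, domain):
    """Label a recipient as valid or with the spam-list pattern it matches."""
    if local in VALID_RECIPIENTS.get(domain, set()):
        return "valid"
    if local in FAMILY_NAMES:
        return "family-name"
    # 'brown' harvested as 'own': the local part is a proper suffix of a surname.
    if len(local) >= 2 and any(n != local and n.endswith(local) for n in FAMILY_NAMES):
        return "truncated-family-name"
    if local.startswith("a"):
        return "a-prefix"
    return "unknown"


def mail_from_response(sender):
    """MAIL FROM policy: refuse envelope senders whose domain cannot resolve."""
    parts = split_address(sender)
    if parts is None:
        return (501, "5.1.7 Bad sender address syntax")
    if parts[1] not in RESOLVABLE_DOMAINS:
        return (550, "5.1.8 Sender domain does not resolve")
    return (250, "2.1.0 Sender OK")


def rcpt_response(recipient):
    """RCPT TO policy: (code, text, kind); only existing mailboxes get 250."""
    parts = split_address(recipient)
    if parts is None:
        return (501, "5.1.3 Bad recipient address syntax", "malformed")
    local, domain = parts
    if domain not in VALID_RECIPIENTS:
        return (550, "5.7.1 Relaying denied", "relay-denied")
    kind = classify_local_part(local, domain)
    if kind == "valid":
        return (250, "2.1.5 Recipient OK", kind)
    return (550, "5.1.1 User unknown", kind)


def simulate_session(sender, recipients):
    """Run one envelope through both policies.

    Returns (accepted, rejected_by_kind, ndrs_avoided): the last value is how
    many bounces an accept-then-bounce gateway would have sent back to the
    (probably forged) sender for this same envelope.
    """
    if mail_from_response(sender)[0] != 250:
        # Whole transaction refused at MAIL FROM: nothing reaches DATA.
        return ([], Counter(), len(recipients))
    accepted, rejected = [], Counter()
    for rcpt in recipients:
        code, _, kind = rcpt_response(rcpt)
        if code == 250:
            accepted.append(rcpt)
        else:
            rejected[kind] += 1
    return (accepted, rejected, sum(rejected.values()))


# Constructed RCPT TO list mixing one real mailbox with the patterns above.
SAMPLE_RECIPIENTS = [
    "brown@example.com",     # valid
    "own@example.com",       # 'brown' with its leading characters lost
    "johnson@example.com",   # surname, no such mailbox
    "aardvark@example.com",  # starts with 'a'
    "zzz@example.com",       # no pattern, still unknown
    "brown@other.test",      # not our domain: relay attempt
    "bad address",           # unparseable
]

if __name__ == "__main__":
    acc, rej, avoided = simulate_session("nobody@example.net", SAMPLE_RECIPIENTS)
    print("accepted:", acc)
    print("rejected pre-DATA:", dict(rej))
    print("bounces an accept-then-bounce gateway would have sent:", avoided)
```

Every 550 here is issued while the sending MTA is still connected, so the sender (and not the forged From domain) carries the cost of the rejection; the `kind` label is only there so the counts per pattern can be logged and watched over time, as the post describes doing.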