[Dshield] Spammers discover the SQL Slammer concept works - UDP 1026 spam traffic up

Johannes Ullrich jullrich at euclidian.com
Tue Sep 16 11:52:17 GMT 2003

Popup spam always used UDP. However, so far it used port 135. However,
after MS Blaster, a lot of ISPs blocked port 135. As a result, the
spam is now sent over the higher port 1026, which works as well.

A lot of this popup spam appears to be sent from spoofed IPs. I get a
lot of it with a source port of 666.

On Tue, 2003-09-16 at 07:33, Blake McNeill wrote:
> I did some research tonight and wrote a new utility (PortPuker) to investigate the increase of spam traffic on UDP port 1026, and it would appear that spammers have discovered that what gave SQL Slammer killer performance can also give them killer performance. They are now using a single packet to a single UDP port (just like SQL Slammer) to crank their delivery rates through the roof, and hence the increase in traffic on UDP port 1026.
> See http://www.LinkLogger.com/portpuker.htm
> NOTE: we also released a new version of our popular free PortPeeker utility, available at http://www.linklogger.com/portpeeker.htm
> It's now time for some much needed sleep.
> Thanks
> Blake McNeill
> http://www.SonicLogger.com - Logging Software for SonicWall
> http://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
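
The traffic pattern described in this thread (single UDP datagrams to port 135 or 1026, many with source port 666) can be summarized from firewall logs. The following is an added example, not part of the original messages or of the PortPuker/PortPeeker tools; the iptables-style log lines are constructed, and treating source port 53 as a DNS reply to an ephemeral port is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in iptables LOG style; addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 16 07:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=666 DPT=1026 LEN=384
Sep 16 07:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.6 PROTO=UDP SPT=666 DPT=1026 LEN=384
Sep 16 07:01:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=666 DPT=1026 LEN=384
Sep 16 07:02:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=UDP SPT=4242 DPT=135 LEN=390
Sep 16 07:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=UDP SPT=4242 DPT=135 LEN=390
Sep 16 07:03:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=1026 WINDOW=5840
Sep 16 07:03:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.8 PROTO=UDP SPT=53 DPT=1026 LEN=120
"""

FIELD = re.compile(r"(\w+)=(\S*)")
POPUP_PORTS = {135, 1026}   # destination ports named in the thread
REPORTED_SPT = 666          # source port reported in the thread
REPLY_SPTS = {53}           # assumption: DNS answers to an ephemeral port 1026


def parse(line):  # -> (src, dst, spt, dpt) for UDP lines, else None
    f = dict(FIELD.findall(line))
    if f.get("PROTO") != "UDP":
        return None
    try:
        return f["SRC"], f["DST"], int(f["SPT"]), int(f["DPT"])
    except (KeyError, ValueError):
        return None


def summarize(log_text, min_targets=3):
    by_port, per_pair = Counter(), Counter()
    spt_hits = replies = 0
    for src, dst, spt, dpt in filter(None, map(parse, log_text.splitlines())):
        if dpt not in POPUP_PORTS:
            continue
        if spt in REPLY_SPTS:        # likely a reply, not unsolicited traffic
            replies += 1
            continue
        by_port[dpt] += 1
        spt_hits += spt == REPORTED_SPT
        per_pair[src, dst] += 1
    counts = defaultdict(list)
    for (src, _dst), n in per_pair.items():
        counts[src].append(n)
    # One packet per target across many targets: the single-datagram pattern.
    one_shot = {s: len(c) for s, c in counts.items()
                if len(c) >= min_targets and set(c) == {1}}
    return {"by_port": dict(by_port), "spt_666": spt_hits,
            "likely_replies": replies, "one_shot_sources": one_shot}
```

Because the thread notes that many source addresses are spoofed, the per-source grouping is useful for sizing the traffic rather than for attributing it.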
