[Dshield] Mail bombing by MyDoom, bouncing of infected emails, and a few other random thoughts

Doug White doug at clickdoug.com
Sun Feb 1 17:34:57 GMT 2004



:
: On Jan 29, 2004, at 8:53 AM, Jon R. Kibler wrote:
:
: > Greetings:
: >
: > Wow! MyDoom has created a real mess...
: >
: > Anyway, two real reasons for writing about MyDoom mail bombing:
: >   1) Question: Has anyone else seen similar behavior -- meaning large
: > connection bursts?
: >   2) Pass on some advice on how you can protect yourself from such
: > high connection rates.
:

For the past week I have had a similar problem, and noticed that 95% of them
show about 20 source IP numbers. I have temporarily added these to my Access
file 1.2.3.4 REJECT and the mail server is dropping the connection from the
offending IP numbers. The immediate result I noticed was a real reduction in
CPU load on the server, and legitimate mail is being delivered on a more timely
basis.

I don't know why the SANS meter is still showing condition green, when most
people I have talked to are experiencing server load factors well into the red
category.



======================================
Stop spam on your domain, Anti-spam solutions
http://www.clickdoug.com/mailfilter.cfm
For hosting solutions http://www.clickdoug.com
======================================
Aspire to Inspire before you Retire or Expire!
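
The triage described in the message above (find the few source IPs behind most connections, then list them as REJECT in the access file), as an added example that is not part of the original post. The log lines are constructed in sendmail's "from=" format, and the function names, the 95% coverage target and the min_count floor are assumptions made for illustration.

```python
import re
from collections import Counter

# Source IP from relay=host [ip] or relay=[ip], on inbound "from=" lines only.
RELAY_RE = re.compile(r": from=.*\brelay=(?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _lines(ip, n, host=""):
    """Build n constructed sendmail log lines for one source (sample data)."""
    relay = f"{host} [{ip}]" if host else f"[{ip}]"
    return [f"Jan 29 08:53:{i % 60:02d} mx sendmail[{2000 + i}]: i0TDr{i:04d}: "
            f"from=<u{i}@example.net>, size=31211, class=0, nrcpts=1, "
            f"proto=ESMTP, daemon=MTA, relay={relay}" for i in range(n)]

# Constructed sample: two noisy sources, one quiet sender, localhost, and one
# outbound "to=" delivery line whose relay must not be counted.
SAMPLE_LOG = (_lines("192.0.2.10", 30) + _lines("192.0.2.11", 18, "dsl.example.org")
              + _lines("198.51.100.5", 2, "mail.example.com")
              + _lines("127.0.0.1", 4, "localhost")
              + ["Jan 29 08:54:00 mx sendmail[3000]: i0TDrX: to=<me@example.com>, "
                 "mailer=esmtp, relay=out.example.com. [203.0.113.9], stat=Sent"])

def count_sources(lines, allow=("127.0.0.1",)):
    """Count inbound messages per source IP, skipping allowlisted hosts."""
    hits = Counter()
    for line in lines:
        m = RELAY_RE.search(line)
        if m and m.group(1) not in allow:
            hits[m.group(1)] += 1
    return hits

def heavy_hitters(hits, coverage=0.95, min_count=5):
    """Smallest set of top IPs reaching `coverage` of traffic; never picks an
    IP below min_count, so a quiet legitimate sender is not swept in."""
    total, picked, covered = sum(hits.values()), [], 0
    for ip, n in hits.most_common():
        if covered >= coverage * total or n < min_count:
            break
        picked.append(ip)
        covered += n
    return picked

def access_entries(ips):
    """Format entries as sendmail access-map lines (key, tab, action)."""
    return [f"{ip}\tREJECT" for ip in ips]

if __name__ == "__main__":
    print("\n".join(access_entries(heavy_hitters(count_sources(SAMPLE_LOG)))))
```

The entries take effect only after the access map is rebuilt, and since the post calls the block temporary, the list should be reviewed and pruned once the burst subsides.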



