[Dshield] Heavy spamming vs DoS?

Chris Phillips ChrisPhillips at LGonQn.ORG
Thu Feb 9 14:38:45 GMT 2006


Lately (since the new year) I've been hit with extremely
heavy spammer loads. Seems like a different pattern than 
the normal spamming I've been accustomed to before, which 
was basically an attempt to deliver email. (This is a 
small site with virtually no reason to be a target but...).

Here's the pattern from last night
(2nd col is hex ip addr for sort convenience):

% ~/bin/NSinceAcc "Feb  8 22" | sort
    1 3dfbcd3b 61.251.205.59                                  UNKNOWN Feb 9 00:01:45 
    1 44b9fb24 68.185.251.36   68-185-251-36.dhcp.leds.al.charter.com Feb 9 00:01:47 
    1 534e772b 83.78.119.43              43.119.78.83.cust.bluewin.ch Feb 9 02:20:42 
    1 5560536e 85.96.83.110         dsl.dynamic859683110.ttnet.net.tr Feb 9 04:41:47 
    1 5701be57 87.1.190.87        host87-190.pool871.interbusiness.it Feb 9 00:01:35 
    1 cbc6a27c 203.198.162.124             ipvpn073124.netvigator.com Feb 9 00:01:29 
    1 dccb332d 220.203.51.45                                  UNKNOWN Feb 9 00:01:53 
    2 54abb889 84.171.184.137           p54ABB889.dip0.t-ipconnect.de Feb 8 23:48:38 Feb 8 23:48:39
    2 567f2a84 86.127.42.132      86-127-42-132.cable-modem.hdsnet.hu Feb 8 22:36:47 Feb 8 22:36:47
    2 dcffc832 220.25                 bb220-255-200-50.singnet.com.sg Feb 9 07:48:54 Feb 9 07:48:56
    5 3c10947b 60.16.148.123                                  UNKNOWN Feb 9 01:45:17 Feb 9 01:45:27
    5 5126dbcb 81.38.219.203 203.Red-81-38-219.dynamicIP.rima-tde.net Feb 9 08:28:18 Feb 9 08:28:22
   20 c8a27438 200.162.116.56                                 UNKNOWN Feb 9 06:23:27 Feb 9 06:23:58
   68 3c0c63be 60.12.99.190                                   UNKNOWN Feb 9 01:19:57 Feb 9 01:39:00
  273 da27a587 218.39.165.13                                  UNKNOWN Feb 9 04:43:08 Feb 9 04:49:18
  393 d912fd80 217.18.253.128                       ppoe245.almus.net Feb 9 04:31:08 Feb 9 04:40:17
  555 cb462f90 203.70.47.144               h144-203-70-47.seed.net.tw Feb 9 00:54:09 Feb 9 01:20:47
 1667 4734743c 71.52.116.60       fl-71-52-116-60.dhcp.sprint-hsd.net Feb 9 00:03:44 Feb 9 03:20:58
 2703 548ded26 84.141.237.38               p548DED26.dip.t-dialin.net Feb 9 00:28:33 Feb 9 01:29:26

Before the new year most everything was below 100 attempts; now I'm 
regularly seeing attempts that run for an hour and generate 
100s of connection attempts. Is anyone else seeing a change in 
spammer tactics like this or am I just lucky? ;)

Chris
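
An added example, not part of the original post and not the poster's NSinceAcc script: it reads a few rows copied from the report above, checks the hex column against the dotted address, and turns count plus first/last seen into a duration and rate for the sources above the 100-attempt level the post mentions. The year (taken from the mail's date) and the one-minute floor on the rate are assumptions of this sketch.

```python
import ipaddress
import re
from datetime import datetime

# Rows copied from the report in the post (count, hex IP, IP, rDNS, first/last seen).
REPORT = """\
    1 534e772b 83.78.119.43              43.119.78.83.cust.bluewin.ch Feb 9 02:20:42
    5 3c10947b 60.16.148.123                                  UNKNOWN Feb 9 01:45:17 Feb 9 01:45:27
  393 d912fd80 217.18.253.128                       ppoe245.almus.net Feb 9 04:31:08 Feb 9 04:40:17
 1667 4734743c 71.52.116.60       fl-71-52-116-60.dhcp.sprint-hsd.net Feb 9 00:03:44 Feb 9 03:20:58
 2703 548ded26 84.141.237.38               p548DED26.dip.t-dialin.net Feb 9 00:28:33 Feb 9 01:29:26
"""
STAMP = re.compile(r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")
BASELINE = 100  # the post: before the new year most sources stayed below 100 attempts
YEAR = 2006     # assumption: the stamps carry no year, so use the year of the mail


def hex_key(ip):
    """Fixed-width hex form of an IPv4 address, so a plain text sort orders by address."""
    return format(int(ipaddress.IPv4Address(ip)), "08x")


def parse_row(line):
    """Turn one report row into count, time span and attempts per minute."""
    count, key, ip, _host = line.split()[:4]
    if key != hex_key(ip):
        raise ValueError(f"hex column {key} does not match {ip}")
    seen = [datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")
            for s in STAMP.findall(line)]
    span = (seen[-1] - seen[0]).total_seconds()  # 0 when there is a single attempt
    # Assumption: a burst shorter than one minute is rated as if it lasted one minute.
    rate = round(int(count) / max(span / 60, 1), 1)
    return {"ip": ip, "count": int(count), "span_s": int(span), "per_min": rate}


def sustained(report, baseline=BASELINE):
    """Sources whose attempt count exceeds the baseline, highest count first."""
    rows = [parse_row(line) for line in report.splitlines() if line.strip()]
    return sorted((r for r in rows if r["count"] > baseline), key=lambda r: -r["count"])


if __name__ == "__main__":
    for r in sustained(REPORT):
        print(f'{r["ip"]:<16}{r["count"]:>6} attempts in {r["span_s"]:>6}s'
              f' = {r["per_min"]:>5}/min')
```

The rate separates a short, dense burst from a slower run that persists for hours, which the raw count alone does not show.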
