[Dshield] Heavy spamming vs DoS?

Shawn Cox shawn.cox at pcca.com
Fri Feb 10 13:44:32 GMT 2006


I have seen similar.  Beginning right at the new year.  I have a Barracuda 
300 that will drop connections pre mail routine if it knows it's from a 
known illegitimate source.  It also has a rate control feature that has 
really gone through the roof (from 20 rate controlled IPs per day to over 
1,000 per day).

Your userbase could be responsible too.   I had a new employee come in the 
second week of January, and she became the top spam recipient within 6 days. 
I dunno how she did it, but she's now receiving more than 2000 spam messages 
per day.  That's 1900 more than I get a day and my address has been around 
for 10 years...

--Shawn

----- Original Message ----- 
From: "Chris Phillips" <ChrisPhillips at LGonQn.ORG>
To: "DShield" <list at lists.dshield.org>
Sent: Thursday, February 09, 2006 8:38 AM
Subject: [Dshield] Heavy spamming vs DoS?


> Lately  (since the new year) I've been hit with extremely
> heavy spammer loads. Seems like a different pattern than
> the normal spamming I've been accustomed to before, which
> was basically an attempt to deliver email. (This is a
> small site with virtually no reason to be a target but...).
>
> Here's the pattern from last night
> (2nd col is hex ip addr for sort convenience):
>
> % ~/bin/NSinceAcc "Feb  8 22" | sort
>    1 3dfbcd3b 61.251.205.59                                  UNKNOWN Feb 9 00:01:45
>    1 44b9fb24 68.185.251.36   68-185-251-36.dhcp.leds.al.charter.com Feb 9 00:01:47
>    1 534e772b 83.78.119.43              43.119.78.83.cust.bluewin.ch Feb 9 02:20:42
>    1 5560536e 85.96.83.110         dsl.dynamic859683110.ttnet.net.tr Feb 9 04:41:47
>    1 5701be57 87.1.190.87        host87-190.pool871.interbusiness.it Feb 9 00:01:35
>    1 cbc6a27c 203.198.162.124             ipvpn073124.netvigator.com Feb 9 00:01:29
>    1 dccb332d 220.203.51.45                                  UNKNOWN Feb 9 00:01:53
>    2 54abb889 84.171.184.137           p54ABB889.dip0.t-ipconnect.de Feb 8 23:48:38 Feb 8 23:48:39
>    2 567f2a84 86.127.42.132      86-127-42-132.cable-modem.hdsnet.hu Feb 8 22:36:47 Feb 8 22:36:47
>    2 dcffc832 220.25                 bb220-255-200-50.singnet.com.sg Feb 9 07:48:54 Feb 9 07:48:56
>    5 3c10947b 60.16.148.123                                  UNKNOWN Feb 9 01:45:17 Feb 9 01:45:27
>    5 5126dbcb 81.38.219.203 203.Red-81-38-219.dynamicIP.rima-tde.net Feb 9 08:28:18 Feb 9 08:28:22
>   20 c8a27438 200.162.116.56                                 UNKNOWN Feb 9 06:23:27 Feb 9 06:23:58
>   68 3c0c63be 60.12.99.190                                   UNKNOWN Feb 9 01:19:57 Feb 9 01:39:00
>  273 da27a587 218.39.165.13                                  UNKNOWN Feb 9 04:43:08 Feb 9 04:49:18
>  393 d912fd80 217.18.253.128                       ppoe245.almus.net Feb 9 04:31:08 Feb 9 04:40:17
>  555 cb462f90 203.70.47.144               h144-203-70-47.seed.net.tw Feb 9 00:54:09 Feb 9 01:20:47
> 1667 4734743c 71.52.116.60       fl-71-52-116-60.dhcp.sprint-hsd.net Feb 9 00:03:44 Feb 9 03:20:58
> 2703 548ded26 84.141.237.38               p548DED26.dip.t-dialin.net Feb 9 00:28:33 Feb 9 01:29:26
>
> Before the new year most everything was below 100 attempts, now I'm
> regularly seeing attempts that run for an hour and generating
> 100's of connection attempts. Is anyone else seeing a change in
> spammer tactics like this or am I just lucky? ;)
>
> Chris
>
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own 
> couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
>
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
> 
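Added example, not Chris's NSinceAcc script nor anything from Shawn's Barracuda: a small Python aggregator that produces the same per-source layout quoted above (count, hex IP so a plain sort orders numerically, dotted IP, reverse name, first and last seen) and then applies a rate-control style check of the kind the thread is comparing notes on. It assumes Postfix smtpd "connect from name[ip]" log lines; the sample lines are constructed here, reusing some addresses and names from the thread but with made-up timing, and the thresholds (100 attempts total, or more than 4 attempts per minute) are illustrative.

```python
"""Per-source summary of SMTP connection attempts in the NSinceAcc-like
layout from the thread, plus a volume/burst check. Added example; not the
posters' code. Log lines are constructed in Postfix smtpd
'connect from name[ip]' form with assumed timing.
"""
import ipaddress
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from (?P<host>\S+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]$"
)
LOG_YEAR = 2006  # syslog timestamps carry no year; assumed for the sample


def syslog_ts(t):
    """Render a datetime the way syslog does: 'Feb  9 00:28:33' (day space-padded)."""
    return f"{t.strftime('%b')} {t.day:2d} {t.strftime('%H:%M:%S')}"


def synth_connects(host, ip, start, n, step_s, pid=4000):
    """Constructed test data: n 'connect from' lines from one source, step_s apart."""
    return [
        f"{syslog_ts(start + timedelta(seconds=i * step_s))} mx "
        f"postfix/smtpd[{pid + i}]: connect from {host}[{ip}]"
        for i in range(n)
    ]


# Constructed sample log: three one-off connects, one disconnect line that
# must be ignored, a 20-attempt burst in 19 seconds, and 120 attempts
# ground out every 30 seconds for an hour (the pattern the thread describes).
SAMPLE_LOG = "\n".join(
    [
        "Feb  9 00:01:45 mx postfix/smtpd[4101]: connect from unknown[61.251.205.59]",
        "Feb  9 00:01:47 mx postfix/smtpd[4102]: connect from "
        "68-185-251-36.dhcp.leds.al.charter.com[68.185.251.36]",
        "Feb  9 00:01:50 mx postfix/smtpd[4102]: disconnect from "
        "68-185-251-36.dhcp.leds.al.charter.com[68.185.251.36]",
        "Feb  9 02:20:42 mx postfix/smtpd[4103]: connect from "
        "43.119.78.83.cust.bluewin.ch[83.78.119.43]",
    ]
    + synth_connects("unknown", "200.162.116.56",
                     datetime(LOG_YEAR, 2, 9, 6, 23, 27), 20, 1, 5000)
    + synth_connects("p548DED26.dip.t-dialin.net", "84.141.237.38",
                     datetime(LOG_YEAR, 2, 9, 0, 28, 33), 120, 30, 6000)
)


def summarize(log_text, year=LOG_YEAR):
    """Aggregate matching lines per source IP; rows sorted by count, then hex IP."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # disconnects, other daemons, noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = per_ip.setdefault(
            m["ip"], {"count": 0, "host": m["host"], "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    rows = [
        {"count": rec["count"],
         "hex": f"{int(ipaddress.IPv4Address(ip)):08x}",  # sortable numeric form
         "ip": ip, "host": rec["host"],
         "first": rec["first"], "last": rec["last"]}
        for ip, rec in per_ip.items()
    ]
    rows.sort(key=lambda r: (r["count"], r["hex"]))
    return rows


def flag_rate(rows, max_attempts=100, max_per_minute=4.0):
    """Rate-control style check: flag a source on total volume or on burst rate.
    The observed span is floored at one minute so a single attempt is not an
    infinite rate. Thresholds are illustrative assumptions."""
    flagged = []
    for r in rows:
        span_min = max((r["last"] - r["first"]).total_seconds() / 60.0, 1.0)
        rate = round(r["count"] / span_min, 1)
        if r["count"] > max_attempts or rate > max_per_minute:
            flagged.append((r["ip"], r["count"], rate))
    return flagged


def format_row(r):
    """One line in the layout quoted in the thread."""
    return (f"{r['count']:5d} {r['hex']} {r['ip']:<15} {r['host']:>40} "
            f"{syslog_ts(r['first'])} {syslog_ts(r['last'])}")


if __name__ == "__main__":
    rows = summarize(SAMPLE_LOG)
    for r in rows:
        print(format_row(r))
    for ip, n, rate in flag_rate(rows):
        print(f"rate-control candidate: {ip}: {n} attempts, {rate}/min")
```

The two triggers are deliberately separate: the hour-long grinder trips the volume threshold while its per-minute rate stays low, and the short burst trips the rate threshold while its total is small. Sorting on the hex column rather than the dotted string is what keeps 60.x, 200.x and 218.x in true numeric order, the same trick the quoted output uses.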


