[Dshield] Heavy spamming vs DoS?

Jim McCullough jim.mccullough at gmail.com
Fri Feb 10 15:54:24 GMT 2006


I've seen this similarly on a server handling 3 different domains.
Most of which started picking up about a week before the Thanksgiving
holiday. Spam connections picked up in SpamAssassin are being
pushed to iptables for blocking. At this point I personally don't
want to think about the number of blocks for spammers in the tables
db. Primary receiver is the system owner's ex. Last count had
approx 5k+ spams per day hitting her account. From the logs at
the end of last week, 87% of the spam attempts were dynamic IP
addresses. Currently some blacklists have been enabled and I'm just waiting
on the stats at the end of the week to be generated.

On 2/10/06, Shawn Cox <shawn.cox at pcca.com> wrote:
> I have seen similar.  Beginning right at the new year.  I have a Barracuda
> 300 that will drop connections pre mail routine if it knows it's from a
> known illegitimate source.  It also has a rate control feature that has
> really gone through the roof (from 20 rate controlled IPs per day to over
> 1,000 per day).
>
> Your userbase could be responsible too.   I had a new employee come in the
> second week of January, and she became the top spam recipient within 6 days.
> I dunno how she did it, but she's now receiving more than 2000 spam messages
> per day.  That's 1900 more than I get a day and my address has been around
> for 10 years...
>
> --Shawn
>
> ----- Original Message -----
> From: "Chris Phillips" <ChrisPhillips at LGonQn.ORG>
> To: "DShield" <list at lists.dshield.org>
> Sent: Thursday, February 09, 2006 8:38 AM
> Subject: [Dshield] Heavy spamming vs DoS?
>
>
> > Lately (since the new year) I've been hit with extremely
> > heavy spammer loads. Seems like a different pattern than
> > the normal spamming I've been accustomed to before, which
> > was basically an attempt to deliver email. (This is a
> > small site with virtually no reason to be a target but...).
> >
> > Here's the pattern from last night
> > (2nd col is hex IP addr for sort convenience):
> >
> > % ~/bin/NSinceAcc "Feb  8 22" | sort
> >    1 3dfbcd3b 61.251.205.59                                  UNKNOWN Feb 9
> > 00:01:45
> >    1 44b9fb24 68.185.251.36   68-185-251-36.dhcp.leds.al.charter.com Feb 9
> > 00:01:47
> >    1 534e772b 83.78.119.43              43.119.78.83.cust.bluewin.ch Feb 9
> > 02:20:42
> >    1 5560536e 85.96.83.110         dsl.dynamic859683110.ttnet.net.tr Feb 9
> > 04:41:47
> >    1 5701be57 87.1.190.87        host87-190.pool871.interbusiness.it Feb 9
> > 00:01:35
> >    1 cbc6a27c 203.198.162.124             ipvpn073124.netvigator.com Feb 9
> > 00:01:29
> >    1 dccb332d 220.203.51.45                                  UNKNOWN Feb 9
> > 00:01:53
> >    2 54abb889 84.171.184.137           p54ABB889.dip0.t-ipconnect.de Feb 8
> > 23:48:38 Feb 8 23:48:39
> >    2 567f2a84 86.127.42.132      86-127-42-132.cable-modem.hdsnet.hu Feb 8
> > 22:36:47 Feb 8 22:36:47
> >    2 dcffc832 220.25                 bb220-255-200-50.singnet.com.sg Feb 9
> > 07:48:54 Feb 9 07:48:56
> >    5 3c10947b 60.16.148.123                                  UNKNOWN Feb 9
> > 01:45:17 Feb 9 01:45:27
> >    5 5126dbcb 81.38.219.203 203.Red-81-38-219.dynamicIP.rima-tde.net Feb 9
> > 08:28:18 Feb 9 08:28:22
> >   20 c8a27438 200.162.116.56                                 UNKNOWN Feb 9
> > 06:23:27 Feb 9 06:23:58
> >   68 3c0c63be 60.12.99.190                                   UNKNOWN Feb 9
> > 01:19:57 Feb 9 01:39:00
> >  273 da27a587 218.39.165.13                                  UNKNOWN Feb 9
> > 04:43:08 Feb 9 04:49:18
> >  393 d912fd80 217.18.253.128                       ppoe245.almus.net Feb 9
> > 04:31:08 Feb 9 04:40:17
> >  555 cb462f90 203.70.47.144               h144-203-70-47.seed.net.tw Feb 9
> > 00:54:09 Feb 9 01:20:47
> > 1667 4734743c 71.52.116.60       fl-71-52-116-60.dhcp.sprint-hsd.net Feb 9
> > 00:03:44 Feb 9 03:20:58
> > 2703 548ded26 84.141.237.38               p548DED26.dip.t-dialin.net Feb 9
> > 00:28:33 Feb 9 01:29:26
> >
> > Before the new year most everything was below 100 attempts, now I'm
> > regularly seeing attempts that run for an hour and generate
> > 100s of connection attempts. Is anyone else seeing a change in
> > spammer tactics like this or am I just lucky? ;)
> >
> > Chris
> >
> > _________________________________________
> > Learn about Intrusion Detection in Depth from the comfort of your own
> > couch:
> > https://www.sans.org/athome/details.php?id=1341&d=1
> >
> > _______________________________________________
> > send all posts to list at lists.dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> >
>
>


--
Jim McCullough
MS WindowsXP - the lazy man's way to frustration, anger, and total
psychological breakdown.
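An added example, not part of any of the posts above: a small script in the spirit of Chris's NSinceAcc summary (its source is not in the thread, so the input format and exact behaviour are assumptions). It aggregates constructed syslog-style SMTP "connect from" lines per source IP, emits the zero-padded hex IP that serves as a sort key, the first and last time seen, and flags the sources making hundreds of attempts, the sustained pattern the thread contrasts with one-off delivery tries.

```python
import re
from datetime import datetime, timedelta
from ipaddress import IPv4Address

# Hypothetical syslog-style SMTP "connect from" record; not any specific MTA's exact wording.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: "
                     r"connect from (?P<host>\S+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]$")

def make_connects(ip, host, start, count, step_seconds=0):
    """Construct `count` connect lines from one source, `step_seconds` apart (sample data only)."""
    lines = []
    for i in range(count):
        t = start + timedelta(seconds=i * step_seconds)
        lines.append(f"{t:%b} {t.day:2d} {t:%H:%M:%S} mx smtpd[{1000 + i}]: connect from {host} [{ip}]")
    return lines

def summarize(lines, year=2006):
    """Per source IP: (count, hex_ip, ip, host, first_seen, last_seen), sorted so the noisiest sink to the bottom."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a connection record (disconnects, delivery status, ...)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog stamps carry no year
        rec = seen.setdefault(m["ip"], {"n": 0, "host": m["host"], "first": ts, "last": ts})
        rec["n"] += 1
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
    # Zero-padded hex of the address gives a fixed-width key that sorts in address order.
    return sorted((r["n"], f"{int(IPv4Address(ip)):08x}", ip, r["host"], r["first"], r["last"])
                  for ip, r in seen.items())

def flag_bursts(rows, min_attempts=100):
    """Sources with at least min_attempts connects: returns (ip, count, minutes spanned)."""
    return [(ip, n, round((last - first).total_seconds() / 60, 1))
            for n, _, ip, _, first, last in rows if n >= min_attempts]

# Constructed sample: two quick tries, one single try, a stray disconnect line,
# and one source hammering the MTA every 12 seconds for about an hour.
SAMPLE = (make_connects("84.171.184.137", "p54ABB889.dip0.t-ipconnect.de",
                        datetime(2006, 2, 8, 23, 48, 38), 2, 1)
          + make_connects("61.251.205.59", "UNKNOWN", datetime(2006, 2, 9, 0, 1, 45), 1)
          + ["Feb  9 00:02:00 mx smtpd[7]: disconnect from UNKNOWN [61.251.205.59]"]
          + make_connects("84.141.237.38", "p548DED26.dip.t-dialin.net",
                          datetime(2006, 2, 9, 0, 28, 33), 300, 12))

if __name__ == "__main__":
    for n, hex_ip, ip, host, first, last in summarize(SAMPLE):
        print(f"{n:5d} {hex_ip} {ip:<15} {host:>40} {first:%b %d %H:%M:%S} {last:%b %d %H:%M:%S}")
    print("burst sources:", flag_bursts(summarize(SAMPLE)))
```

The hex keys it prints for 84.171.184.137 and 84.141.237.38 (54abb889 and 548ded26) match the second column of the listing in the thread, which is the sort convenience Chris mentions.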


