[Dshield] Extreme increase in spam attempts... any one else seeing similar event?

Chris Mitchell cmitchell at smtusa.com
Fri Aug 17 14:35:56 GMT 2007


We have seen this in the last 2 days. Tues/Wed I found the majority was
coming from Amsterdam; after blocking the IP ranges I could find for them,
everything seems to be back to normal.  We are a small ISP, and were seeing
about 60,000 messages to invalid recipients an hour.  Would love to know
what happened or is happening that would cause an increase like this.

Chris

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Chris Phillips
Sent: Friday, August 17, 2007 10:26 AM
To: list at lists.dshield.org
Subject: [Dshield] Extreme increase in spam attempts... any one else seeing
similar event?

Hi

Since yesterday (16 Aug 6pm EDT) I am seeing a HUGE increase in spam 
activity:
sed -n '/^Aug 16 18/,$p' /var/log/smtpd.log | egrep 'Not allowed' | wc -l
   12110
sed -n '/^Aug 16 18/,$p' /var/log/smtpd.log | egrep 'Not allowed' | egrep UNKNOWN | wc -l
     480
(This is less than 24 hours!)
vs
a previous 24 hour period...
sed -n '/^Aug 14 18/,/^Aug 15 18/p' /var/log/smtpd.log | egrep 'Not allowed' | wc -l
     115
sed -n '/^Aug 14 18/,/^Aug 15 18/p' /var/log/smtpd.log | egrep 'Not allowed' | egrep 'UNKNOWN' | wc -l
      38

The interesting factor is that the majority of this is coming from DNS 
registered hosts:
480 out of 12110 = 4% not registered
as opposed to 38 out of 115 = 38% normally...

Any ideas about what might be happening?

(Also note that these almost totally don't have valid local
email addresses as the recipient, though the domain seems
to be correct mostly.
[This is from hand sampling so I don't have specific #'s])

C
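
Added example, not part of either post: the window comparison from the original message done in one awk pass, reporting total rejects, rejects from hosts logged as UNKNOWN, and the UNKNOWN percentage. The function names and the sample log lines are constructed assumptions; only the "Mon DD HH" line prefix and the 'Not allowed' and 'UNKNOWN' markers come from the commands in the post.

```shell
#!/bin/sh
# Assumption: everything after the timestamp in these lines is constructed.
make_sample_log() {   # $1 = path to write the constructed sample log to
    cat > "$1" <<'EOF'
Aug 14 17:59:58 mx smtpd[101]: Not allowed: relay from UNKNOWN [192.0.2.1]
Aug 14 18:00:03 mx smtpd[102]: Not allowed: relay from UNKNOWN [192.0.2.7]
Aug 14 21:10:44 mx smtpd[103]: Not allowed: relay from mail.example.net [198.51.100.4]
Aug 15 02:15:09 mx smtpd[104]: connect from mail.example.org [198.51.100.9]
Aug 15 18:00:00 mx smtpd[105]: Not allowed: relay from UNKNOWN [192.0.2.9]
Aug 16 18:00:12 mx smtpd[106]: Not allowed: relay from a.example.com [203.0.113.5]
Aug 16 18:00:13 mx smtpd[107]: Not allowed: relay from b.example.com [203.0.113.6]
Aug 16 19:30:00 mx smtpd[108]: Not allowed: relay from UNKNOWN [192.0.2.33]
Aug 16 23:59:59 mx smtpd[109]: Not allowed: relay from c.example.com [203.0.113.7]
EOF
}

# reject_stats LOG START [END]
# Prints "total unknown percent" for rejects in the window that opens at the
# first line starting with START and closes just before the first later line
# starting with END (or at end of file when END is omitted).
# Unlike sed's /start/,/end/ range, the END line itself is not counted.
reject_stats() {
    awk -v start="$2" -v end="${3:-}" '
        !on && index($0, start) == 1        { on = 1 }
        on && end != "" && index($0, end) == 1 { exit }
        on && /Not allowed/ { total++; if (/UNKNOWN/) unknown++ }
        END {
            # Rounded share of rejects with no reverse DNS; 0 for an empty window.
            pct = total ? int(100 * unknown / total + 0.5) : 0
            printf "%d %d %d\n", total, unknown, pct
        }
    ' "$1"
}

log=$(mktemp)
make_sample_log "$log"
echo "baseline: $(reject_stats "$log" 'Aug 14 18' 'Aug 15 18')"
echo "spike:    $(reject_stats "$log" 'Aug 16 18')"
rm -f "$log"
```

A window whose START hour has no log line at all reports "0 0 0", the same silent-empty behaviour the sed range has, so an unexpectedly empty result is worth checking against the raw log.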
