[Dshield] Extreme increase in spam attempts... any one else seeing similar event?

Jim McCullough jim.mccullough at gmail.com
Fri Aug 17 23:56:21 GMT 2007


The problem with backscatter is the same problem with the end users.
As colo servers become cheaper and available to the masses, along with
"user friendly interfaces", we will see the back scatter issue
continue.  Mainly for three basic reasons: politics of organizations,
admins thinking "not me", and sheer ignorance on the admin's part.

The problem with tracking back scatter is that a lot of it comes
through either compromised servers/systems and/or forged headers.  If
you start blocking based on backscatter also, expect to see your
customers (i.e. users) become very annoyed with you.  Annoy the higher
ups in a corp/gov and expect repercussions.  If you're providing a
service to web hosting customers and they start complaining about
emails not coming through, they will move.

If it's one's own personal network, and they don't mind missing some
emails because of backscatter, then that's their own choice.
However, I would advise against this type of action due to the
potential backlash in general it could receive for a company or gov
organization.

-- 
Jim McCullough

"Just because the standard provides a cliff in front of you, you are
not necessarily required to jump off it."

    Norman Diamond


On 8/17/07, Dotzero <dotzero at gmail.com> wrote:
> On 8/17/07, Tony Earnshaw <tonni at hetnet.nl> wrote:
> >
> > That sort of thing is very often backscatter from joe jobs, i.e. a bot
> > network sending out spam with the smtp 'MAIL FROM:' with one of your
> > valid addresses and the receiving MTA bouncing it (as opposed to smtp
> > refusing it).
> >
>
> What's interesting to me are the number of MTAs that will still
> backscatter on joe jobs even if the abused domain makes a strong
> (-all) SPF assertion. I'd argue that this type of backscatter should
> be considered spam as well.


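The difference between bouncing and refusing at SMTP time that the quoted posts describe, as an added Python example that is not part of any list member's message: one MTA accepts and later mails a DSN to the forged MAIL FROM, the other refuses inside the session and honours a `-all` SPF record. The domain example.org, the addresses, and all function names are constructed for illustration, and the SPF evaluator is a sketch that handles only the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress

# Constructed sample: SPF record for the hypothetical domain example.org.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate ip4/ip6/all only; mechanisms that need DNS give 'unknown'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            return "unknown"  # a, mx, include, ... are out of scope here
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def bounce_later_mta(mail_from, recipient_exists):
    """Accepts everything, then mails a DSN to MAIL FROM: the backscatter source."""
    if recipient_exists or mail_from == "":  # never bounce a null sender
        return "250 accepted", None
    return "250 accepted", mail_from  # DSN goes to the forged address

def reject_in_session_mta(client_ip, spf_record, recipient_exists):
    """Refuses inside the SMTP session, so no DSN is ever generated here.

    spf_record is the record published by the MAIL FROM domain (passed in
    directly in this sketch instead of being fetched from DNS).
    """
    spf = spf_result(spf_record, client_ip)
    if spf == "fail":
        return "550 rejected: SPF fail for MAIL FROM", None
    if not recipient_exists:
        return "550 rejected: no such user", None
    return "250 accepted", None

if __name__ == "__main__":
    forged, bot_ip = "victim@example.org", "198.51.100.7"  # constructed values
    print(bounce_later_mta(forged, recipient_exists=False))
    print(reject_in_session_mta(bot_ip, SAMPLE_SPF, recipient_exists=False))
```

Each function returns the SMTP reply and the address that would later receive a bounce; only the accept-then-bounce MTA ever returns a non-empty bounce address.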