[Dshield] Spam Surge and funny things with auditors

Ulf Bahrenfuss Ulf.Bahrenfuss at talkline.de
Fri Aug 31 09:37:50 GMT 2007


Hi!

As some may recall, there has been the observation that there is a new
spam surge brewing out there. 

Our outer perimeter is now seeing an average above 600 spamming attempts
per minute (about 1 million a day), alternating between a normal 200-400
per minute and short hard bursts (we had up to 2000 concurrent SMTP
sessions inbound from spamming sources even though we do hard
disconnects to most of them). This is within the scope of the rise of
our internal long-term prediction (made to substantiate our budget
increase for hardware and software). So there is nothing out of the
ordinary.

The outer firewall is seeing an increase of our standard virus infection
attempts (ports 145, 445 and so on). We are now up to peaks of about 4900
connects per minute in a 5 minute average. The 24 hour average is at
1100/minute. So we are back to June/July standards. Vacation time is
over. The average is still okay and within the norm, but the bursts start
to look bad... To get a feeling for the data: Slammer peaked at our site
at about 6-7k per minute, before most of the providers went to a snail's
pace...

Then there is some insight into the spam bots out there. 2 months ago we
reorganized our inbound layout with full new MX on new IPs with new
names.
2 months later we still get SMTP connections to the old servers and they
all come from well known spam IPs (pick your DNSRBL of choice, you will
find them). That seems to indicate that some bots are using
prepackaged DNS A/MX data with the spam attempt list and are not doing
any lookups on their own.

And I had a very good time a while ago with the external auditors who
were doing an audit of our IT security. After reading the preliminary
report, I sent some advice that they should check it for obvious
errors, but they insisted on using the report of their auditing software as
direct recommendations. Among them the most glaring "immediate action
point" was the report about my internal DNS servers. They were obviously
outdated and a security risk because they answered a version request
with "their" version number. The number I configured to give back was
6.6.6 and that is well below known secure numbers :-) The recommendation
was to update and change the config to give back a false number or no
number, hmmmm okay.
The meeting was interesting and I am still smiling... I wonder whether
they got paid in full...

Best regards

Ulf
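The observation above (senders still connecting to MX addresses that were retired two months earlier, and connection rates that alternate between a baseline band and hard bursts) can be turned into a simple log check. This is an added example, not code from the post or from DShield; the log format, the retired MX address and the sample lines are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not from the post). Assumed format:
#   "<ISO timestamp> smtp connect src=<ip> dst=<ip>"
SAMPLE_LOG = """\
2007-08-31T09:00:01 smtp connect src=192.0.2.10 dst=198.51.100.25
2007-08-31T09:00:02 smtp connect src=192.0.2.10 dst=198.51.100.26
2007-08-31T09:00:05 smtp connect src=203.0.113.7 dst=198.51.100.25
2007-08-31T09:00:07 smtp connect src=192.0.2.55 dst=198.51.100.26
2007-08-31T09:01:00 smtp connect src=203.0.113.7 dst=198.51.100.26
2007-08-31T09:01:30 smtp connect src=192.0.2.10 dst=198.51.100.26
"""

# Assumed: old MX addresses that no longer appear in public DNS.
# Anything still connecting here did not look up the current MX records.
RETIRED_MX = {"198.51.100.26"}

LINE_RE = re.compile(r"^(\S+) smtp connect src=(\S+) dst=(\S+)$")


def parse(log):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def retired_mx_sources(log, retired=RETIRED_MX):
    """Count connections per source IP that target a retired MX address.
    These sources are candidates for a DNSBL lookup or a block rule."""
    hits = Counter()
    for _, src, dst in parse(log):
        if dst in retired:
            hits[src] += 1
    return hits


def per_minute_rates(log):
    """Inbound SMTP connections per minute, for comparison with a baseline band."""
    buckets = Counter()
    for ts, _, _ in parse(log):
        buckets[ts.replace(second=0, microsecond=0)] += 1
    return buckets


def bursts(log, baseline_max):
    """Minutes whose connection count exceeds the upper bound of the normal band."""
    return {m: n for m, n in per_minute_rates(log).items() if n > baseline_max}
```

On real traffic, `baseline_max` would be the upper edge of the observed normal band (the post's 200-400 per minute), so only the short hard bursts are reported.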



