[Dshield] Something Seems to Be Spreading

Tony Earnshaw tonni at hetnet.nl
Sat Jan 27 01:43:47 GMT 2007

David Cary Hart wrote, on 26. jan 2007 23:48:

> We are seeing a tremendous increase in Paypal phishing spams from
> virgin IPs. Last week, I saw a great deal of spam with malicious
> attachments; most of it with a hyperbolic news headline or a severe
> weather alert as the subject. I guess that the two patterns can be 
> correlated.
> Many of the removal requests that these have created are coming from
> small to mid-size companies including lawyers and accountants. 

We run p0f on our (Postfix 2.3) MTA and have signaled around 80% of all 
machines connecting on port 25 as being Windows bots or spammers, of 
which again around 80% are running 2000/SP4 or under-patched XP.

FWIW we (I) refuse mail from most of these on subnets that have ever 
sent spam to spamtrap addresses (catch a lot with Postfix anti-UCE 
stuff, too). We're not a large volume site, so I read all the 
MAILER-DAEMON refusal notices, each day (3-500).

> One of these days I'd like to come up with prevalent subject lines
> and HELO patterns on our website. Right now we are deluged.

The HELO patterns are sometimes interesting; a huge amount, the majority, 
of the Windows bots helo with "localhost" (which is why I installed p0f 
in the first place: I first thought they were root-kitted Unix/Linux 
bots, but no. Even by far most of the prof spammer outfits are running 
Windows; few or no spammers to our site run Unix/Linux). Subject 
lines are not important; MAIL FROM: patterns are very interesting; RCPT 
TO: patterns - well, the motivation for some of these, together with the 
associated MAIL FROM:s, deserves an article somewhere. Also, I'd like to 
do an analysis on the networks attempting to spam our users' addresses - 
these come in in patterns and batches from IPs all over the world and in 
a manner that suggests that some of our users' home (Windows) machines 
have been botted. If any of the internal Windows PCs had been botted, 
I'd have noticed that long ago.

I'd like a run down on the different versions of spammer software 
running on the botted machines, too. That comes in several sorts of pattern.

> Lame excuse of the week: "The IP address had been spoofed, this has
> been corrected, we were never actually spamming from the real IP location."

Tony Earnshaw
Email: tonni at hetnet dot nl
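The HELO, MAIL FROM: and source-network analysis the post says it would like to do can be started from the MTA's own reject log, without p0f. The following is an added example (Python, not code from the list post or from the Postfix project): it parses Postfix smtpd "NOQUEUE: reject: RCPT" lines, buckets each HELO argument into the patterns discussed above (the "localhost" bots, bare IP literals, hosts forging the receiving MX's own name), and tallies sender domains and /24 source subnets. The log lines in SAMPLE_LOG are constructed for the example and use documentation address ranges; OUR_HOSTNAMES is an assumed value that a site would replace with its real MX names.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in Postfix smtpd reject format (not taken from the post).
SAMPLE_LOG = """\
Jan 26 23:48:01 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 554 5.7.1 Service unavailable; Client host [192.0.2.15] blocked; from=<alice@example.net> to=<user1@example.org> proto=SMTP helo=<localhost>
Jan 26 23:48:07 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 Service unavailable; Client host [192.0.2.77] blocked; from=<bob@example.net> to=<user2@example.org> proto=SMTP helo=<localhost>
Jan 26 23:49:12 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 504 5.5.2 <198.51.100.9>: Helo command rejected: need fully-qualified hostname; from=<promo@example.com> to=<user3@example.org> proto=ESMTP helo=<198.51.100.9>
Jan 26 23:50:03 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[192.0.2.200]: 554 5.7.1 Service unavailable; Client host [192.0.2.200] blocked; from=<carol@example.net> to=<user1@example.org> proto=SMTP helo=<mx.example.org>
Jan 26 23:51:44 mx postfix/smtpd[2251]: NOQUEUE: reject: RCPT from host.example[203.0.113.4]: 450 4.1.8 <dave@nonexistent.invalid>: Sender address rejected: Domain not found; from=<dave@nonexistent.invalid> to=<user4@example.org> proto=ESMTP helo=<host.example>
"""

# Fields Postfix logs on an RCPT-stage reject: reverse DNS name, client IP,
# SMTP reply code, envelope sender, envelope recipient and the HELO argument.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<rdns>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"(?P<code>\d{3}) .*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=\w+ helo=<(?P<helo>[^>]*)>"
)

# Assumption: the names of the receiving MX itself; a client that HELOs
# with one of these is forging the server's own identity.
OUR_HOSTNAMES = {"mx.example.org"}


def parse_rejects(text):
    """Yield one dict per Postfix smtpd RCPT reject line; skip other lines."""
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.groupdict()


def classify_helo(helo, our_hostnames=OUR_HOSTNAMES):
    """Bucket a HELO argument into the patterns the post describes."""
    h = helo.strip().lower()
    if h in ("localhost", "localhost.localdomain"):
        return "localhost"
    if h in our_hostnames:
        return "forged-our-name"
    try:
        ip_address(h.strip("[]"))  # bare IP or [IP] literal
        return "bare-ip"
    except ValueError:
        pass
    if "." not in h:
        return "unqualified"
    return "fqdn"


def summarize(text):
    """Return (HELO-class counts, sender-domain counts, /24 source-subnet counts)."""
    helo_classes = Counter()
    sender_domains = Counter()
    subnets = Counter()
    for rec in parse_rejects(text):
        helo_classes[classify_helo(rec["helo"])] += 1
        domain = rec["sender"].rpartition("@")[2] or "<>"  # "<>" for null sender
        sender_domains[domain] += 1
        net = ip_network(f"{rec['ip']}/24", strict=False)
        subnets[str(net)] += 1
    return helo_classes, sender_domains, subnets


if __name__ == "__main__":
    names = ("HELO classes", "sender domains", "source /24s")
    for name, counter in zip(names, summarize(SAMPLE_LOG)):
        print(name)
        for key, n in counter.most_common():
            print(f"  {n:4d}  {key}")
```

Fed a real mail log instead of SAMPLE_LOG, the /24 tally is what makes the "batches from IPs all over the world" visible, and the "forged-our-name" bucket is worth its own Postfix restriction (check_helo_access against the MX's own names) since no legitimate client ever HELOs as the server.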
