[Dshield] Something Seems to Be Spreading
tonni at hetnet.nl
Sat Jan 27 01:43:47 GMT 2007
David Cary Hart wrote, on 26. jan 2007 23:48:
> We are seeing a tremendous increase in Paypal phishing spams from
> virgin IPs. Last week, I saw a great deal of spam with malicious
> attachments; most of it with a hyperbolic news headline or a severe
> weather alert as the subject. I guess that the two patterns can be
> Many of the removal requests that these have created are coming from
> small to mid-size companies including lawyers and accountants.
We run p0f on our (Postfix 2.3) MTA and have signaled around 80% of all
machines connecting on port 25 as being Windows bots or spammers, of
which again around 80% are running 2000/SP4 or under-patched XP.
FWIW we (I) refuse mail from most of these on subnets that have ever
sent spam to spamtrap addresses (catch a lot with Postfix anti-UCE
stuff, too). We're not a large volume site, so I read all the
MAILER-DAEMON refusal notices, each day (3-500).
> One of these days I'd like to come up with prevalent subject lines
> and HELO patterns on our website. Right now we are deluged.
The HELO patterns are sometimes interesting, a huge amount/the majority
of the Windows bots helo with "localhost" (which is why I installed p0f
in the first place, I first thought they were root-kitted Unix/Linux
bots, but no. Even by far most of the prof spammer outfits are running
Windows, little or no spammers to our site run Unix/Linux). Subject
lines are not important, MAIL FROM: patterns are very interesting, RCPT
TO: patterns - well, the motivation for some of these, together with the
associated MAIL FROM:s deserves an article somewhere. Also, I'd like to
do an analysis on the networks attempting to spam our users' addresses -
these come in in patterns and batches from IPs all over the world and in
a manner that suggests that some of our users' home (Windows) machines
have been botted. If any of the internal Windows PCs had been botted,
I'd have noticed that long ago.
I'd like a run down on the different versions of spammer software
running on the botted machines, too. That comes in several sorts of pattern.
> Lame excuse of the week: "The IP address had been spoofed, this has
> been corrected, we were never actually spamming from the real IP location."
Email: tonni at hetnet dot nl
More information about the list