I have a client that is getting HAMMERED by mass SPAM emailings. In excess of 500,000 emails a month are getting deleted on an 80 user network. His Internet connection is totally flooded. I've been working with him over the past 9 months or so and have been trying to track things down to a single spammer or set of spammers. First, he is the target of the "reflected email" attack/delivery system. He was getting loads of these. He still gets these, but only about 100-150,000 a month. The rest are pure garbage items, at a much heavier than normal load of SPAM for a site of his size. What's curious is that I have been attempting to run MID level logging in order to get the connecting IPs, reasoning that if I could find the IP ranges, I could blow them off at the firewall and spare DECLUDE from having to process the emails. But, to my surprise, after running a few PERL scripts on the logs, the number of offending IPs, even listing those with over 50 deletes, is something on the order of over 2,000! There are no real ranges that I can find. If I include servers sending 10 emails that DECLUDE deletes, I have over 5 thousand for the month. It's a massive deluge from thousands of servers sending 4 or 5 emails a day. It's beginning to look like whoever is sending the mail has hundreds of zombie 'bots out on the internet and can direct them at will. Short of telling him he needs to just dump his domain name and get a new one, or co-locate a server upstream at an ISP for Declude, I am out of answers. Is anyone else seeing this type of attack? Are spammers now using zombie 'bots?

Karl Drugge
[Declude.JunkMail] Comments on this ?
IS - Systems Eng. (Karl Drugge) Fri, 07 Nov 2003 10:11:14 -0800
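The log analysis the post describes (count deletes per connecting IP, look for blockable ranges, judge how much a firewall blocklist would actually stop), as an added Python example that is not part of the original post or of Declude. The log line format, the sample addresses and the counts are constructed; the example also rolls the per-IP counts up to /24 networks, which is the "range" check the author says came up empty.

```python
import re
import ipaddress
from collections import Counter

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def build_sample_log():
    """Constructed log (not real data): one line per deleted message,
    '<date> <source IP> DELETED'. Two heavy senders share one /24;
    200 light senders each send 4 messages from their own /24."""
    lines = []
    for day in range(60):
        lines.append(f"2003-11-{day % 28 + 1:02d} 203.0.113.10 DELETED")
    for day in range(55):
        lines.append(f"2003-11-{day % 28 + 1:02d} 203.0.113.11 DELETED")
    for i in range(200):
        for _ in range(4):
            lines.append(f"2003-11-{i % 28 + 1:02d} 10.{i}.{i % 200 + 1}.5 DELETED")
    return "\n".join(lines)


def deletes_per_source(log_text):
    """Count deleted messages per connecting IP, as the author's Perl scripts did."""
    counts = Counter()
    for line in log_text.splitlines():
        m = IPV4.search(line)
        if m and "DELETED" in line:
            counts[m.group(1)] += 1
    return counts


def deletes_per_prefix(counts, prefixlen=24):
    """Roll per-IP counts up to /prefixlen networks to look for blockable ranges."""
    nets = Counter()
    for ip, n in counts.items():
        nets[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += n
    return nets


def blocklist_coverage(counts, min_deletes):
    """Blocking every source with >= min_deletes: how many firewall entries
    would that take, and what share of the deleted mail would it stop?"""
    blocked = {ip: n for ip, n in counts.items() if n >= min_deletes}
    total = sum(counts.values())
    return len(blocked), (sum(blocked.values()) / total if total else 0.0)


if __name__ == "__main__":
    counts = deletes_per_source(build_sample_log())
    for threshold in (50, 10, 1):
        n, frac = blocklist_coverage(counts, threshold)
        print(f">= {threshold:>2} deletes: {n:>3} entries block {frac:.0%} of deleted mail")
    print("busiest /24s:", deletes_per_prefix(counts).most_common(3))
```

With the distribution the post describes, the entries needed to cover most of the volume grow almost as fast as the number of sending hosts, which is why a per-IP or per-range firewall list buys so little.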