Is it possible that he was exposed by a dictionary attack? Or maybe, could it be that his system allows the nobody alias, so that anything can be delivered and they are hammering on fake addresses? I've started shutting that down wherever it was configured in order to protect against these things.

The idea, though, that you are getting hammered primarily by 2,000 IP addresses isn't surprising IMO. That Pexicom spammer that I tracked down the other day has 1,000 IPs at his disposal, and he uses many of these addresses in order to prevent himself from a perma-listing on the RBLs. SBL has a lot of similar addresses, though their ranges can be incomplete. It might be very effective to try and get the SBL listing configured in your router as a block list. I don't think that I've ever seen a FP from SBL, and they claim that 90% of spam comes from just their ROKSO list alone (which is incomplete, so actual effectiveness will be much lower regardless of the claim).

I think that normal spam traffic would probably be on the order of 500 per user per month on average, so this seems way out of hand (by a factor of 10).

And as far as your zombie question, most definitely, but this is only the crud type of spam (sex, pills, body modification, etc.). Recent virus outbreaks have opened up a countless number of machines that are no longer effectively tracked by the open relay block lists.

Matt



Greg Foulks wrote:

Spammers are getting smarter and are finding ways to get around our tests.
I'm getting to the point where I am about to cut off everyone from
sending email to us and setting up a phone number so that people who want to
send us email have to call in and subscribe.

Greg
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of IS - Systems Eng.
(Karl Drugge)
Sent: Friday, November 07, 2003 11:41 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Comments on this?


I have a client that is getting HAMMERED by mass SPAM emailings. In excess
of 500,000 emails a month are getting deleted on an 80-user network. His
Internet connection is totally flooded. I've been working with him over the
past 9 months or so and have been trying to track things down to a single
spammer or set of spammers.


First, he is the target of the 'reflected email' attack/delivery system. He
was getting loads of these. He still gets these, but only about 100-150,000
a month. The rest are pure garbage items, at a much heavier than normal load
of SPAM for a site of his size. What's curious is that I have been
attempting to run MID level logging in order to get the connecting IPs,
reasoning that if I could find the IP ranges, I could blow them off at the
firewall and spare DECLUDE from having to process the emails. But, to my
surprise, after running a few PERL scripts on the logs, the number of
offending IPs, even listing only those with over 50 deletes, is something on the
order of over 2,000! There are no real ranges that I can find. If I include
servers sending 10 emails that DECLUDE deletes, I have over 5 thousand for
the month. It's a massive deluge from thousands of servers sending 4 or 5
emails a day. It's beginning to look as if whoever is sending the mail has
hundreds of zombie 'bots out on the internet and can direct them at will.

Short of telling him he needs to just dump his domain name and get a new
one, or co-locate a server upstream at an ISP for Declude, I am out of
answers.

Is anyone else seeing this type of attack? Are spammers now using zombie
'bots?


Karl Drugge
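A worked example of the log triage Karl describes above (counting deletes per connecting IP, applying his 50-delete threshold, and rolling the sources up by /24 to see whether they form blockable ranges), plus the per-source distinct-recipient count behind Matt's dictionary-attack question. This is added example code, not anything posted in the thread, and it is written in Python rather than Karl's Perl; the log line format and every address in it are constructed for the example and are not Declude's real log format.

```python
import ipaddress
import re
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed sample log. The line format is an assumption for this
    example ("<date> <time> <ip> DELETE|ACCEPT <recipient>"); it is NOT
    Declude's real log format, and the addresses are documentation ranges."""
    lines = []
    # Three unrelated sources each sending a handful of deleted messages:
    # the "4 or 5 emails a day from thousands of hosts" pattern.
    for ip in ("203.0.113.7", "198.51.100.42", "192.0.2.99"):
        for i in range(4):
            lines.append(f"2003-11-07 10:{i:02d}:00 {ip} DELETE user{i}@example.com")
    # One persistent source probing many guessed local parts (dictionary-style).
    for i in range(60):
        lines.append(f"2003-11-07 11:{i:02d}:00 203.0.113.8 DELETE guess{i}@example.com")
    # Ordinary accepted mail, which must not count toward any threshold.
    lines.append("2003-11-07 12:00:00 192.0.2.5 ACCEPT alice@example.com")
    return "\n".join(lines)


LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<action>DELETE|ACCEPT) "
    r"(?P<rcpt>\S+)$"
)


def parse_log(text):
    """Yield (ip, action, recipient) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("action"), m.group("rcpt")


def deletes_per_ip(records):
    """Count deleted messages per connecting IP (accepted mail is ignored)."""
    counts = Counter()
    for ip, action, _ in records:
        if action == "DELETE":
            counts[ip] += 1
    return counts


def heavy_hitters(counts, threshold=50):
    """IPs with at least `threshold` deletes, heaviest first, ties by address."""
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


def deletes_per_prefix(counts, prefix_len=24):
    """Roll per-IP counts up to a CIDR prefix to see whether sources cluster
    into ranges worth a firewall rule, or are scattered like a bot herd."""
    by_net = Counter()
    for ip, n in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[str(net)] += n
    return by_net


def dictionary_suspects(records, min_recipients=20):
    """IPs whose deleted mail targeted many distinct recipients: the
    signature of address guessing against a catch-all / nobody alias."""
    rcpts = defaultdict(set)
    for ip, action, rcpt in records:
        if action == "DELETE":
            rcpts[ip].add(rcpt.lower())
    return sorted(ip for ip, s in rcpts.items() if len(s) >= min_recipients)


if __name__ == "__main__":
    records = list(parse_log(build_sample_log()))
    counts = deletes_per_ip(records)
    print("sources with >= 50 deletes:", heavy_hitters(counts))
    print("deletes per /24:", deletes_per_prefix(counts).most_common())
    print("dictionary-style sources:", dictionary_suspects(records))
```

On Karl's real logs the interesting output is the /24 roll-up: if most of the volume sits in a few prefixes a router block list is worthwhile, but if it is spread thinly across thousands of prefixes (the result he reports), blocking by range buys little and the recipient check or a DNSBL such as SBL is the better lever.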





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.