The guy primarily spams Asian sites from what I can tell, but also targets AOL.  One of the servers he knocked offline is an 80-seat law firm, and trust me, they were quite willing to hunt the guy down, but in this case it wasn't realistic, or at least so I advised.  I have, though, seen similar patterns in some English spams, probably from the same guy, but he's clearly based overseas.  He is, though, one of the biggest problems on the Internet, and you can credit him with single-handedly ruining the nobody alias on my server by forging From addresses from multiple local domains.  His pattern is easy to spot in a Joe-Job: it's always a capital first letter followed by a long string of random characters in the forged From address.  I can't see how everyone isn't seeing this if they host multiple domains.

If I could trace this stuff back to someone like Ralsky, I would be doing plenty of pro bono research :)

Matt



Adam Lukasiewicz wrote:
Matt,
Have you turned this "turd" in???
Adam

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, March 23, 2004 11:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Spammers bypassing gateways?


Andrew,

This is definitely stuff going to harvested (real) addresses with full
spam content.  I've seen the full headers as well.

I've seen the relay testing from spammers before, in fact the same turd
brought down two different clients of mine in the space of one week,
both running GroupWise 5.5, one secure, the other not, but the spammer
didn't care and proceeded to hammer them at 3 messages a second
non-stop.  The guy didn't even bother to verify if the first server
would relay or not, he just took the fact that it accepted the E-mail
and then stuck some zombie on it.  I see the same turd hit my server a
few times a week.  This is the same guy that is responsible for the
majority of the Joe-Jobs using my customers' domains.  He performs
dictionary attacks on Asian sites.

Right now I am not certain enough about the guessing being reality for
me to tell anyone to jump through hoops on a whim.  With the current
open situation I know a way around it, but sooner or later I will find a
customer that makes use of SMTP AUTH and can't be firewalled or resolved
with a filter following the connection.  I am though strongly suggesting
that everyone not name their servers mail.domain.tld or smtp.domain.tld,
and that they use something unique in the name so that it can't be guessed.

Although this might not be possible, I'm looking for conclusive proof of
this, and if none is available, as much anecdotal stuff as possible :)

Thanks,

Matt



Colbeck, Andrew wrote:

For what it's worth, I haven't seen anything in the security literature
about spammers operating that way.

Any chance that the affected organizations had, at some time, addresses of
the form:

	[EMAIL PROTECTED]

which isn't uncommon?  I've seen at least one private company that
advertised their addresses as [EMAIL PROTECTED] but their reply-to: was
[EMAIL PROTECTED] so they received spam at both.

Anecdotally, I can also relate that I've seen torrents of SMTP traffic
aimed at a dynamic IP; I presumed that the previous owner had an open mail
relay there.

Andrew 8)

-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 23, 2004 6:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spammers bypassing gateways?


I've been wondering about the possibility and I think that I'm seeing
proof of this now.  With gateway spam blocking services becoming more
common, are spammers (zombie-types) now starting to attempt direct
connections to mail.domain.tld instead of relying on MX records?

I've been advising new clients to avoid standard names such as mail and
smtp for their mail servers due to the possibility of this happening.
Twice now I have done switches though with servers named mail.domain.tld
that continued to be spammed directly for weeks after the MX changed
took place.  The only other possibility that I can think of is that some
spamware is caching the IP's or MX records.

Has anyone else seen this?

Thanks,

Matt

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
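The thread above asks how to tell whether spam is reaching a server by a guessed host name (mail.domain.tld, smtp.domain.tld) rather than through the MX records that point at a filtering gateway, and what to do about it. The following is an added example, not code from the list or from Declude: it walks a small constructed zone, reports guessable names that resolve to an address the MX records do not cover, emits a firewall allow-list so only the gateway can reach port 25 on the real server, and counts connections in a constructed log that did not come from the gateway. The zone data, the IP addresses, the list of guessable labels and the "connect from" log format are all assumptions made for the example.

```python
"""Added example: detect and close the direct-to-host path that bypasses an
MX-based spam gateway.  All DNS data, addresses and log lines are constructed."""
import re
from collections import defaultdict

# Constructed zone data (assumption: FQDNs with trailing dot, as a resolver returns them).
DNS = {
    "example.com.": {"MX": [(10, "gw1.filter.example."), (20, "gw2.filter.example.")]},
    "gw1.filter.example.": {"A": ["192.0.2.10"]},
    "gw2.filter.example.": {"A": ["192.0.2.11"]},
    "mail.example.com.": {"A": ["198.51.100.25"]},   # old name still published for the real server
    "smtp.example.com.": {"A": ["198.51.100.25"]},
    "k3x9.example.com.": {"A": ["198.51.100.25"]},   # unique name, not on the guess list
}

# Host labels a zombie might prepend to the domain instead of doing an MX lookup (assumption).
GUESSABLE_LABELS = ("mail", "smtp", "mx", "mx1", "mx2", "mailhost", "email")


def lookup(name, rtype, dns=DNS):
    """Return the records of type rtype for name from the constructed zone."""
    name = name if name.endswith(".") else name + "."
    return dns.get(name, {}).get(rtype, [])


def mx_hosts(domain, dns=DNS):
    """MX targets in preference order."""
    return [host for _, host in sorted(lookup(domain, "MX", dns))]


def gateway_ips(domain, dns=DNS):
    """Every address the MX records legitimately deliver to."""
    ips = set()
    for host in mx_hosts(domain, dns):
        ips.update(lookup(host, "A", dns))
    return ips


def guessable_exposure(domain, dns=DNS, labels=GUESSABLE_LABELS):
    """Guessable host names resolving to an address that is NOT an MX target.
    A zombie that skips the MX lookup and connects to mail.<domain> lands here."""
    allowed = gateway_ips(domain, dns)
    exposed = []
    for label in labels:
        fqdn = f"{label}.{domain.rstrip('.')}."
        for ip in lookup(fqdn, "A", dns):
            if ip not in allowed:
                exposed.append((fqdn, ip))
    return exposed


def allow_only_gateways(domain, dns=DNS, port=25):
    """iptables rules for the real server: accept SMTP only from the gateway addresses."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {ip} -j ACCEPT"
             for ip in sorted(gateway_ips(domain, dns))]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


# Constructed log lines in an assumed "timestamp connect from IP" format.
LOG = """\
2004-03-23 23:18:02 connect from 192.0.2.10
2004-03-23 23:18:05 connect from 203.0.113.7
2004-03-23 23:18:05 connect from 203.0.113.7
2004-03-23 23:18:06 connect from 192.0.2.11
2004-03-23 23:18:09 connect from 203.0.113.7
2004-03-23 23:18:11 connect from 198.18.0.44
"""
CONNECT_RE = re.compile(r"connect from (\d{1,3}(?:\.\d{1,3}){3})")


def bypass_connections(log_text, allowed_ips):
    """Count SMTP connections per source address that did not arrive via the gateway."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and m.group(1) not in allowed_ips:
            counts[m.group(1)] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    dom = "example.com"
    print("MX targets:", mx_hosts(dom))
    print("guessable names bypassing the gateway:", guessable_exposure(dom))
    for rule in allow_only_gateways(dom):
        print(rule)
    print("connections not from the gateway:", bypass_connections(LOG, gateway_ips(dom)))
```

Renaming the host (the k3x9 entry above) removes it from the guess list but does nothing for zombies that cached the old address, which is why the firewall allow-list is the part that actually closes the path; run the bypass count against the real server's log before and after the rule change to confirm. Against a live zone, swap the constructed `lookup` for real DNS queries and keep the rest unchanged.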