Re: DDoS Question

2007-09-27 Thread Roland Dobbins



On Sep 28, 2007, at 6:49 AM, Ken Simpson wrote:

> You might want to look at some kind of edge email
> traffic shaping layer.

So that 'Curtis Blackman' is the only one getting SMTP through to
Martin and his customers?


;>

Assuming nothing in the header which could be blocked by S/RTBH or
ACLs (or a QoS policy), some of the various DDoS scrubbers available
from different vendors may be able to deal with this via the
anomalous TCP rates associated with these streams of spam, and/or
regexp.


---
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice

   I don't sound like nobody.

   -- Elvis Presley
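Roland's suggestion of keying on the anomalous per-source rate and on a regexp over the subject is easy to prototype on the MTA side. The following is an added example (not from the thread, not from any of the posters' systems) that runs a detection pass over a few constructed log lines: it matches the campaign subject while tolerating the randomized name, counts matching messages per source IP per minute, and flags sources whose rate exceeds a threshold. The log line format, the IPs and the threshold are all assumptions made for the example.

```python
import re
from collections import Counter

# Subject pattern from the thread: fixed text, then a randomized two-word name.
CAMPAIGN_SUBJECT = re.compile(
    r"^Looking for Sex Tonight\? (?P<name>[A-Z][a-z]+ [A-Z][a-z]+)$"
)

# Assumed MTA log format: "<ISO timestamp> client=<ip> subject=<subject>".
# The timestamp is captured only to minute precision for rate bucketing.
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2} "
    r"client=(?P<ip>[\d.]+) subject=(?P<subject>.*)$"
)

# Constructed sample log (documentation-range IPs, not real sources).
SAMPLE_LOG = """\
2007-09-27T19:30:01 client=198.51.100.7 subject=Looking for Sex Tonight? Curtis Blackman
2007-09-27T19:30:02 client=198.51.100.7 subject=Looking for Sex Tonight? Alice Jones
2007-09-27T19:30:03 client=198.51.100.7 subject=Looking for Sex Tonight? Bob Smith
2007-09-27T19:30:04 client=198.51.100.7 subject=Looking for Sex Tonight? Carol White
2007-09-27T19:30:05 client=203.0.113.9 subject=Looking for Sex Tonight? Dan Brown
2007-09-27T19:30:06 client=203.0.113.9 subject=Looking for Sex Tonight? Eve Green
2007-09-27T19:30:07 client=192.0.2.44 subject=Re: meeting tomorrow
2007-09-27T19:30:08 client=192.0.2.44 subject=Quarterly numbers
2007-09-27T19:31:00 client=198.51.100.7 subject=Looking for Sex Tonight? Fred Black
"""


def parse_line(line):
    """Return (minute, ip, subject) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("minute"), m.group("ip"), m.group("subject")


def campaign_rate(log_text):
    """Count campaign-matching messages per (source ip, minute)."""
    rate = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, ip, subject = parsed
        if CAMPAIGN_SUBJECT.match(subject):
            rate[(ip, minute)] += 1
    return rate


def randomized_names(log_text):
    """Collect the distinct names seen in the randomized part of the subject."""
    names = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        m = CAMPAIGN_SUBJECT.match(parsed[2])
        if m:
            names.add(m.group("name"))
    return names


def flag_sources(log_text, threshold):
    """Sources that sent >= threshold campaign messages in any single minute."""
    return {ip for (ip, _minute), n in campaign_rate(log_text).items() if n >= threshold}


if __name__ == "__main__":
    for (ip, minute), n in sorted(campaign_rate(SAMPLE_LOG).items()):
        print(f"{minute} {ip:15} {n} campaign messages")
    print("flagged:", flag_sources(SAMPLE_LOG, threshold=3))
    print("names seen:", len(randomized_names(SAMPLE_LOG)))
```

Both signals matter: the regexp alone would also match a single legitimate forward of one of these messages, and the rate alone would flag a busy but legitimate relay, so a policy that acts only when both fire is less likely to cause the collateral damage Martin mentions later in the thread.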



RE: DDoS Question

2007-09-27 Thread Raymond L. Corbin

Did you check the source IP in the headers? My logs show that they are
coming from a buncha residential IP addresses so it's prolly a bot
network doing it. Most of the messages going through our servers with
that have the domain lifeleaksfromyo.com in it which is causing the
messages to fail in our servers. You can always try the rbl that lists a
lot of residential IPs in it...i think it's the PBL from spamhaus. That
would help limit it, and blocking emails with the domain
lifeleaksfromyo.com. Other than that I'm out of ideas. What spam
appliance are you using?

Raymond Corbin
HostMySite.com
877.215.4678

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Martin Hannigan
Sent: Thursday, September 27, 2007 7:32 PM
To: nanog@merit.edu
Subject: DDoS Question


Folks,

I'm receiving about 25K spams per minute with this subject:

Subject: "Looking for Sex Tonight? Curtis Blackman"

They randomize the name on the subject line. Is this any particular
virus/malware/zombie signature and any suggestion on how to defend
against it besides what I'm already doing (which is all of the
obvious, rbls, spam appliances, hot cocoa, etc.)?

This happened right around the time I started securing the name server
infrastructure with BIND upgrades and recursor/authoritative NS
splitting. :-)

Best,

Marty


Re: DDoS Question

2007-09-27 Thread Ken Simpson

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

> They randomize the name on the subject line. Is this any particular
> virus/malware/zombie signature and any suggestion on how to defend
> against it besides what I'm already doing (which is all of the
> obvious, rbls, spam appliances, hot cocoa, etc.)?
> 
> This happened right around the time I started securing the name server
> infrastructure with BIND upgrades and recursor/authoritative NS
> splitting. :-)

RBLs are only effective against perhaps 50% of spam traffic, because
so much of it comes from never-seen-before zombies. What appliances
are you running? You might want to look at some kind of edge email
traffic shaping layer.

Regards,
Ken

- -- 
Ken Simpson
CEO, MailChannels

Fax: +1 604 677 6320
Web: http://mailchannels.com
MailChannels - Reliable Email Delivery (tm)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG/EGb2YHPr/ypq5QRAuKNAKCYqf7uVoJmSAdKSSFH1NOTsLsZ6gCgk1Id
7+dI9UOemZtgqAI5pM+LwY4=
=V0fG
-END PGP SIGNATURE-


Re: DDoS Question

2007-09-27 Thread Martin Hannigan

On 9/27/07, Raymond L. Corbin <[EMAIL PROTECTED]> wrote:
> Did you check the source IP in the headers? My logs show that they are
> coming from a buncha residential IP addresses so it's prolly a bot
> network doing it. Most of the messages going through our servers with
> that have the domain lifeleaksfromyo.com in it which is causing the
> messages to fail in our servers. You can always try the rbl that lists a
> lot of residential IPs in it...i think it's the PBL from spamhaus. That
> would help limit it, and blocking emails with the domain
> lifeleaksfromyo.com. Other than that I'm out of ideas. What spam
> appliance are you using?


Raymond, all:

Thanks for all the responses, public and private. I did, and am,
watching the sources. It's uninteresting in terms of capability to act
since it's spread out pretty widely and it's obviously difficult to
tell what will and will not cause collateral damage.

I'll capture some source traffic and put it out on the web for all the
researches that replied looking for sample data. I think I can
probably pcap something that won't violate any privacy laws where this
is. In the meantime, here's some sources that are in the top tier of
connections:

ASN   | Source IP       | AS name
3215  | 86.195.231.168  | AS3215 France Telecom - Orange
3269  | 87.19.141.208   | ASN-IBSNAZ TELECOM ITALIA
3320  | 84.148.13.150   | DTAG Deutsche Telekom AG
3320  | 84.148.13.150   | DTAG Deutsche Telekom AG
3320  | 84.148.13.150   | DTAG Deutsche Telekom AG
3320  | 84.148.13.150   | DTAG Deutsche Telekom AG
6746  | 89.136.159.120  | ASTRAL ASTRAL Telecom SA, Romania
7132  | 67.120.22.10    | SBIS-AS - AT&T Internet Services
9121  | 78.180.16.161   | TTNET TTnet Autonomous System
9121  | 85.108.127.90   | TTNET TTnet Autonomous System
9121  | 85.108.127.90   | TTNET TTnet Autonomous System
9121  | 85.108.127.90   | TTNET TTnet Autonomous System
10796 | 71.79.216.254   | SCRR-10796 - Road Runner HoldCo LLC
10796 | 71.79.216.254   | SCRR-10796 - Road Runner HoldCo LLC
19262 | 71.254.34.123   | VZGNI-TRANSIT - Verizon Internet Services Inc.
22773 | 64.58.163.237   | CCINET-2 - Cox Communications Inc.
25041 | 91.125.42.251   | BRIGHTVIEW-UK-AS Brightview Internet Services AS
35911 | 24.212.10.244   | BNQ-1 - Telebec
35911 | 24.212.10.244   | BNQ-1 - Telebec


Re: DDoS Question

2007-09-27 Thread Sean Donelan


On Thu, 27 Sep 2007, Martin Hannigan wrote:

> They randomize the name on the subject line. Is this any particular
> virus/malware/zombie signature

Nothing particularly new.  The Bots have been pumping this one out
for at least a month, although the subject line has a few variations
besides just changing the name.  I guess they just finally got around
to you.

> and any suggestion on how to defend
> against it besides what I'm already doing (which is all of the
> obvious, rbls, spam appliances, hot cocoa, etc.)?


See all the previous mail threads about ISPs not doing anything :-)

Stop the bots on your networks; work with people to stop the bots
on other networks; work with law enforcement to put the criminals
in prison.

In the mean time, continue to spend on resources to mail servers,
security appliances, and more blacklists.


Re: DDoS Question

2007-09-27 Thread Hex Star

This problem is easily solved by simply rejecting mail sent by servers on
dynamic IP ranges...


Re: DDoS Question

2007-09-27 Thread Paul Ferguson

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- Sean Donelan <[EMAIL PROTECTED]> wrote:

>See all the previous mail threads about ISPs not doing anything :-)
>
>Stop the bots on your networks; work with people to stop the bots
>on other networks; work with law enforcement to put the criminals
>in prison.

I don't want to pour gasoline on a burning fire (well, okay -- maybe
I do), but this issue is really out of hand.

I mean, the top ASN-originating "offender" pumped out somewhere
in the neighborhood of 2.27 billion (yes, "Billion", with a "B")
spam messages in the past 24 hours (from our perspective):

https://nssg.trendmicro.com/nrs/reports/rank.php?page=1

...and that's just the figure for one ASN with a bot
problem. And since virtually _all_ spam these days is
botnet-generated...

...it gets worse, but I won't get into it here.

It's a very frustrating problem.

Cheers,

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFG/H2fq1pz9mNUZTMRAs+4AKCTVcHwv3GwpSC9f97wwlu1dtCH4ACgvCkg
HBzR70yuEJTtidFmF5NmV7Q=
=OnBX
-END PGP SIGNATURE-


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/




Re: DDoS Question

2007-09-27 Thread Paul Ferguson

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- "Hex Star" <[EMAIL PROTECTED]> wrote:

> This problem is easily solved by simply rejecting mail sent by servers on
> dynamic IP ranges...  

Great. I guess we can all go home now. :-)

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFG/IHXq1pz9mNUZTMRAveDAKD+NuO5KxZBod2tFqh2C6Y97V/eDQCbBwiN
wCTDJbwN4XSxd0xdxpq7pig=
=dKvk
-END PGP SIGNATURE-


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/





Re: DDoS Question

2007-09-28 Thread Martin Hannigan

On 9/28/07, Paul Ferguson <[EMAIL PROTECTED]> wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> - -- "Hex Star" <[EMAIL PROTECTED]> wrote:
>
> > This problem is easily solved by simply rejecting mail sent by servers on
> > dynamic IP ranges...
>
> Great. I guess we can all go home now. :-)

As long as we leave our wallets on our desks, no problem. :-)


Summary of private responses:

- Use LDAP
- Use regexp and kill, kill, kill
- Send me your data!

All very good suggestions, but I thought of that and I have a variety
of issues that limit me to my existing environment and do not allow
fast and easy deployment of enhancements. One being I'm tied into a
big OSS.

Over this year I've expended significant amounts of time and energy on
a problem that is created by people that are exploiting the Internet
for profit which the vast majority is either fraud or identity theft
oriented. Mail is a huge expense and sending it the way of usenet,
outsourced en-masse using cheap and fast OEM interfaces and services,
is the right thing to do.

After researching the outsourced mail options, I found that the market
is not mature or flexible enough yet. For example, we need the hook
into automated systems, we need some level of control for front line
support, and we need assurances that the provider will comply with the
laws of where *the subscribing network* may be regulated. Not another
country. If we get a subpoena or surveillance request, we need to be
in the loop since we (and you all) are regulated.

Google was my best hope and it was too bad they barely responded. The
application suite for ISP's might have been ok if it were tuned up a
little, or had more information and a real person running the program.
They seem to have the right idea. Throw massive reasons at the
problem, build user base, generate ad revenue to pay for it, and sell
services to others i.e. anti-fraud and anti-phishing.

Best,

Martin


Re: DDoS Question

2007-09-28 Thread Tony Finch

On Thu, 27 Sep 2007, Ken Simpson wrote:
>
> RBLs are only effective against perhaps 50% of spam traffic, because
> so much of it comes from never-seen-before zombies.

I'm seeing 80%-90% of spam blocked by the Spamhaus ZEN list, which
includes the PBL for blocking home computers, infected or not.

Tony.
-- 
f.a.n.finch  <[EMAIL PROTECTED]>  http://dotat.at/
IRISH SEA: SOUTHERLY, BACKING NORTHEASTERLY FOR A TIME, 3 OR 4. SLIGHT OR
MODERATE. SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.


Re: DDoS Question

2007-09-28 Thread Ken Simpson

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

> > RBLs are only effective against perhaps 50% of spam traffic, because
> > so much of it comes from never-seen-before zombies.
> 
> I'm seeing 80%-90% of spam blocked by the Spamhaus ZEN list, which
> includes the PBL for blocking home computers, infected or not.

Sorry, should have added, "Your Results May Vary" :)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG/Uev2YHPr/ypq5QRAmX4AJ0bQA3KScyMBLjwWzhnZq5nFlGj3wCfR7nc
JO5q/i7gJTHK1N3Izfvlp8I=
=C8VF
-END PGP SIGNATURE-


Re: DDoS Question

2007-09-29 Thread Matthew Sullivan


Raymond L. Corbin wrote:

> messages to fail in our servers. You can always try the rbl that lists a
> lot of residential IP's in it...i think it's the PBL from spamhaus. That
> would help limit it, and blocking emails with the domain

You'd have better luck with SORBS DUHL if you don't want to pay for 
Spamhaus data.  (a peak of 192 messages/minute and an average of 4 
messages per minute were considered excessive enough for my DSL's to be 
blocked by Spamhaus).  I would also suggest NJABL as it used to list 
dynamics, except it is not listing just dynamics now, and it has merged 
into Spamhaus as the PBL.  Of course Trend are now running what was 
MAPS, which is another pay for service which is also useful.


Regards,

Mat
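The DNS-based lists that Raymond, Tony and Mat discuss (Spamhaus PBL/ZEN, SORBS DUHL) all work the same way: reverse the octets of the connecting IP, append the zone name, and query for an A record, with the returned 127.0.0.x address encoding which sub-list hit. The block below is an added example, not code from the thread or from Spamhaus/SORBS, showing that lookup and the measurement Tony describes (fraction of connecting clients that would be rejected). The resolver is injected so the example runs offline; the FAKE_ZONE table and the client IPs are constructed, and the ZEN return-code meanings are taken from Spamhaus's public documentation.

```python
import ipaddress
import socket

# Spamhaus ZEN return codes (public documentation): which sub-list listed the IP.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",        # CSS component of SBL
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",   # policy-listed dynamic/residential space
}


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet query name, e.g. 7.100.51.198.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolve(name):
    """Real lookup via the system resolver; NXDOMAIN (not listed) returns []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def classify(ip, zone, resolve, codes=ZEN_CODES):
    """Return the sorted list of sub-lists that listed ip; [] means not listed."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return sorted({codes.get(a, "unknown:" + a) for a in answers})


def block_rate(client_ips, zone, resolve):
    """Fraction of connecting clients that the zone would have rejected."""
    listed = sum(1 for ip in client_ips if classify(ip, zone, resolve))
    return listed / len(client_ips)


# Constructed stand-in for the DNS zone so the example runs with no network access.
FAKE_ZONE = {
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.11"],               # PBL only
    "9.113.0.203.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],   # XBL and PBL
}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    clients = ["198.51.100.7", "203.0.113.9", "192.0.2.44", "192.0.2.45"]  # constructed
    for ip in clients:
        print(ip, classify(ip, "zen.spamhaus.org", fake_resolve) or "not listed")
    print("block rate:", block_rate(clients, "zen.spamhaus.org", fake_resolve))
```

To run it against the live zone, pass system_resolve instead of fake_resolve and a zone you are entitled to query (for SORBS DUHL the same lookup applies with its zone name and its own return codes). The PBL result is a policy statement about the address space, not evidence of infection, which is exactly why Mat's DSL addresses ended up listed; a site that rejects on PBL hits should make sure its own dynamic customers submit through an authenticated smarthost rather than direct-to-MX.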




ISP support for Email (was Re: DDoS Question)

2007-09-28 Thread Sean Donelan


On Fri, 28 Sep 2007, Martin Hannigan wrote:

> After researching the outsourced mail options, I found that the market
> is not mature or flexible enough yet. For example, we need the hook
> into automated systems, we need some level of control for front line
> support,


AT&T, Verizon, BT and so on have outsourced most of their subscriber
email to other vendors (MSN and Yahoo) for years. I think they are
the poster-children for companies with big, unwieldy OSSes.  Likewise 
Critical Path has made a decent business supporting white label e-mail 
for many ISPs around the world.


I've seen the duct tape from the inside and the outside.  It ain't
pretty, but they seem to make it work.


> and we need assurances that the provider will comply with the
> laws of where *the subscribing network* may be regulated. Not another
> country. If we get a subpoena or surveillance request, we need to be
> in the loop since we (and you all) are regulated.


Of course, you could outsource your legal support to trusted third
party vendors too :-)  For only a small fee, they will solve all
the problems.


> Google was my best hope and it was too bad they barely responded. The
> application suite for ISP's might have been ok if it were tuned up a
> little, or had more information and a real person running the program.
> They seem to have the right idea. Throw massive reasons at the
> problem, build user base, generate ad revenue to pay for it, and sell
> services to others i.e. anti-fraud and anti-phishing.


Why should ISPs still pay to support subscriber e-mail either inhouse
or outsourced, any more than paying to support USENET, Chat, FTP/HTTP 
Hosting, etc?  Let subscribers choose whichever "free" or "fee-based" 
supplier, and wash your hands of both the support issues and the legal 
compliance issues.




Re: ISP support for Email (was Re: DDoS Question)

2007-10-03 Thread Sam Hayes Merritt, III




> Why should ISPs still pay to support subscriber e-mail either inhouse
> or outsourced, any more than paying to support USENET, Chat, FTP/HTTP
> Hosting, etc?  Let subscribers choose whichever "free" or "fee-based"
> supplier, and wash your hands of both the support issues and the legal
> compliance issues.


For better or worse, whatever hoops you can make a customer have to jump
through to leave may keep them your customer 'by force'. It's hard to
change your email address and notify everyone in your address book and
the sites you may have used it to sign up with. It may not be right, but
it does seem to work.


Also, having your domain on that customer's email address is low cost
advertising.



sam