Is there a new spambot army on the march?
We are getting HAMMERED with a dictionary attack that is on a scale we have never experienced before. We have recipient verification on our edge servers, so basically it's all just bouncing off us, but it has been impacting us as we've already had to up the maximum number of simultaneous SMTP connections 4-fold to handle the increased load.

I'm starting to track the IPs, and so far after 30 minutes have found over 5000 separate IPs - so this Spambot army is pretty big.

Is it only us, or are others seeing it too?

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Is there a new spambot army on the march?
On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:
> We are getting HAMMERED with a dictionary attack that is on a scale we have never experienced before. We have recipient verification on our edge servers, so basically it's all just bouncing off us, but it has been impacting us as we've already had to up the maximum number of simultaneous SMTP connections 4-fold to handle the increased load.
>
> I'm starting to track the IPs, and so far after 30 minutes have found over 5000 separate IPs - so this Spambot army is pretty big.
>
> Is it only us, or are others seeing it too?

I may have a server side solution using spamikaze but first what is the SMTP server software that you are using?

--
Member - Liberal International This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
New Brunswick kick out the Harper Puppet and VOTE LIBERAL on 18 Sept 2006

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Is there a new spambot army on the march?
On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:
> We are getting HAMMERED with a dictionary attack that is on a scale we have never experienced before.

Yeah. I had 260k user unknown entries per day last week (that's over 3 per second for a whole day straight). The weekends are always lighter, with only 110k so far today -- around 8800 different IPs so far.

--
Randomly Generated Tagline:
But you have to allow a little for the desire to evangelize when you think you have good news. - Larry Wall
Re: Is there a new spambot army on the march?
Theo Van Dinter wrote:
> On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:
>> We are getting HAMMERED with a dictionary attack that is on a scale we have never experienced before.
>
> Yeah. I had 260k user unknown entries per day last week (that's over 3 per second for a whole day straight). The weekends are always lighter, with only 110k so far today -- around 8800 different IPs so far.

We're getting around 60/sec for over 24 hours now :-(

It ain't getting in, but the logs are filling my disk ;-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Is there a new spambot army on the march?
The Doctor wrote:
> I may have a server side solution using spamikaze but first what is the SMTP server software that you are using?

We're using Qmail with assorted patches - like the recipient checking one. I think the only solution that would improve our situation would be getting these (6.5K now) IPs into the RBLs - or into our tcpserver ACL list.

(I'm not really looking for a solution - more just wondering if anyone else was seeing the same thing.)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Is there a new spambot army on the march?
From: Jason Haar [EMAIL PROTECTED]
> Theo Van Dinter wrote:
>> On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:
>>> We are getting HAMMERED with a dictionary attack that is on a scale we have never experienced before.
>>
>> Yeah. I had 260k user unknown entries per day last week (that's over 3 per second for a whole day straight). The weekends are always lighter, with only 110k so far today -- around 8800 different IPs so far.
>
> We're getting around 60/sec for over 24 hours now :-(
>
> It ain't getting in, but the logs are filling my disk ;-)

5 MILLION a day! Who hates Trimble Navigation THAT much? (IMAO they're fairly good guys. I used to do GPS related work - satellite and ground.)

{^_-} Joanne
Re: Is there a new spambot army on the march?
On Mon, Aug 21, 2006 at 11:49:54AM +1200, Jason Haar wrote:
> The Doctor wrote:
>> I may have a server side solution using spamikaze but first what is the SMTP server software that you are using?
>
> We're using Qmail with assorted patches - like the recipient checking one. I think the only solution that would improve our situation would be getting these (6.5K now) IPs into the RBLs - or into our tcpserver ACL list.
>
> (I'm not really looking for a solution - more just wondering if anyone else was seeing the same thing.)

Who knows?? I know I am using spamikaze to turf the beggars.

--
Member - Liberal International This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
New Brunswick kick out the Harper Puppet and VOTE LIBERAL on 18 Sept 2006
Re: Is there a new spambot army on the march?
jdow wrote:
>> We're getting around 60/sec for over 24 hours now :-(
>>
>> It ain't getting in, but the logs are filling my disk ;-)
>
> 5 MILLION a day! Who hates Trimble Navigation THAT much? (IMAO they're fairly good guys. I used to do GPS related work - satellite and ground.)

I guess that's my point. I was wondering if this was within the normal range of dictionary attacks. I've been tracking (in realtime) the IPs sending to non-existent addresses for the past 2 hours, and we are now over 10K separate IP addresses. Sounds like those MS06-040 trojans released last week found their mark :-(

Running the addresses through GeoIP shows they are all over the world. I guess we just weather the storm :-/

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
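The tracking mentioned in this thread (counting the IPs that send to non-existent addresses, then feeding them to a tcpserver ACL) can be sketched as follows. This is an added example, not code from any poster: the log line format, the sample lines, the function names and the threshold are all assumptions, and only the `address:deny` / `:allow` rule syntax comes from ucspi-tcp's tcprules.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample; this line format is an assumption, not qmail's real output.
SAMPLE_LOG = """\
1156116001 reject ip=192.0.2.10 rcpt=<aaron@example.com> reason=user-unknown
1156116001 reject ip=192.0.2.10 rcpt=<abby@example.com> reason=user-unknown
1156116002 reject ip=192.0.2.10 rcpt=<adam@example.com> reason=user-unknown
1156116002 reject ip=198.51.100.7 rcpt=<jsmiht@example.com> reason=user-unknown
1156116003 accept ip=203.0.113.99 rcpt=<jsmith@example.com>
1156116003 reject ip=192.0.2.10 rcpt=<alan@example.com> reason=user-unknown
1156116064 reject ip=198.51.100.7 rcpt=<jsmiht@example.com> reason=user-unknown
1156116070 reject ip=203.0.113.5 rcpt=<Sales@example.com> reason=user-unknown
1156116071 reject ip=203.0.113.5 rcpt=<sales@example.com> reason=user-unknown
1156116072 reject ip=999.1.1.1 rcpt=<x@example.com> reason=user-unknown
"""

REJECT_RE = re.compile(r"\breject ip=(\S+) rcpt=<([^>]*)> reason=user-unknown\b")

def unknown_rcpts_by_ip(log_text):
    """Map each client IPv4 address to the set of unknown recipients it tried."""
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail and unrelated lines are ignored
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # never let a malformed field reach the ACL file
        # Case-fold so "Sales" and "sales" count as one guessed address.
        per_ip[str(ip)].add(m.group(2).lower())
    return dict(per_ip)

def tcprules_deny(per_ip, min_distinct=3, never_block=()):
    """Build tcprules source lines: deny IPs that guessed many distinct addresses.

    Counting distinct recipients rather than raw rejects keeps a legitimate
    server that retries one mistyped address out of the deny list.
    """
    flagged = sorted(
        (ip for ip, rcpts in per_ip.items()
         if len(rcpts) >= min_distinct and ip not in never_block),
        key=ipaddress.IPv4Address,
    )
    return [f"{ip}:deny" for ip in flagged] + [":allow"]

if __name__ == "__main__":
    print("\n".join(tcprules_deny(unknown_rcpts_by_ip(SAMPLE_LOG))))
```

The `never_block` set is where known relays and partner mail servers belong, so a burst of bounces from one of them cannot lock it out.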
Re: Is there a new spambot army on the march?
On 8/20/2006 8:37 PM, jdow wrote:
> From: Jason Haar [EMAIL PROTECTED]
>> We're getting around 60/sec for over 24 hours now :-(
>>
>> It ain't getting in, but the logs are filling my disk ;-)
>
> 5 MILLION a day! Who hates Trimble Navigation THAT much? (IMAO they're fairly good guys. I used to do GPS related work - satellite and ground.)

If it was Garmin, I'd say it's just a user trying to get tech support.

Have fun Jason! :)

Daryl
Re: Is there a new spambot army on the march?
Yeah, I've been getting hammered by these too. I've configured Postfix to do HELO checks and the vast majority (95%) are failing at the MTA.

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive Toronto, ON M3M 1W6
T: 416-247-7740 F: 416-247-7503