Weird distributed spam attack

Mike Lewinski mike at
Wed Nov 20 08:11:38 UTC 2002

dru-nanog at wrote:

 > Unless, I missed the posts about this,.. I just
 > (and still am experiencing) a distributed spam
 > attack.

We get these almost continually.... it is incredibly depressing to look 
at the logs. Backup-only MX here see upwards of 10K messages on bad 
days, mostly attacks of that type.

Some of the domains chosen for the attack are ridiculous (are 4 valid 
addresses really worth that effort?).

I have come to the conclusion that distributed dictionary attacks will 
eventually get the goods. Sure you can reject by pattern match on for this case, but that's not going to help when someone with a 
large network of spambots sets up a job that:

1) uses completely random from addresses, subject lines and message content

2) uses an attack algorithm to distribute the load so you only see any 
given source IP every other day

I suspect that this type of attack is currently ongoing, underneath the 
obvious noise of the cruder tools. The only solution I see for the 
service provider is to recommend their subscribers choose long, 
complicated usernames not likely to be found in a dictionary.

If anyone has better thoughts as to defense for the above scenario, I 
would love to hear it. I used to believe that running a catchall alias 
was an effective deterrent until the b*st*rds started sending complete 
spams and not just RCPT TO. The only alternative I see is a blacklist 
populated by some type of distributed detection system... if enough of 
us under attack contributed 550 unknown user logs, there should be an 
easily definable threshold for human error.

With all the spam I get, maybe mlewinski isn't such a bad idea for 
username after all.

More information about the NANOG mailing list