Weird distributed spam attack
mike at rockynet.com
Wed Nov 20 08:11:38 UTC 2002
dru-nanog at redwoodsoft.com wrote:
> Unless I missed the posts about this... I just
> (and still am experiencing) a distributed spam
We get these almost continually.... it is incredibly depressing to look
at the logs. Backup-only MX here see upwards of 10K messages on bad
days, mostly attacks of that type.
Some of the domains chosen for the attack are ridiculous (are 4 valid
addresses really worth that effort?).
I have come to the conclusion that distributed dictionary attacks will
eventually get the goods. Sure you can reject by pattern match on
ainet.us for this case, but that's not going to help when someone with a
large network of spambots sets up a job that:
1) uses completely random from addresses, subject lines and message content
2) uses an attack algorithm to distribute the load so you only see any
given source IP every other day
I suspect that this type of attack is currently ongoing, underneath the
obvious noise of the cruder tools. The only solution I see for the
service provider is to recommend their subscribers choose long,
complicated usernames not likely to be found in a dictionary.
If anyone has better thoughts as to defense for the above scenario, I
would love to hear it. I used to believe that running a catchall alias
was an effective deterrent until the b*st*rds started sending complete
spams and not just RCPT TO. The only alternative I see is a blacklist
populated by some type of distributed detection system... if enough of
us under attack contributed 550 unknown user logs, there should be an
easily definable threshold for human error.
With all the spam I get, maybe mlewinski isn't such a bad idea for
username after all.
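An added example, not part of the original post or the NANOG thread, of the "550 unknown user" threshold idea the message ends on: it parses Postfix-style smtpd reject lines, aggregates rejections per source IP, and flags sources that have probed many *distinct* nonexistent recipients. A human typo produces one or two distinct bad addresses (possibly retried), while a dictionary walk produces many, which is the separable threshold the author is after. The two log sets are constructed so that each site alone sees the probing host only a few times (the "every other day" spreading the author describes), but merging logs from both sites pushes it over the threshold, which is the distributed-detection point. The log lines, host names and IP addresses are all constructed sample data; the format follows Postfix's reject logging, but the threshold of five is an assumption, not a value from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not from the original post). Site A and site B are
# two backup MX hosts contributing their 550 rejections to a shared detector.
SITE_A_LOG = """
Nov 18 03:14:07 mx2 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alice@example.net>: Recipient address rejected: User unknown in local recipient table; from=<qzt@ainet.us> to=<alice@example.net> proto=ESMTP helo=<ainet.us>
Nov 18 03:14:09 mx2 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.net>: Recipient address rejected: User unknown in local recipient table; from=<qzt@ainet.us> to=<adam@example.net> proto=ESMTP helo=<ainet.us>
Nov 18 09:40:51 mx2 postfix/smtpd[2310]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 550 5.1.1 <saless@example.net>: Recipient address rejected: User unknown in local recipient table; from=<pat@example.com> to=<saless@example.net> proto=ESMTP helo=<mail.example.com>
Nov 18 09:41:30 mx2 postfix/smtpd[2310]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 550 5.1.1 <saless@example.net>: Recipient address rejected: User unknown in local recipient table; from=<pat@example.com> to=<saless@example.net> proto=ESMTP helo=<mail.example.com>
Nov 20 03:15:12 mx2 postfix/smtpd[2602]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@example.net>: Recipient address rejected: User unknown in local recipient table; from=<hwr@ainet.us> to=<bob@example.net> proto=ESMTP helo=<ainet.us>
Nov 20 03:15:40 mx2 postfix/smtpd[2602]: 5B1C3A7: from=<joe@example.com>, size=2048, nrcpt=1 (queue active)
"""

SITE_B_LOG = """
Nov 19 14:02:11 mx3 postfix/smtpd[7710]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in local recipient table; from=<mbx@ainet.us> to=<carol@example.org> proto=ESMTP helo=<ainet.us>
Nov 19 14:02:13 mx3 postfix/smtpd[7710]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <chris@example.org>: Recipient address rejected: User unknown in local recipient table; from=<mbx@ainet.us> to=<chris@example.org> proto=ESMTP helo=<ainet.us>
Nov 19 14:02:16 mx3 postfix/smtpd[7710]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <dan@example.org>: Recipient address rejected: User unknown in local recipient table; from=<mbx@ainet.us> to=<dan@example.org> proto=ESMTP helo=<ainet.us>
"""

# Matches only RCPT-stage 550 "User unknown" rejections; other smtpd lines are ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 [\d.]+ <(?P<rcpt>[^>]+)>: .*?User unknown"
)


def parse_rejects(log_text, year=2002):
    """Yield (timestamp, source_ip, rejected_recipient) for each 550 unknown-user line.

    Syslog lines carry no year, so the caller supplies one (assumption: 2002 here).
    """
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["rcpt"].lower()


def merge_site_logs(*logs):
    """Pool rejection events from several contributing sites into one list."""
    events = []
    for log in logs:
        events.extend(parse_rejects(log))
    return events


def score_sources(events):
    """Per source IP: distinct rejected recipients, distinct days seen, total rejections."""
    stats = defaultdict(lambda: {"rcpts": set(), "days": set(), "total": 0})
    for ts, ip, rcpt in events:
        s = stats[ip]
        s["rcpts"].add(rcpt)
        s["days"].add(ts.date())
        s["total"] += 1
    return stats


def flag_dictionary_sources(stats, min_distinct_rcpts=5):
    """Return IPs whose count of distinct unknown recipients reaches the threshold.

    Counting distinct recipients rather than total rejections keeps a legitimate
    sender retrying one mistyped address below the bar. The threshold value is an
    assumption for this example.
    """
    return sorted(ip for ip, s in stats.items() if len(s["rcpts"]) >= min_distinct_rcpts)


if __name__ == "__main__":
    # Each site alone stays under the threshold; the pooled view does not.
    print("site A alone:", flag_dictionary_sources(score_sources(parse_rejects(SITE_A_LOG))))
    print("site B alone:", flag_dictionary_sources(score_sources(parse_rejects(SITE_B_LOG))))
    pooled = score_sources(merge_site_logs(SITE_A_LOG, SITE_B_LOG))
    print("pooled:", flag_dictionary_sources(pooled))
    for ip, s in sorted(pooled.items()):
        print(f"{ip}: {len(s['rcpts'])} distinct rcpts, {len(s['days'])} days, {s['total']} total")
```

The "days" count is what makes the author's second scenario visible: a source that spreads its probing so each MX sees it only every other day still accumulates distinct days and distinct recipients once several sites pool their logs, while the lone typo from 198.51.100.7 stays at one distinct recipient no matter how often it is retried.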