Weird distributed spam attack

sjj at pobox.com
Fri Nov 22 15:54:30 UTC 2002


> >2) uses an attack algorithm to distribute the load so you only see 
> >any given source IP every other day
> Yep. My list of "attacking IPs" was several thousand deep before I gave up.

Back when I used to analyze dialup spammers (well over a year ago) I felt that
a large part of the spam problem could be traced back to just a handful of very
prolific abusers.  Some were "professionals", with 4 to 8 phone lines at home;
others seemed to be mixing their home and work phone access.  One(?) person
laundered all his calls through 800-number accessible switchboards (hotels and
resorts).  I still think pursuing just these heavy hitters could pay off big
for everyone, for a short time at least.

If you want to try some simple analysis on your own:
  - once you have a spammer's userid and caller ID, pull every record for that
userid and caller ID.  This will give you several new userids and phone
numbers.  Pull all of those too, and keep repeating until nothing new pops out.
Search all of your logs for as far back as possible.  Watch out for mixed case
and trailing spaces.
  - every few iterations, use a round of reverse number lookups at anywho.com,
and the address and name lookups at infospace.com to expand your phone numbers.
  - if any of the numbers trace back to businesses, knock off (wild card) the
last one or two digits of the phone numbers and search again.
  - Google any distinctive (personal?) userids.

(obNanog: I doubt many other groups' members have access to the needed records)
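The iterative "pull, expand, repeat until nothing new" step above, written out as an added example (not code from the post or from NANOG). It assumes dialup accounting records have already been reduced to (userid, caller ID) pairs; the records below are constructed, and the wildcard option implements the "knock off the last digits" step for business switchboards.

```python
# Constructed sample dialup accounting records: (userid, caller_id) per login.
RECORDS = [
    ("spamking", "5551230001"),
    ("SpamKing ", "5551230002"),   # mixed case + trailing space, same account
    ("bulkmail7", "5551230002"),   # shares a phone line with spamking
    ("bulkmail7", "5559870010"),
    ("marketer", "5559870010"),
    ("nightowl", "5552220043"),    # dials in from a hotel PBX line block
    ("alice", "5550001111"),       # unrelated users, must not be pulled in
    ("bob", "5550002222"),
]


def norm(value):
    """Normalise userids/caller IDs so mixed case and trailing spaces still match."""
    return value.strip().lower()


def expand_cluster(records, seed_userids=(), seed_callerids=(), wildcard_digits=0):
    """Pull every record touching a known userid or caller ID, add the new ids
    that turn up, and repeat until a pass finds nothing new (a fixpoint).

    wildcard_digits > 0 also matches caller IDs that share all but the last
    N digits with a known number, i.e. a business's block of lines.
    Returns (userids, caller_ids) as sets of normalised values."""
    users = {norm(u) for u in seed_userids}
    phones = {norm(p) for p in seed_callerids}

    def phone_key(p):
        return p[:-wildcard_digits] if wildcard_digits else p

    while True:
        keys = {phone_key(p) for p in phones}
        new_users, new_phones = set(), set()
        for uid, cid in records:
            uid, cid = norm(uid), norm(cid)
            if uid in users or phone_key(cid) in keys:
                new_users.add(uid)
                new_phones.add(cid)
        if new_users <= users and new_phones <= phones:
            return users, phones      # nothing new popped out: done
        users |= new_users
        phones |= new_phones


if __name__ == "__main__":
    print(expand_cluster(RECORDS, seed_userids=["spamking"]))
```

Starting from the single userid "spamking" the loop walks to bulkmail7 via the shared line and on to marketer via bulkmail7's second line, while alice and bob stay out.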



More information about the NANOG mailing list