Wired mag article on spammers playing traceroute games with trojaned boxes

David Keith dkeith at mgmtransport.com
Thu Oct 9 16:49:17 UTC 2003


> On Thursday, October 9, 2003, at 12:24  PM, Suresh Ramasubramanian wrote:
>

> Nope - the guy would get more trojaned boxes, no shortage of unpatched
> windows machines on broadband.
>
> There are two ways to go here -
>
> * Nullroute or bogus out in your resolvers the DNS servers for this
> domain --> two problems here.  One is that the spammer doesn't use
> vano-soft.biz in the smtp envelope, and second, he abuses open
> redirectors like yahoo's srd.yahoo.com

This may apply w/r/t something I've been seeing for the last couple of days.
I've been seeing e-mails into our server with the following characteristics:

1).  Sent to invalid user on our domain
2).  Sent from varying origins; usually, groups of three arriving ~ every
half hour
3).  Origin IP on mostly home broadband networks in US
4).  Frequently, purported sender's e-mail address non-US domain although
originating from US domain, with the language of the e-mail text matching
the purported sender's domain (lots of German spam...guess that's the
current flavor).
5).  Invalid user send-to addresses arriving in groups in alphabetical order
(nice list processing)

It looks like the person(s) responsible is using a distributed network of
trojaned PCs, varying send-to mail servers every 3 messages or so.  This way,
spam arrives at the purported sender's address as an undelivered-mail bounce
with our address in the SMTP envelope, in low enough volume (they hope) not to
trigger filtering based on source IP.

I wonder how long until legitimate mail servers start getting blackholed
because of bounce messages?

David Keith
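One way to pick the pattern David describes out of an MTA log, as an added example that is not part of the original thread: bursts of rejections for unknown local users, each from a different client IP, recipients in alphabetical order, senders all outside the local domain. The log format, the local domain `example.com`, the 120-second grouping gap and the sample lines are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines (not from the post): one line per inbound delivery attempt.
SAMPLE_LOG = """\
2003-10-09T12:00:01 client=192.0.2.10 from=<hans@example.de> to=<aaron@example.com> status=unknown_user
2003-10-09T12:00:03 client=198.51.100.7 from=<jutta@example.de> to=<abbott@example.com> status=unknown_user
2003-10-09T12:00:05 client=203.0.113.22 from=<karl@example.de> to=<adams@example.com> status=unknown_user
2003-10-09T12:10:00 client=192.0.2.44 from=<bob@partner.example> to=<dkeith@example.com> status=delivered
2003-10-09T12:31:02 client=198.51.100.9 from=<uwe@example.de> to=<albert@example.com> status=unknown_user
2003-10-09T12:31:04 client=203.0.113.5 from=<ralf@example.de> to=<allen@example.com> status=unknown_user
2003-10-09T12:31:06 client=192.0.2.77 from=<petra@example.de> to=<anders@example.com> status=unknown_user
2003-10-09T12:45:00 client=192.0.2.44 from=<typo@partner.example> to=<dkieth@example.com> status=unknown_user
"""
LOCAL_DOMAIN = "example.com"  # assumed local domain for the constructed data
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) from=<(?P<sender>[^>]*)> "
                     r"to=<(?P<rcpt>[^>]+)> status=(?P<status>\S+)$")

def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def find_backscatter_bursts(events, max_gap=timedelta(seconds=120), min_size=3):
    """Flag bursts of unknown-user rejections that fit the reported pattern:
    several close together, each from a different client IP, recipient local
    parts in alphabetical order, and every envelope sender outside our domain."""
    # Split the rejections into bursts wherever the gap to the previous one exceeds max_gap.
    bursts = []
    for ev in (e for e in events if e["status"] == "unknown_user"):
        if bursts and ev["ts"] - bursts[-1][-1]["ts"] <= max_gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    flagged = []
    for b in bursts:
        rcpts = [e["rcpt"].split("@")[0] for e in b]
        clients = sorted({e["client"] for e in b})
        foreign = all(not e["sender"].endswith("@" + LOCAL_DOMAIN) for e in b)
        if len(b) >= min_size and len(clients) == len(b) and rcpts == sorted(rcpts) and foreign:
            flagged.append((b[0]["ts"].isoformat(), rcpts, clients))
    return flagged

if __name__ == "__main__":
    for start, rcpts, clients in find_backscatter_bursts(parse_log(SAMPLE_LOG)):
        print(start, "alphabetical run of bad recipients", rcpts, "from", clients)
```

The lone misspelled-address rejection at 12:45 is left alone, which is the point: a single bounce is normal, a dictionary-ordered run from several broadband hosts is not.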
