Distributed Dictionary email slam
Matt Hess
mhess at solarius.org
Sun Sep 5 21:39:50 UTC 2004
We are secondary mx for a specific domain that has been hammered since
Friday night. We've accumulated literally thousands of email messages in
our queue while the primary mx at the customer site is out of service
yet again. In looking at the queue it appears that it's one heck of a
dictionary based slam. Interesting thing about this is that it is
distributed.. entire dictionary destination addresses such as
bene*@domain.com come from one host (apparently with a trojan on it or
otherwise) while benf*@domain.com come from yet a different host.. and
so on down the alphabet all the while constantly changing source hosts..
Now being as we are a secondary mx I'm dropping their record out of our
email system as I write this, however, I am curious if others have gone
through or are currently going through something of this magnitude (12K
spam/dictionary msgs per hour destined to one domain and that's just
what is getting past the blacklist checks). Normally I see my spam block
daemon at around 10 - 15 concurrent requests.. right now it's tearing
along at around 160 - 180 concurrent bad connections.
And of course a few suggestions to mitigate this would be appreciated..
I currently employ multiple blacklists such as spamcop.net, abuseat.org,
SPEWS level 1 and 2, and Spamhaus, plus my own blocklists for China and
Korea to check on incoming email source addresses.
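The pattern described in the post (each source host walking one alphabetical slice of the local-part dictionary, such as bene* from one IP and benf* from another) can be pulled out of a mail log by grouping recipients per connecting client and checking whether the local parts share a prefix. The following is an added example, not code from the post or from NANOG; the log format is a simplified, hypothetical one-line-per-RCPT smtpd format, the sample lines are constructed, the IPs are RFC 5737 documentation ranges, and the thresholds (`min_rcpts`, `min_prefix`) are assumptions to tune against real traffic.

```python
import os
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical smtpd format with the
# connecting client and the recipient on one line. Not taken from the post.
SAMPLE_LOG = """\
Sep  5 20:01:02 mx2 smtpd[4321]: client=unknown[192.0.2.10] to=<benedict@example.com> status=queued
Sep  5 20:01:03 mx2 smtpd[4321]: client=unknown[192.0.2.10] to=<benefit@example.com> status=queued
Sep  5 20:01:03 mx2 smtpd[4321]: client=unknown[192.0.2.10] to=<benelux@example.com> status=queued
Sep  5 20:01:04 mx2 smtpd[4321]: client=unknown[192.0.2.10] to=<benet@example.com> status=queued
Sep  5 20:01:05 mx2 smtpd[4325]: client=unknown[198.51.100.7] to=<benford@example.com> status=queued
Sep  5 20:01:05 mx2 smtpd[4325]: client=unknown[198.51.100.7] to=<benfield@example.com> status=queued
Sep  5 20:01:06 mx2 smtpd[4325]: client=unknown[198.51.100.7] to=<benfry@example.com> status=queued
Sep  5 20:01:07 mx2 smtpd[4330]: client=mail.partner.example[203.0.113.5] to=<alice@example.com> status=queued
Sep  5 20:01:08 mx2 smtpd[4330]: client=mail.partner.example[203.0.113.5] to=<bob@example.com> status=queued
Sep  5 20:01:09 mx2 smtpd[4330]: client=mail.partner.example[203.0.113.5] to=<carol@example.com> status=queued
Sep  5 20:01:10 mx2 smtpd[4331]: client=unknown[192.0.2.20] to=<benedict@other.example> status=queued
"""

# Pull the client IP and the recipient local part / domain out of one line.
LINE_RE = re.compile(
    r"client=\S*?\[(?P<ip>[^\]]+)\]\s+to=<(?P<local>[^@>]+)@(?P<domain>[^>]+)>"
)


def recipients_by_client(log_text, target_domain):
    """Map each connecting client IP to the set of distinct local parts it
    addressed at target_domain. Recipients at other domains are ignored."""
    rcpts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("domain").lower() != target_domain.lower():
            continue
        rcpts[m.group("ip")].add(m.group("local").lower())
    return rcpts


def find_dictionary_sources(log_text, target_domain, min_rcpts=3, min_prefix=3):
    """Flag clients that walked a run of the dictionary: at least min_rcpts
    distinct local parts that all share a prefix of min_prefix or more chars.
    Returns [(ip, shared_prefix, distinct_recipient_count)] sorted by prefix,
    so adjacent alphabetical slices handled by different hosts line up.
    A legitimate relay sending to unrelated users (alice, bob, carol) has an
    empty common prefix and is not flagged."""
    hits = []
    for ip, local_parts in recipients_by_client(log_text, target_domain).items():
        if len(local_parts) < min_rcpts:
            continue
        prefix = os.path.commonprefix(sorted(local_parts))
        if len(prefix) >= min_prefix:
            hits.append((ip, prefix, len(local_parts)))
    return sorted(hits, key=lambda hit: hit[1])


def to_access_map(hits):
    """Render flagged IPs as Postfix access(5)-style map lines, one per IP,
    for feeding into a local client blocklist alongside the public DNSBLs."""
    return [f"{ip}\tREJECT dictionary attack source ({prefix}*)" for ip, prefix, _ in hits]


if __name__ == "__main__":
    for ip, prefix, count in find_dictionary_sources(SAMPLE_LOG, "example.com"):
        print(f"{ip}: {count} distinct recipients, all {prefix}*")
    print("\n".join(to_access_map(find_dictionary_sources(SAMPLE_LOG, "example.com"))))
```

Run against the sample, this flags 192.0.2.10 (four bene* recipients) and 198.51.100.7 (three benf* recipients) and leaves the partner relay at 203.0.113.5 alone. The common-prefix test is deliberately crude: a host that spans two slices (benz* into bent*) shortens the prefix, so a sliding window over the sorted local parts, or a plain per-client recipient-count threshold, is the sturdier check when the sources rotate as fast as the post describes.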
More information about the NANOG mailing list