[anti-spam-wg@localhost] New kind of spam attack? How to defend?
- Date: Wed, 30 Oct 2002 11:37:54 +0100 (MET)
Hi people,
I have been seeing a new kind of spam attack for which I have no solution.
We're seeing a large distributed network sending us batches of spam for a
domain we are fallback MX for. The IP list seems very disdributed, with a
focus on apnic IP's. No IP sends more then about 20 batches. We're talking
about a few thousand emails per day (while trying to fight it)
The worst problem is that these batches are basicly bruteforced address lists.
So we see aaabcde@localhost, aaabcdf@localhost etc. Since ofcourse the sender
is false or disabled, this generates thousands of double bounces between
us and the best MX host which is refusing the messages with 'user unknown'.
I know I can get rid of the double bounces by accepting the messages and
silently dropping them, but that still means thousands of nonsense messages
travel from the outside to the fallback MX to the best MX.
Has anyone else seen this kind of spam attack? So far, this is only
happening to one co.uk domain we're fallback for, but I fear the day this
will be the next standard delivery method for spam; I'd probably be
forced to block port 25 for all of 200/8 and a few others :(
I've temporarily disabled relaying for the co.uk domain to at least stop
the attacks for now, but obviously this is not a real longterm solution.
(sorted list of IP's in use available upon request)
Paul Wouters
Xtended Internet
--
Broerdijk 27 Postbus 170 Tel: 31-24-360 39 19
6523 GM Nijmegen 6500 AD Nijmegen Fax: 31-24-360 19 99
The Netherlands The Netherlands info@localhost