
Re: [anti-spam-wg@localhost] New kind of spam attack? How to defend?


We've seen a similar kind of attack for quite some time and I've spent
much too much time fighting it - blocking hosts/networks that "sneak
in" mail via the more expensive backup MX host although the "cheapest"
is known to be up, etc, etc. I also ended up relay-blocking large
quantities of the IP space in advance, e.g.

     61.0.0.0/8
    200.0.0.0/8
    203.0.0.0/8
    210.0.0.0/8
    211.0.0.0/8
    218.0.0.0/8

and numerous /16 and /24. Effectively this takes away all the good in
having a backup MX host, so by now we've given up and have a single
MX host without backup for each (sub)domain, with a few exceptions.
Sad, but impossible to keep on.

	Gunnar Lindberg

PS
    My "relay-blocking" sendmail responds "4xx Tempfail" which should
    be OK from a protocol standpoint, but which renders the entire
    idea of a backup MX host fairly useless.
								    DS

>From anti-spam-wg-admin@localhost  Thu Oct 31 09:50:32 2002
>Date: Wed, 30 Oct 2002 11:37:54 +0100 (MET)
>From: Paul Wouters paul@localhost
>To: anti-spam@localhost
>Message-ID: <Pine.LNX.4.44.0210301127240.21515-100000@localhost>
>Subject: [anti-spam-wg@localhost] New kind of spam attack? How to defend?

>Hi people,

>I have been seeing a new kind of spam attack for which I have no solution.

>We're seeing a large distributed network sending us batches of spam for a
>domain we are fallback MX for. The IP list seems very distributed, with a
>focus on APNIC IPs. No IP sends more than about 20 batches. We're talking
>about a few thousand emails per day (while trying to fight it).

>The worst problem is that these batches are basically bruteforced address lists.
>So we see aaabcde@localhost, aaabcdf@localhost etc. Since of course the sender
>is false or disabled, this generates thousands of double bounces between
>us and the best MX host, which is refusing the messages with 'user unknown'.

>I know I can get rid of the double bounces by accepting the messages and
>silently dropping them, but that still means thousands of nonsense messages
>travel from the outside to the fallback MX to the best MX.

>Has anyone else seen this kind of spam attack? So far, this is only
>happening to one co.uk domain we're fallback for, but I fear the day this
>will be the next standard delivery method for spam; I'd probably be
>forced to block port 25 for all of 200/8 and a few others :(

>I've temporarily disabled relaying for the co.uk domain to at least stop
>the attacks for now, but obviously this is not a real long-term solution.

>(sorted list of IPs in use available upon request)

>Paul Wouters
>Xtended Internet
>--
>Broerdijk 27			Postbus 170		Tel: 31-24-360 39 19
>6523 GM Nijmegen		6500 AD Nijmegen	Fax: 31-24-360 19 99
>The Netherlands			The Netherlands		info@localhost
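
A defender-side illustration of spotting the pattern Paul describes (sequential localparts spread over many client IPs, almost all of them unknown to the domain) at the backup MX before it relays anything; this is an added example, not code from either poster, and the sample records, the deliverable-address list and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (client_ip, recipient) pairs as a backup MX sees them
# at RCPT TO time. The sequential localparts mimic the "aaabcde@, aaabcdf@"
# dictionary run from the thread; the IPs are documentation ranges.
SAMPLE = [
    ("192.0.2.10", "aaabcde@example.co.uk"),
    ("192.0.2.10", "aaabcdf@example.co.uk"),
    ("198.51.100.7", "aaabcdg@example.co.uk"),
    ("198.51.100.7", "aaabcdh@example.co.uk"),
    ("203.0.113.5", "aaabcdi@example.co.uk"),
    ("203.0.113.5", "aaabcdj@example.co.uk"),
    ("192.0.2.44", "aaabcdk@example.co.uk"),
    ("192.0.2.44", "sales@example.co.uk"),
    ("203.0.113.9", "alice@example.org"),
    ("203.0.113.9", "bob@example.org"),
]

# Assumption: the backup MX holds a list of deliverable addresses per domain
# (configured by the domain owner), so unknown recipients can be refused at
# RCPT time instead of being relayed to the primary and bounced back.
KNOWN = {"sales@example.co.uk", "alice@example.org", "bob@example.org"}


def one_char_apart(a, b):
    """True when two equal-length localparts differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def analyse(records, known, min_ips=3, unknown_ratio=0.8, seq_ratio=0.5):
    """Per-domain metrics plus a flag for a distributed dictionary run."""
    by_domain = defaultdict(list)
    for ip, rcpt in records:
        by_domain[rcpt.split("@", 1)[1]].append((ip, rcpt))
    report = {}
    for domain, hits in by_domain.items():
        rcpts = [r for _, r in hits]
        unknown = sum(r not in known for r in rcpts) / len(rcpts)
        # Sorted unique localparts: a brute-forced list shows up as a run of
        # neighbours that differ by a single character.
        parts = sorted({r.split("@", 1)[0] for r in rcpts})
        pairs = list(zip(parts, parts[1:]))
        seq = sum(one_char_apart(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0
        ips = len({ip for ip, _ in hits})
        flag = ips >= min_ips and unknown >= unknown_ratio and seq >= seq_ratio
        report[domain] = {"ips": ips, "unknown": unknown, "sequential": seq, "flag": flag}
    return report
```

Refusing unknown recipients at RCPT time on the secondary stops the double bounces at the edge, since nothing is ever accepted for forwarding and no bounce is owed to the forged sender.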
