Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Weird distributed spam attack

  • From: Mike Lewinski
  • Date: Wed Nov 20 03:14:14 2002


dru-nanog@redwoodsoft.com wrote:

>
> Unless, I missed the posts about this,.. I just
> (and still am experiencing) a distributed spam
> attack.

We get these almost continually.... it is incredibly depressing to look at the logs. Backup-only MX here see upwards of 10K messages on bad days, mostly attacks of that type.

Some of the domains chosen for the attack are ridiculous (are 4 valid addresses really worth that effort?).

I have come to the conclusion that distributed dictionary attacks will eventually get the goods. Sure you can reject by pattern match on ainet.us for this case, but that's not going to help when someone with a large network of spambots sets up a job that:

1) uses completely random from addresses, subject lines and message content

2) uses an attack algorithm to distribute the load so you only see any given source IP every other day

I suspect that this type of attack is currently ongoing, underneath the obvious noise of the cruder tools. The only solution I see for the service provider is to recommend their subscribers choose long, complicated usernames not likely to be found in a dictionary.

If anyone has better thoughts as to defense for the above scenario, I would love to hear it. I used to believe that running a catchall alias was an effective deterrent until the b*st*rds started sending complete spams and not just RCPT TO. The only alternative I see is a blacklist populated by some type of distributed detection system... if enough of us under attack contributed 550 unknown user logs, there should be an easily definable threshold for human error.

Mike
--
With all the spam I get, maybe mlewinski isn't such a bad idea for username after all.





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.