Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Weird distributed spam attack

  • From: chuck goolsbee
  • Date: Wed Nov 20 04:21:12 2002


 > Unless, I missed the posts about this,.. I just
 (and still am experiencing) a distributed spam
 attack.
We get these almost continually....
Yep... same here.


it is incredibly depressing to look at the logs. Backup-only MX here see upwards of 10K messages on bad days, mostly attacks of that type.
yep same here... before we ducked for cover (see below) I could grep 800 megs of just "REJECTED" out of our maillog file (two per day). Very depressing.

To make it even more depressing we were only getting harvested on about two dozen of the several thousand domains we run MX for.


Some of the domains chosen for the attack are ridiculous (are 4 valid addresses really worth that effort?).
Well, they don't know that until the dictionary the domain do they? <Sigh.>


I have come to the conclusion that distributed dictionary attacks will eventually get the goods. Sure you can reject by pattern match on ainet.us for this case, but that's not going to help when someone with a large network of spambots sets up a job that:

1) uses completely random from addresses, subject lines and message content
Correct. That is exactly what we have seen.


2) uses an attack algorithm to distribute the load so you only see any given source IP every other day
Yep. My list of "attacking IP's" was several thousand deep before I gave up.


I suspect that this type of attack is currently ongoing, underneath the obvious noise of the cruder tools.
yes. We started seeing it (moderate volume) in July of this year. By August it was equal to "regular" client traffic. By early-October is was kneecapping our mailservers.


Managing the "ignore" list started to become a full-time job, so we surrendered and started using an external blocking service. (see below) Before that we tried filtering at the router(s) and maintaining "ignore" lists on the servers, but it broke all sorts of things you *want* to have happen with secondary mail servers, especially the ones we have off-site.



The only solution I see for the service provider is to recommend their subscribers choose long, complicated usernames not likely to be found in a dictionary.
That doesn't do *anything* to stop the attack, it just hides the user from being harvested (easily.)

It managed to find a couple of my weird addresses though, so while you can run, you can't hide forever.

If anyone has better thoughts as to defense for the above scenario, I would love to hear it.
We have been offering Postini <http://www.postini.com> "spam & virus filtering" to our clients since May. They offer a service that detects, and blocks/ignores the originating harvest spambots. They call it "ActiveEMS"... we tried it on our own domain (one of the first targeted) and we saw it drop like a rock. So we made it "mandatory" for our clients now... they can opt-out of the filtering, but we still hide our mailservers behind theirs, even if our client opts out. That way, the client's *domain* stays protected, but they can read all the spams their hearts desire.

It *still* does some wonky stuff with secondaries, so I might have to buy (grumble) their services as secondary MX spooling.




I used to believe that running a catchall alias was an effective deterrent until the b*st*rds started sending complete spams and not just RCPT TO.
In fact, in this scenario the catch-all is like pouring gasoline on the fire without some giant water tank on the roof to... oh, wait... wrong thread. Sorry.

The only clients we haven't moved to Postini are those with "catch-all" addresses. Those break under Postini... well, they don't really "break" accept the bank, as clients get charged per-address. We are spreading clues as much as we can to discourage catch-alls. I hope to have all but the completely entrenched converted by year-end. Then we just have to wait until they get harvested... then they'll change their mind.

We have one client, who owns close to 50 domains... all with a catch-all going to his *one* address. He went from getting maybe 30 spams a week to several hundred a day... just because a single domain was harvested by these attacks.


The only alternative I see is a blacklist populated by some type of distributed detection system... if enough of us under attack contributed 550 unknown user logs, there should be an easily definable threshold for human error.
Interesting alternative... the hard part is making it work. How does it face the spambots, but still not refuse actual legit mail traffic coming into your primary MX? What is the threshold where it recognizes an attack from the normal traffic and start feeding the BS to the Bots?

I have about 4 gigs of 550 logs to contribute.


Mike
--
With all the spam I get, maybe mlewinski isn't such a bad idea for username after all.
heh.




Totally OT, but a nice bonus with Postini was re-acquainting myself with somebody I knew from a Network Manager's user group (ANMA) I was in back in the early 90's. The salesdroid at Postini introduced me to my "install engineer" and it was a guy who was the pres of the Bay Area chapter... when I was the pres of the Northwest one. We both had a good laugh. Small world.
--

Chuck Goolsbee V.P. Technical Operations
_________________________________________________________________
digital.forest Phone: +1-877-720-0483, x2001
where Internet solutions grow Int'l: +1-425-483-0483
19515 North Creek Parkway Fax: +1-425-482-6871
Suite 208 http://www.forest.net
Bothell, WA 98011 email: cg@forest.net




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.