Folks, I'm receiving about 25K spams per minute with this subject: Subject: "Looking for Sex Tonight? Curtis Blackman" They randomize the name on the subject line. Is this any particular virus/malware/zombie signature and any suggestion on how to defend against it besides what I'm already doing (which is all of the obvious, rbls, spam appliances, hot cocoa, etc.)? This happened right around the time I started securing the name server infrastructure with BIND upgrades and recursor/authoritative NS splitting. :-) Best, Marty
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
They randomize the name on the subject line. Is this any particular virus/malware/zombie signature and any suggestion on how to defend against it besides what I'm already doing (which is all of the obvious, rbls, spam appliances, hot cocoa, etc.)?
This happened right around the time I started securing the name server infrastructure with BIND upgrades and recursor/authoritative NS splitting. :-)
RBLs are only effective against perhaps 50% of spam traffic, because so much of it comes from never-seen-before zombies. What appliances are you running? You might want to look at some kind of edge email traffic shaping layer. Regards, Ken - -- Ken Simpson CEO, MailChannels Fax: +1 604 677 6320 Web: http://mailchannels.com MailChannels - Reliable Email Delivery (tm) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFG/EGb2YHPr/ypq5QRAuKNAKCYqf7uVoJmSAdKSSFH1NOTsLsZ6gCgk1Id 7+dI9UOemZtgqAI5pM+LwY4= =V0fG -----END PGP SIGNATURE-----
On Sep 28, 2007, at 6:49 AM, Ken Simpson wrote:
You might want to look at some kind of edge email traffic shaping layer.
So that 'Curtis Blackman' is the only one getting SMTP through to Martin and his customers? ;> Assuming nothing in the header which could be blocked by S/RTBH or ACLs (or a QoS policy), some of the various DDoS scrubbers available from different vendors may be able to deal with this via the anomalous TCP rates associated with these streams of spam, and/or regexp. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice I don't sound like nobody. -- Elvis Presley
On Thu, 27 Sep 2007, Ken Simpson wrote:
RBLs are only effective against perhaps 50% of spam traffic, because so much of it comes from never-seen-before zombies.
I'm seeing 80%-90% of spam blocked by the Spamhaus ZEN list, which includes the PBL for blocking home computers, infected or not. Tony. -- f.a.n.finch <dot@dotat.at> http://dotat.at/ IRISH SEA: SOUTHERLY, BACKING NORTHEASTERLY FOR A TIME, 3 OR 4. SLIGHT OR MODERATE. SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
RBLs are only effective against perhaps 50% of spam traffic, because so much of it comes from never-seen-before zombies.
I'm seeing 80%-90% of spam blocked by the Spamhaus ZEN list, which includes the PBL for blocking home computers, infected or not.
Sorry, should have added, "Your Results May Vary" :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFG/Uev2YHPr/ypq5QRAmX4AJ0bQA3KScyMBLjwWzhnZq5nFlGj3wCfR7nc JO5q/i7gJTHK1N3Izfvlp8I= =C8VF -----END PGP SIGNATURE-----
Did you check the source IP in the headers? My logs show that they are coming from a buncha residential IP addresses so its prolly a bot network doing it. Most of the messages going through our servers with that have the domain lifeleaksfromyo.com in it which is causing the messages to fail in our servers. You can always try the rbl that lists a lot of residential IP's in it...i think it's the PBL from spamhaus. That would help limit it, and blocking emails with the domain lifeleaksfromyo.com.... Other then that I'm out of ideas. What spam appliance are you using? Raymond Corbin HostMySite.com 877.215.4678 -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Martin Hannigan Sent: Thursday, September 27, 2007 7:32 PM To: nanog@merit.edu Subject: DDoS Question Folks, I'm receiving about 25K spams per minute with this subject: Subject: "Looking for Sex Tonight? Curtis Blackman" They randomize the name on the subject line. Is this any particular virus/malware/zombie signature and any suggestion on how to defend against it besides what I'm already doing (which is all of the obvious, rbls, spam appliances, hot cocoa, etc.)? This happened right around the time I started securing the name server infrastructure with BIND upgrades and recursor/authoritative NS splitting. :-) Best, Marty
On 9/27/07, Raymond L. Corbin <rcorbin@hostmysite.com> wrote:
Did you check the source IP in the headers? My logs show that they are coming from a buncha residential IP addresses so its prolly a bot network doing it. Most of the messages going through our servers with that have the domain lifeleaksfromyo.com in it which is causing the messages to fail in our servers. You can always try the rbl that lists a lot of residential IP's in it...i think it's the PBL from spamhaus. That would help limit it, and blocking emails with the domain lifeleaksfromyo.com.... Other then that I'm out of ideas. What spam appliance are you using?
Raymond, all: Thanks for all the responses, public and private. I did, and am, watching the sources. It's uninteresting in terms of capability to act since it's spread out pretty widely and it's obviously difficult to tell what will and will not cause collateral damage. I'll capture some source traffic and put it out on the web for all the researches that replied looking for sample data. I think I can probably pcap something that won't violate any privacy laws where this is. In the meantime, here's some sources that are in the top tier of connections: 3215 | 86.195.231.168 | AS3215 France Telecom - Orange 3269 | 87.19.141.208 | ASN-IBSNAZ TELECOM ITALIA 3320 | 84.148.13.150 | DTAG Deutsche Telekom AG 3320 | 84.148.13.150 | DTAG Deutsche Telekom AG 3320 | 84.148.13.150 | DTAG Deutsche Telekom AG 3320 | 84.148.13.150 | DTAG Deutsche Telekom AG 6746 | 89.136.159.120 | ASTRAL ASTRAL Telecom SA, Romania 7132 | 67.120.22.10 | SBIS-AS - AT&T Internet Services 9121 | 78.180.16.161 | TTNET TTnet Autonomous System 9121 | 85.108.127.90 | TTNET TTnet Autonomous System 9121 | 85.108.127.90 | TTNET TTnet Autonomous System 9121 | 85.108.127.90 | TTNET TTnet Autonomous System 10796 | 71.79.216.254 | SCRR-10796 - Road Runner HoldCo LLC 10796 | 71.79.216.254 | SCRR-10796 - Road Runner HoldCo LLC 19262 | 71.254.34.123 | VZGNI-TRANSIT - Verizon Internet Services Inc. 22773 | 64.58.163.237 | CCINET-2 - Cox Communications Inc. 25041 | 91.125.42.251 | BRIGHTVIEW-UK-AS Brightview Internet Services AS 35911 | 24.212.10.244 | BNQ-1 - Telebec 35911 | 24.212.10.244 | BNQ-1 - Telebec
Raymond L. Corbin wrote:
messages to fail in our servers. You can always try the rbl that lists a lot of residential IP's in it...i think it's the PBL from spamhaus. That would help limit it, and blocking emails with the domain
You'd have better luck with SORBS DUHL if you don't want to pay for Spamhaus data. (a peak of 192 messages/minute and an average of 4 messages per minute were considered excessive enough for my DSL's to be blocked by Spamhaus). I would also suggest NJABL as it used to list dynamics, except it is not listing just dynamics now, and it has merged into Spamhaus as the PBL. Of course Trend are now running what was MAPS, which is another pay for service which is also useful. Regards, Mat
On Thu, 27 Sep 2007, Martin Hannigan wrote:
They randomize the name on the subject line. Is this any particular virus/malware/zombie signature
Nothing particularly new. The Bots have been pumping this one out for at least a month, although the subject line has a few variations besides just changing the name. I guess they just finally got around to you.
and any suggestion on how to defend against it besides what I'm already doing (which is all of the obvious, rbls, spam appliances, hot cocoa, etc.)?
See all the previous mail threads about ISPs not doing anything :-) Stop the bots on your networks; work with people to stop the bots on other networks; work with law enforcement to put the criminals in prison. In the mean time, continue to spend on resources to mail servers, security appliances, and more blacklists.
participants (7)
-
Ken Simpson
-
Martin Hannigan
-
Matthew Sullivan
-
Raymond L. Corbin
-
Roland Dobbins
-
Sean Donelan
-
Tony Finch