[53667] in North American Network Operators' Group


Weird distributed spam attack

daemon@ATHENA.MIT.EDU (dru-nanog@redwoodsoft.com)
Tue Nov 19 21:43:48 2002

Date: Tue, 19 Nov 2002 18:42:54 -0800 (PST)
From: dru-nanog@redwoodsoft.com
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu



Unless I missed the posts about this, I just experienced
(and still am experiencing) a distributed spam
attack.

I have a small machine at a colo. Today I check my
inbox and there are 2000+ extra messages to
a domain I have 'zbot.net'. The messages are doing
4 letter combinations for the recipient. (abde, abdf, etc.)
The From addresses are all mybestplacetoshop@ainet.us.
I check my qmail queue -> it's at 13405 messages.
I shut down mail and remove the email from the queue.

Here is the kicker. I check where these are coming from, they
are from all over the place. I check for IP address spoofing...
not happening. No IP options or TCP options.

This came from like about 300 different networks, and yes
I don't accept source routing (IP Options).


Anyways, it happened to my machine, I stopped accepting mail
to that domain from qmail-smtpd, so I'm back to normal.
If anyone wants a tcpdump of the connection attempts
or the emails, let me know.


Dru Nelson
San Carlos, California
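
Added example, not part of the original post: one way to detect the pattern described above (one envelope sender walking short same-length recipient names at a single domain from many source networks). The record tuples, addresses, thresholds and function names are assumptions constructed for illustration and are not a qmail log format.

```python
import ipaddress
from collections import defaultdict

def sample_records():
    """Constructed (source IP, envelope sender, recipient) tuples; not a qmail log format."""
    guesses = ["abde", "abdf", "abdg", "abdh", "abdi", "abdj", "abdk", "abdl"]
    recs = [(f"10.{i}.0.5", "bulk@sender.example", f"{lp}@victim.example")
            for i, lp in enumerate(guesses)]  # every guess from a different network
    recs.append(("192.0.2.7", "alice@friend.example", "dru@victim.example"))
    recs.append(("192.0.2.7", "alice@friend.example", "postmaster@victim.example"))
    return recs

def _rank(local):
    """Position of a lowercase a-z string in base-26 enumeration order."""
    n = 0
    for ch in local:
        n = n * 26 + (ord(ch) - ord("a"))
    return n

def find_recipient_guessing(records, min_rcpts=5, min_networks=3):
    """Flag (sender, domain) pairs probing many same-length alphabetic local parts
    from many distinct IPv4 /24 source networks."""
    groups = defaultdict(lambda: {"locals": set(), "nets": set()})
    for src, sender, rcpt in records:
        local, _, domain = rcpt.rpartition("@")
        g = groups[(sender.lower(), domain.lower())]
        g["locals"].add(local.lower())
        g["nets"].add(ipaddress.ip_network(f"{src}/24", strict=False))
    findings = []
    for (sender, domain), g in groups.items():
        locs = g["locals"]
        lengths = {len(l) for l in locs}
        if len(locs) < min_rcpts or len(g["nets"]) < min_networks or len(lengths) != 1:
            continue
        if not all(l.isascii() and l.isalpha() for l in locs):
            continue
        ranks = [_rank(l) for l in locs]
        findings.append({
            "sender": sender, "domain": domain,
            "recipients": len(locs), "networks": len(g["nets"]),
            "local_len": lengths.pop(),
            # 1.0 means the guesses are consecutive in enumeration order
            "density": len(locs) / (max(ranks) - min(ranks) + 1),
        })
    return findings

if __name__ == "__main__":
    for f in find_recipient_guessing(sample_records()):
        print(f)
```

Grouping by sender and recipient domain rather than by source IP is what lets the check fire when each connection comes from a different network.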



