[53669] in North American Network Operators' Group
Re: Weird distributed spam attack
daemon@ATHENA.MIT.EDU (Mike Lewinski)
Wed Nov 20 03:12:35 2002
Date: Wed, 20 Nov 2002 01:11:38 -0700
From: Mike Lewinski <mike@rockynet.com>
To: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.40.0211191840510.12030-100000@pacman.redwoodsoft.com>
Errors-To: owner-nanog-outgoing@merit.edu
dru-nanog@redwoodsoft.com wrote:
>
> Unless I missed the posts about this... I just experienced
> (and still am experiencing) a distributed spam
> attack.
We get these almost continually... It is incredibly depressing to look
at the logs. The backup-only MX here sees upwards of 10K messages on bad
days, mostly attacks of that type.
Some of the domains chosen for the attack are ridiculous (are 4 valid
addresses really worth that effort?).
I have come to the conclusion that distributed dictionary attacks will
eventually get the goods. Sure you can reject by pattern match on
ainet.us for this case, but that's not going to help when someone with a
large network of spambots sets up a job that:
1) uses completely random from addresses, subject lines and message content
2) uses an attack algorithm to distribute the load so you only see any
given source IP every other day
I suspect that this type of attack is currently ongoing, underneath the
obvious noise of the cruder tools. The only solution I see for the
service provider is to recommend their subscribers choose long,
complicated usernames not likely to be found in a dictionary.
If anyone has better thoughts as to defense for the above scenario, I
would love to hear it. I used to believe that running a catchall alias
was an effective deterrent until the b*st*rds started sending complete
spams and not just RCPT TO. The only alternative I see is a blacklist
populated by some type of distributed detection system... if enough of
us under attack contributed 550 unknown user logs, there should be an
easily definable threshold for human error.
Mike
--
With all the spam I get, maybe mlewinski isn't such a bad idea for
username after all.
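The pooled-detection idea at the end of the message, as an added example that is not code from the original post: several cooperating sites contribute their Postfix-style "550 ... User unknown" rejection lines, the lines are merged by source IP over a multi-day window, and any IP that has probed more distinct non-existent recipients than a human typo would plausibly produce is blacklisted. The point of pooling is the second attack property in the message: an IP that sends only two bad RCPT TOs to each site stays under any single site's threshold, but the merged view exposes it. The log lines, hostnames, IP addresses, reference time and the threshold of five distinct unknown recipients are all constructed for the illustration.

```python
"""Pooled detection of SMTP dictionary attacks from '550 User unknown' logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not logs from the original post). Three cooperating
# MX hosts contribute their Postfix-style rejection lines. 192.0.2.10 probes
# each site only twice (looks like a typo at every single site), 198.51.100.7
# is a genuine typo, and 203.0.113.5 is a crude tool hammering one site.
_DICT = ["adam", "alan", "alex", "amy", "andy", "anna"]
SAMPLE_LOGS = {
    "mx1.example.net": [
        "Nov 18 02:10:01 mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.net>: Recipient address rejected: User unknown; from=<a@spam.invalid> to=<aaron@example.net>",
        "Nov 18 02:10:02 mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.net>: Recipient address rejected: User unknown; from=<a@spam.invalid> to=<abby@example.net>",
        "Nov 19 09:30:00 mx1 postfix/smtpd[520]: NOQUEUE: reject: RCPT from mail.partner.invalid[198.51.100.7]: 550 5.1.1 <mke@example.net>: Recipient address rejected: User unknown; from=<bob@partner.invalid> to=<mke@example.net>",
        "Nov 19 09:31:10 mx1 postfix/smtpd[520]: NOQUEUE: reject: RCPT from mail.partner.invalid[198.51.100.7]: 550 5.1.1 <mikee@example.net>: Recipient address rejected: User unknown; from=<bob@partner.invalid> to=<mikee@example.net>",
    ],
    "mx2.example.org": [
        "Nov 19 14:00:05 mx2 postfix/smtpd[902]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown; from=<q@spam.invalid> to=<aaron@example.org>",
        "Nov 19 14:00:06 mx2 postfix/smtpd[902]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown; from=<q@spam.invalid> to=<abby@example.org>",
    ],
    "mx3.example.com": [
        "Nov 20 01:00:00 mx3 postfix/smtpd[77]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown; from=<z@spam.invalid> to=<aaron@example.com>",
        "Nov 20 01:00:01 mx3 postfix/smtpd[77]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown; from=<z@spam.invalid> to=<abby@example.com>",
    ] + [
        f"Nov 20 03:00:{i:02d} mx3 postfix/smtpd[78]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <{n}@example.com>: Recipient address rejected: User unknown; from=<r@spam.invalid> to=<{n}@example.com>"
        for i, n in enumerate(_DICT)
    ],
}

# Syslog timestamp, client IP in brackets, and the rejected recipient.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"550 [\d.]+ <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def parse_line(line, year=2002):
    """Return (timestamp, source_ip, recipient) or None for non-matching lines.

    Syslog lines carry no year, so one is assumed (2002 for the sample)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["ip"], m["rcpt"].lower()


def pool(logs, window, now, year=2002):
    """Merge every site's rejections inside the window, keyed by source IP."""
    stats = defaultdict(lambda: {"rcpts": set(), "sites": set(), "count": 0})
    for site, lines in logs.items():
        for line in lines:
            parsed = parse_line(line, year)
            if parsed is None:
                continue
            ts, ip, rcpt = parsed
            if now - ts > window:
                continue  # older than the window; a bot that rotates slowly still lands inside it
            s = stats[ip]
            s["rcpts"].add(rcpt)
            s["sites"].add(site)
            s["count"] += 1
    return dict(stats)


def blacklist(logs, distinct_threshold=5, window_days=7, now=None):
    """IPs that probed at least `distinct_threshold` distinct unknown recipients.

    Counting distinct recipients rather than raw rejections is what separates
    human error (one or two mistyped addresses, often retried) from a
    dictionary walk (many different local parts, each tried once)."""
    now = now or datetime(2002, 11, 20, 12, 0, 0)  # assumed reference time for the sample
    stats = pool(logs, timedelta(days=window_days), now)
    return {ip for ip, s in stats.items() if len(s["rcpts"]) >= distinct_threshold}


if __name__ == "__main__":
    for ip in sorted(blacklist(SAMPLE_LOGS)):
        print("blacklist", ip)
    print("mx1 alone flags:", blacklist({"mx1.example.net": SAMPLE_LOGS["mx1.example.net"]}))
```

Run stand-alone it flags 192.0.2.10 and 203.0.113.5 from the pooled logs, while mx1's own logs alone flag nothing, which is exactly the gap the message describes. The distinct-recipient count is the knob to tune against a site's real typo rate; a site with a catchall alias contributes nothing useful here, since it never emits the 550 in the first place.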