[53675] in North American Network Operators' Group
Re: Weird distributed spam attack
daemon@ATHENA.MIT.EDU (Joe St Sauver)
Wed Nov 20 12:41:22 2002
Date: Wed, 20 Nov 2002 09:40:50 -0800 (PST)
From: Joe St Sauver <JOE@OREGON.UOREGON.EDU>
To: dru-nanog@redwoodsoft.com
Cc: nanog@merit.edu
X-VMS-To: IN%"dru-nanog@redwoodsoft.com"
Errors-To: owner-nanog-outgoing@merit.edu

Hi,

#Here is the kicker. I check where these are coming from, they
#are from all over the place. I check for IP address spoofing...
#not happening. No IP options or TCP options.
#
#This came from like about 300 different networks, and yes
#I don't accept source routing (IP Options).

In addition to thousands of open relays, which are bad enough in
their own right, there are also thousands of open proxy servers
which a growing number of spammers have been using to launch spam
runs lately. I suspect that's what you're seeing.

You can see some of the open proxy servers that we've seen traffic from at
http://darkwing.uoregon.edu/~joe/open-proxies-used-to-send-spam.html

If you aren't blocking traffic from open proxy servers via a DNS
blacklist, I predict that you will definitely see increasingly
aggressive spam attacks coming in from diverse locations (although
the more you look at the problem, the easier it becomes to identify
the handful of carriers who are open proxy-tolerant).

[I will also say that it would really be great if mail-abuse.org would
add an open proxy listing project to complement their RSS, DUL, and
other initiatives.]

Regards,
Joe
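
Added example, not part of the original message: a sketch of the DNS blacklist check the message recommends, applied to the connecting address at SMTP connect time. The zone name `proxies.dnsbl.example`, the function names, the reply strings and the sample records are all constructed for illustration; the lookup treats only answers inside 127.0.0.0/8 as a listing, so a lapsed or wildcarded zone does not block all mail.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Reverse the octets (IPv4) or nibbles (IPv6) and append the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def is_listed(ip, zone, resolve=system_resolver):
    """Listed means the answer is in 127.0.0.0/8; other answers are not a listing."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def connect_decision(ip, zones, resolve=system_resolver):
    """Decide at SMTP connect time; the reply text is illustrative."""
    for zone in zones:
        if is_listed(ip, zone, resolve):
            return "554 rejected: %s is listed in %s" % (ip, zone)
    return "220 accepted"

# Constructed sample data standing in for a real list, so this runs offline.
ZONE = "proxies.dnsbl.example"  # hypothetical zone name
SAMPLE_RECORDS = {
    "10.2.0.192." + ZONE: "127.0.0.2",      # listed open proxy
    "7.100.51.198." + ZONE: "203.0.113.5",  # wildcard answer from a lapsed zone
}

def stub_resolver(name):
    return SAMPLE_RECORDS.get(name)

if __name__ == "__main__":
    for peer in ("192.0.2.10", "198.51.100.7", "192.0.2.99", "2001:db8::1"):
        print(peer, "->", connect_decision(peer, [ZONE], stub_resolver))
```

In production the `resolve` argument is left at its default so lookups go to the system resolver, and `zones` holds whichever lists the site has chosen to trust.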