[Mimedefang] Weekend Spam Floods ? What to do ?:(

Dave Shepherd Dave.Shepherd at vixel.com
Mon Sep 30 12:38:01 EDT 2002


I've been running Sendmail 8.12.6 with RBL checks using the mail-abuse RBL-Plus and
SpamCop lists, combined with SpamAssassin 2.41 and MIMEDefang 2.21, and I have enabled
logging for both accepted (tagged) spam and rejected spam. I've noticed a very big spam
problem.

Increasingly over the past two months, every Friday/Saturday/Sunday I log thousands
of messages in my accepted.log from what appears to be an all-out spam attack.

Following is one example of many of these attacks; every week is different!

In this example, it is the same message coming from many different IP addresses
(open relays) with different To: and From: fields, and sometimes the Subject: is
slightly modified.

The body of these messages is short (low SA score), usually with a link to an HTML
page somewhere. For example, this email contains a link to
http://www.234sj.com/directmeds/5052/

The From: address is always fake, and most of the time the To: field is not a valid
user within my domain. At one point this weekend I had 1800+ spam messages in
/var/spool/mqueue trying to return mail to user at ibm.com as undeliverable, and IBM
refusing delivery as "user known" for the return address.

The spammers must be searching for open relays all week to exploit for the weekend
attacks. When a system gets on an RBL list they quickly move to another open relay
that is unlisted.

Because the From: field is always faked differently, blacklist_from is useless :(
And because the messages have slightly modified headers I suspect that Razor
checking will not be much good.

I'm thinking of building a spam counter into MD that traps $Subject, counts the
number of times the message is sent, and auto-blacklists based on the count
being > 50.

Does anybody else have any ideas that I might consider?

Dave S.

a short part of my spam accepted.log
**********************************************
Sun Sep 29 02:42:47 2002
66.162.96.42    66.162.96.42
To: spowell at vixel.com
From: tdphgtuvd at aol.com
Subject: Quick and convenient online prescriptions
Hits: 7.3
BASE64_ENC_TEXT,CARRIAGE_RETURNS,CTYPE_JUST_HTML,REMOVE_PAGE,SPAM_PHRASE_05_08
**********************************************
Sun Sep 29 02:43:11 2002
adsl-065-081-092-098.sip.gsp.bellsouth.net      65.81.92.98
To: nb2 at vixel.com
From: uxyrgrw at aol.com
Subject: Quick and convenient online prescriptions
Hits: 7.3
BASE64_ENC_TEXT,CARRIAGE_RETURNS,CTYPE_JUST_HTML,REMOVE_PAGE,SPAM_PHRASE_05_08
**********************************************
Sun Sep 29 02:43:12 2002
dial-65-113-73-222.irtc.net     65.113.73.222
To: mstanley at vixel.com
From: ucysd at aol.com
Subject: Quick and convenient online prescriptions
Hits: 7.3
BASE64_ENC_TEXT,CARRIAGE_RETURNS,CTYPE_JUST_HTML,REMOVE_PAGE,SPAM_PHRASE_05_08
**********************************************
Sun Sep 29 02:43:17 2002
w098.z067104190.bna-tn.dsl.cnc.net      67.104.190.98
To: ewf at vixel.com
From: pxiqenn at yahoo.com
Subject: Quick and convenient online prescriptions
Hits: 8.7
BASE64_ENC_TEXT,CARRIAGE_RETURNS,CTYPE_JUST_HTML,FORGED_YAHOO_RCVD,REMOVE_PAGE,SPAM_PHRASE_05_08
**********************************************

Sunday morning I edited mimedefang-filter and performed a $Subject line match on
/Quick and convenient online/ to reject further messages and log them to
rejected.log.

rejected.log
**********************************************
Sun Sep 29 07:49:50 2002
dial-65-113-73-222.irtc.net     65.113.73.222
To: thadeus at vixel.com
From: gqmrormmt at ibm.com
Subject: Quick and convenient online prescriptions
Hits: 100 MD subject line match
**********************************************
Sun Sep 29 07:54:07 2002
66-128-171-16.du.sdnet.net      66.128.171.16
To: creston at vixel.com
From: vhkfjt at msn.com
Subject: Quick and convenient online prescriptions
Hits: 100 MD subject line match
**********************************************
Sun Sep 29 17:32:45 2002
h-66-134-237-214.LSANCA54.covad.net     66.134.237.214
To: garway at vixel.com
From: csnwhorib at yahoo.com
Subject: Quick and convenient online prescriptions
Hits: 100 MD subject line match
**********************************************
Sun Sep 29 17:33:25 2002
64-238-230-162.arpa.kmcmail.net 64.238.230.162
To: dbook at vixel.com
From: vsnqht at ibm.com
Subject: Quick and convenient online prescriptions
Hits: 100 MD subject line match
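The subject counter the poster proposes, written out as an added example by the editor; it is not MIMEDefang's code, not the poster's mimedefang-filter (which would be Perl), and the thresholds, window, the 192.0.2.x relays and the third log record are assumptions or constructed data. It parses records in the accepted.log format quoted above, normalises the Subject so the "slightly modified" variants count together, and only blacklists a subject once it has arrived from several distinct relay IPs, so a single legitimate host resending one subject is not caught. Porting this into filter_end would also need a counter store shared across MIMEDefang's worker processes (a DB file with locking, for instance), and the 1800 queued returns to ibm.com are backscatter from accepting mail for nonexistent local users and then bouncing it to forged senders; rejecting unknown recipients at RCPT time removes that regardless of any counter.

```python
"""Subject-flood counter over the accepted.log format quoted in the post.
Added example, not MIMEDefang or the poster's code: records 1-2 in SAMPLE_LOG are
copied from the post; record 3 and the 192.0.2.x addresses are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SEP_RE = re.compile(r"^\*{5,}\s*$", re.MULTILINE)   # asterisk row between records
HDR_RE = re.compile(r"^(To|From|Subject|Hits):\s*(.*)$")


def parse_accepted_log(text):
    """Parse records: timestamp, 'host<ws>ip', To:/From:/Subject:/Hits:, rule list."""
    records = []
    for chunk in SEP_RE.split(text):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if len(lines) < 3:
            continue
        rec = {"ts": datetime.strptime(lines[0], "%a %b %d %H:%M:%S %Y")}
        rec["host"], rec["ip"] = lines[1].split()[0], lines[1].split()[-1]
        for line in lines[2:]:
            m = HDR_RE.match(line)
            if m:
                rec[m.group(1).lower()] = m.group(2)
            else:
                rec["rules"] = line.split(",")   # comma-separated SpamAssassin rules
        records.append(rec)
    return records


def subject_key(subject):
    """Canonical form so 'slightly modified' subjects collapse together:
    lower-case, digits and punctuation dropped, whitespace squeezed."""
    return " ".join(re.sub(r"[^a-z ]+", " ", subject.lower()).split())


class SubjectFloodCounter:
    """Sliding-window count per subject key. A key is blacklisted once `threshold`
    copies arrive within `window` from at least `min_sources` distinct relay IPs;
    the distinct-source rule keeps one busy legitimate host from tripping it."""

    def __init__(self, threshold=50, window=timedelta(hours=6), min_sources=5):
        self.threshold, self.window, self.min_sources = threshold, window, min_sources
        self.seen = defaultdict(deque)   # key -> deque of (ts, ip) inside the window
        self.blacklist = {}              # key -> time it tripped

    def observe(self, ts, ip, subject):
        """Record one message; return True if the filter should reject it."""
        key = subject_key(subject)
        if key in self.blacklist:
            return True
        q = self.seen[key]
        q.append((ts, ip))
        while q and q[0][0] < ts - self.window:   # expire entries outside the window
            q.popleft()
        if len(q) >= self.threshold and len({src for _, src in q}) >= self.min_sources:
            self.blacklist[key] = ts
            return True
        return False


SAMPLE_LOG = """\
**********************************************
Sun Sep 29 02:42:47 2002
66.162.96.42    66.162.96.42
To: spowell at vixel.com
From: tdphgtuvd at aol.com
Subject: Quick and convenient online prescriptions
Hits: 7.3
BASE64_ENC_TEXT,CARRIAGE_RETURNS,CTYPE_JUST_HTML,REMOVE_PAGE,SPAM_PHRASE_05_08
**********************************************
Sun Sep 29 02:43:11 2002
adsl-065-081-092-098.sip.gsp.bellsouth.net      65.81.92.98
To: nb2 at vixel.com
From: uxyrgrw at aol.com
Subject: Quick and convenient online prescriptions
Hits: 7.3
BASE64_ENC_TEXT,CARRIAGE_RETURNS,CTYPE_JUST_HTML,REMOVE_PAGE,SPAM_PHRASE_05_08
**********************************************
Sun Sep 29 02:44:02 2002
constructed-relay.example.net   192.0.2.10
To: someone at vixel.com
From: qwerty at hotmail.com
Subject: QUICK and convenient online prescriptions 5052
Hits: 6.9
BASE64_ENC_TEXT,CTYPE_JUST_HTML,REMOVE_PAGE
"""


def run_demo(threshold=3, min_sources=3):
    """Replay SAMPLE_LOG, then a constructed burst of one host resending a legitimate
    subject; return per-record (ip, rejected) verdicts and the resulting blacklist."""
    counter = SubjectFloodCounter(threshold, timedelta(hours=1), min_sources)
    verdicts = [(r["ip"], counter.observe(r["ts"], r["ip"], r["subject"]))
                for r in sorted(parse_accepted_log(SAMPLE_LOG), key=lambda r: r["ts"])]
    t0 = datetime(2002, 9, 29, 3, 0, 0)
    for i in range(6):   # six copies from one relay: over threshold, under min_sources
        ts = t0 + timedelta(minutes=i)
        verdicts.append(("192.0.2.50", counter.observe(ts, "192.0.2.50", "Weekly build report")))
    return verdicts, counter.blacklist
```

With the demo thresholds the third record (the variant subject with a trailing number, from a third relay) trips the blacklist; the six "Weekly build report" copies from one host never do. In production the poster's count of 50 and a window of a few hours are the sensible starting values, and the counter must also expire blacklist entries or the list grows without bound over a weekend.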