[Mimedefang] Re: Recent burst of greylist activity

Jeremy Mates jmates at sial.org
Mon Dec 15 00:17:06 EST 2003


* David F. Skoll <dfs at roaringpenguin.com>
> It looks like a spammer has managed to take over a whole army of
> machines to do the dirty work.

Someone is already using such systems to launch DDoS attacks and malware
against Spamhaus and SPEWS, distribute spam, run websites, and other
criminal activity:

http://www.spamhaus.org/cyberattacks/index.html

> Some sample greylist hits from today (Date, Sender, Machine):

I think these are the "Organized Distributed Spammer Attack" (ODSA)
attack method mentioned by the Greylisting page[1]; I have seen several
of them in my RSS feed of greylist activity, along with "bursty" 1-hit
greylist activity. Two notable bursts from my tables are attached in the
"one-hits" file.

Sharing the 1-hit data might make sense, though there are *so* many
different insecure sources out there (my home firewall logged 25,000 odd
unique MS-RPC probe sources over the last year) that new attacks can be
launched from... maybe a "greylist 1-hit source RBL" to feed things like
spamassassin with, for addresses that X number of different sites list as
seeing 1-hit records from?

SMTP+SPF[2] should kill these random SMTP sources off, unless providers
list their hordes of insecure systems as outgoing mail hosts for the
domains in question.

[1] - http://projects.puremagic.com/greylisting/

[2] - http://spf.pobox.com/intro.html
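The "greylist 1-hit source RBL" idea above, as an added example that is not part of the original post: each site pulls from its greylist table the source IPs whose entries were never retried (a real MTA retries, so a legitimate tuple eventually accumulates a second hit), and an address is published only once some number of distinct sites report it. The site names, table rows, IP addresses and the (sender, source_ip, hit_count) row layout are all constructed for illustration; the MIN_SITES threshold is an assumed policy, not anything the thread specifies.

```python
"""Added example, not from the original post: simulate a shared
"greylist 1-hit source" list fed by several sites' greylist tables.
All site names, rows, IPs and the row layout are constructed."""
from collections import defaultdict

MIN_SITES = 2  # assumed policy: sites that must independently report an IP

# Constructed greylist tables: site -> list of (sender, source_ip, hit_count).
# hit_count is the number of delivery attempts recorded for the tuple;
# a real MTA retries, so a legitimate tuple eventually reaches >= 2.
SITE_TABLES = {
    "site-a": [
        ("alice@example.org", "192.0.2.10", 1),
        ("bob@example.org", "192.0.2.10", 1),
        ("news@example.com", "198.51.100.5", 3),
        ("carol@example.net", "203.0.113.7", 1),
    ],
    "site-b": [
        ("dave@example.org", "192.0.2.10", 1),
        ("list@example.com", "198.51.100.5", 2),
        ("erin@example.net", "203.0.113.7", 1),
        ("frank@example.net", "203.0.113.7", 4),  # retried later: real MTA
    ],
    "site-c": [
        ("grace@example.org", "192.0.2.10", 1),
        ("heidi@example.org", "192.0.2.99", 1),
    ],
}


def one_hit_sources(rows):
    """IPs at one site whose entries were all never retried (hit_count == 1).
    An IP with any retried entry is excluded: it behaves like a real MTA
    even if one of its tuples misfired."""
    max_hits = defaultdict(int)
    for _sender, ip, hits in rows:
        max_hits[ip] = max(max_hits[ip], hits)
    return {ip for ip, hits in max_hits.items() if hits == 1}


def burst_senders(rows):
    """Distinct envelope senders behind never-retried entries, per IP.
    Many senders from a single IP is the "bursty" pattern the post mentions."""
    senders = defaultdict(set)
    for sender, ip, hits in rows:
        if hits == 1:
            senders[ip].add(sender)
    return {ip: len(s) for ip, s in senders.items()}


def build_shared_list(site_tables, min_sites=MIN_SITES):
    """Aggregate per-site one-hit sources; return {ip: sorted site names}
    for IPs reported by at least min_sites distinct sites."""
    reporters = defaultdict(set)
    for site, rows in site_tables.items():
        for ip in one_hit_sources(rows):
            reporters[ip].add(site)
    return {ip: sorted(sites) for ip, sites in reporters.items()
            if len(sites) >= min_sites}


if __name__ == "__main__":
    for ip, sites in sorted(build_shared_list(SITE_TABLES).items()):
        print(f"{ip} reported by {', '.join(sites)}")
```

Requiring agreement between several sites is what keeps a single misconfigured MTA or a site's own transient failure from getting an address listed; with the constructed data only 192.0.2.10, seen once at every site and never retried anywhere, clears the threshold.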
