[Mimedefang] Spammer zombie group behaviour

Chris Myers chris at by-design.net
Thu Apr 22 14:57:54 EDT 2004


I recently turned on greylisting on a new MIMEDefang box and was shocked
when I ran the stats a few days later.  The system had consistently been
handling about 7000 messages per day before greylisting was turned on.
After greylisting was turned on, it was handling about 20,000 messages per day!
The amount of non-spam didn't change (2000/day), and the spam messages were
NOT being retried enough to account for a tripling of volume.

I've been scratching my head, trying to figure out how to explain the
massive jump in spam volume to a regular non-guru user.  While working on my
explanation, I spent a lot of time digging through the logs and found
something rather "interesting".  My conclusion is fairly straightforward,
and seems logical:

    There are groups of spam zombie systems THAT ARE COMMUNICATING
    WITH EACH OTHER to retry failed deliveries.  If System A fails to
    deliver the message, then System B tries, and then System C tries,
    and so on.  This may be an attempt to get around DNS blacklists.

"That's Scary!  Why Do You Think That?"

I've got the system doing greylisting after the DATA phase of a message, so
the message subject is available and I'm currently logging it just because
it's there.  When I go through those logs, I keep seeing a difference in the
pre-greylisting/post-greylisting behaviour that really stands out:

    Over the course of several minutes, I'll see multiple systems try to
    deliver spam messages with very similar subjects.  The subjects tend
    to be a bit different, but cover the same topic... so it's probably
    a hash-busting attack.

Timestamp            Disposition  Relay IP         Subject
2004-04-21 01:20:34  greylisted   69.158.97.248    vicodin pain killers now online
2004-04-21 01:20:39  greylisted   219.159.216.121  v.icodin pain killers now online
2004-04-21 01:20:57  greylisted   82.217.160.121   Wholesale Prices on Vicodin
2004-04-21 01:21:04  greylisted   211.209.172.85   Purchase V.icodin Online Easily Today

and

Timestamp            Disposition  Relay IP         Subject
2004-04-21 16:05:52  greylisted   63.203.78.0      Lust
2004-04-21 16:06:14  greylisted   139.55.57.199    Lust

The number of systems in a group varies; I've seen as many as 14 that may be
related.  The Message-ID of these messages is always in the same format (12
hex digits, "$", 8 hex digits, "$", 8 hex digits, "@", DNS name of sending
host), supporting my conclusion that the systems are related.

Greylisting is currently effective against these folks, since they try once
per system.  However, it's pretty clear that greylisting is also actually
increasing the amount of bandwidth consumed by spammers since each "message"
is now being transmitted multiple times.  That wouldn't be a problem with
greylisting after the RCPT TO command, but too many folks use nasty Novell
Groupwise for me to get away with that.

I don't have a way to get my hands on one of the compromised systems, so I
don't know how they're communicating (I can speculate of course...), but it
seems pretty clear to me that they ARE communicating.  All of this is
predictable, in a fashion: we all know that attacks of all kinds are getting
more sophisticated, but it's still scary to think that the spammers now have
delivery engines that do operate as a coordinated, organized group.

"So What's Your Point?"

Well, at this time I just want to see if anyone else has observed this
behaviour.  It leads to all sorts of questions about what the next step in
the spam war is going to be, since we're seeing some of the enemy's more
advanced tactics.

I've never seen anyone else mention seeing this, so I'm wondering IF anyone
else HAS seen this.  It can easily enough be buried in a huge mass of data
and dismissed as "an increase in the volume of spam".  I never would have
noticed it myself if I didn't see the before-and-after numbers with
greylisting on a box and feel a need to explain them!

Chris Myers
Networks By Design
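As an added example (not part of Chris's post or of MIMEDefang), a small Python script that applies the pattern described above to constructed log lines in the same column layout: it groups greylisted deliveries from distinct relay IPs whose subjects share a word within a short window, normalising the hash-busting punctuation ("v.icodin") first, and checks a Message-ID against the 12-hex/"$"/8-hex/"$"/8-hex shape the post describes. The log text, the 5-minute window and the 192.0.2.10 control entry are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the column layout of the post
# (timestamp, disposition, relay IP, subject); the last line is a
# constructed non-spam control entry outside the window.
LOG = """\
2004-04-21 01:20:34  greylisted  69.158.97.248    vicodin pain killers now online
2004-04-21 01:20:39  greylisted  219.159.216.121  v.icodin pain killers now online
2004-04-21 01:20:57  greylisted  82.217.160.121   Wholesale Prices on Vicodin
2004-04-21 01:21:04  greylisted  211.209.172.85   Purchase V.icodin Online Easily Today
2004-04-21 01:40:00  greylisted  192.0.2.10       Meeting notes for Thursday
"""

LINE_RE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# Message-ID shape from the post: 12 hex, "$", 8 hex, "$", 8 hex, "@", host
MSGID_RE = re.compile(r"^<?[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}@[\w.-]+>?$", re.I)

def parse(log):
    """Turn log lines into (timestamp, disposition, relay_ip, subject) tuples."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            rows.append((ts, m.group(2), m.group(3), m.group(4)))
    return rows

def tokens(subject):
    # Drop hash-busting punctuation ("v.icodin" -> "vicodin"), then split
    return {w for w in re.sub(r"[^\w\s]", "", subject.lower()).split() if len(w) > 2}

def find_groups(rows, window=timedelta(minutes=5), min_hosts=2):
    """Greedily cluster greylisted deliveries from distinct relays that share
    a subject word within `window` of the cluster's first message."""
    groups = []
    for ts, disp, ip, subj in sorted(rows):
        if disp != "greylisted":
            continue
        toks = tokens(subj)
        for g in groups:
            if ts - g["start"] <= window and toks & g["tokens"]:
                g["ips"].add(ip)
                g["tokens"] |= toks
                break
        else:
            groups.append({"start": ts, "ips": {ip}, "tokens": toks})
    return [sorted(g["ips"]) for g in groups if len(g["ips"]) >= min_hosts]

def looks_like_zombie_msgid(msgid):
    """True if the Message-ID matches the format the post attributes to the group."""
    return bool(MSGID_RE.match(msgid.strip()))
```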