[Mimedefang] Spammer zombie group behaviour
David F. Skoll
dfs at roaringpenguin.com
Thu Apr 22 15:07:45 EDT 2004
On Thu, 22 Apr 2004, Chris Myers wrote:
> There are groups of spam zombie systems THAT ARE COMMUNICATING
> WITH EACH OTHER to retry failed deliveries. If System A fails
> to deliver the message, then System B tries, and then System C
> tries, and so on.
I have observed this behavior also.
Some greylisted log entries, wrapped to fit and cut down a bit:
Apr 22 14:56:37 www sendmail[17579]: i3MIuZPl017579:
from=<gulukota at t-online.de>, size=435, class=0, nrcpts=1,
relay=pool-141-157-217-101.ny325.east.verizon.net [141.157.217.101]
Apr 22 14:57:07 www sendmail[17598]: i3MIusPl017598:
from=<shaw at t-online.de>, size=429, class=0, nrcpts=1,
relay=243.new-york-21rh15-16rt.ny.dial-access.att.net [12.75.158.243]
Apr 22 14:57:12 www sendmail[17608]: i3MIvBPl017608:
from=<raj at t-online.de>, size=425, class=0, nrcpts=1,
relay=CPE00400556f177-CM0080378682ba.cpe.net.cable.rogers.com
[69.194.234.155]
It's pretty clear to me that all of those boxes (cable modem
and dial-up or DSL) are coordinating delivery attempts. Luckily,
greylisting is *very* effective, because the sender and IP address
are both changing.
Regards,
David.
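Why the rotating sender/relay pairs above never get past a greylist can be shown by replaying the three quoted log entries through a minimal greylister. This is an added illustration, not code from the post or from MIMEDefang: it parses the three wrapped sendmail lines (re-joined onto one line each, with the archive's " at " turned back into "@"), keys the greylist on the textbook (sender, recipient, client IP) triplet with an assumed 5-minute delay, and uses a constructed recipient address and the year 2004, since neither appears in the log excerpt. The contrast case with a single well-behaved MTA retrying the same triplet is constructed as well.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the three wrapped sendmail entries quoted in the
# post, re-joined onto one line each. The list archive rewrote "@" as " at ".
SAMPLE_LOG = """\
Apr 22 14:56:37 www sendmail[17579]: i3MIuZPl017579: from=<gulukota at t-online.de>, size=435, class=0, nrcpts=1, relay=pool-141-157-217-101.ny325.east.verizon.net [141.157.217.101]
Apr 22 14:57:07 www sendmail[17598]: i3MIusPl017598: from=<shaw at t-online.de>, size=429, class=0, nrcpts=1, relay=243.new-york-21rh15-16rt.ny.dial-access.att.net [12.75.158.243]
Apr 22 14:57:12 www sendmail[17608]: i3MIvBPl017608: from=<raj at t-online.de>, size=425, class=0, nrcpts=1, relay=CPE00400556f177-CM0080378682ba.cpe.net.cable.rogers.com [69.194.234.155]
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>.*? relay=\S+ \[(?P<ip>[\d.]+)\]\s*$"
)

LOG_YEAR = 2004  # syslog lines carry no year; assumed from the post's date


def parse_log(text):
    """Return one dict per sendmail 'from=' line: queue id, timestamp, sender, client IP."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # other sendmail lines (to=, stat=) are not needed here
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        sender = m["sender"].replace(" at ", "@")  # undo the archive's obfuscation
        entries.append({"qid": m["qid"], "ts": ts, "sender": sender, "ip": m["ip"]})
    return entries


class Greylist:
    """Minimal greylister keyed on the classic (sender, recipient, client IP) triplet.

    A triplet seen for the first time is temp-failed (451). A retry of the same
    triplet after the delay is accepted (250). This is the textbook decision
    logic only, not MIMEDefang's implementation.
    """

    def __init__(self, delay=timedelta(minutes=5)):
        self.delay = delay
        self.first_seen = {}

    def check(self, sender, rcpt, ip, now):
        key = (sender.lower(), rcpt.lower(), ip)
        first = self.first_seen.get(key)
        if first is None:
            self.first_seen[key] = now
            return 451  # new triplet: ask the client to retry later
        if now - first < self.delay:
            return 451  # retried too early: keep waiting
        return 250  # same triplet, retried patiently: accept


def replay(log_text, rcpt="user@example.invalid"):
    """Feed the logged attempts through the greylister (recipient is constructed; not in the log)."""
    gl = Greylist()
    return [(e["qid"], e["sender"], e["ip"], gl.check(e["sender"], rcpt, e["ip"], e["ts"]))
            for e in parse_log(log_text)]


def distinct_triplets(log_text, rcpt="user@example.invalid"):
    """How many different greylist keys the coordinated attempts produced."""
    return len({(e["sender"].lower(), rcpt.lower(), e["ip"]) for e in parse_log(log_text)})


def legitimate_retry(rcpt="user@example.invalid"):
    """Contrast: one well-behaved MTA retrying the same triplet is accepted once the delay has passed."""
    gl = Greylist()
    t0 = datetime(LOG_YEAR, 4, 22, 15, 0, 0)
    first = gl.check("alice@example.invalid", rcpt, "192.0.2.10", t0)
    early = gl.check("alice@example.invalid", rcpt, "192.0.2.10", t0 + timedelta(minutes=1))
    later = gl.check("alice@example.invalid", rcpt, "192.0.2.10", t0 + timedelta(minutes=5))
    return first, early, later


if __name__ == "__main__":
    for qid, sender, ip, code in replay(SAMPLE_LOG):
        print(f"{qid} {sender:<24} {ip:<16} -> {code}")
    print("distinct triplets:", distinct_triplets(SAMPLE_LOG))
    print("legitimate retry (first, +1min, +5min):", legitimate_retry())
```

Each of the three zombie attempts arrives with a new sender and a new client IP, so each produces a fresh triplet and each is temp-failed; the group never retries with a key the greylist has already recorded. The legitimate MTA, by contrast, is accepted on its first retry after the delay. Note that the recipient is part of the key: a zombie group that also rotated recipients would fare no better, since no two attempts share a full triplet.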