[Mimedefang] Strange activity

John Scully jscully at isupportisp.com
Thu Jan 5 10:26:59 EST 2006


I have seen this on occasion.  It appears to be a bad spam-bot, i.e. a
group of infected PCs supposed to be blasting you with spam were
incorrectly programmed/instructed and are instead doing what you described.

My evidence of this is that we track spam by source IP in real time,
tracking average spam score, number of good vs bad recipients etc., and block
the sending IPs in iptables in real time so they can not even connect.  If
an IP has never sent legitimate mail it gets blocked after only the fourth
bad recipient for a short time, then longer, longer etc., until we are
blocking them for days at a time.

On any given day I see 10,000 to 15,000 IPs being involved in dictionary
style attacks against us (we now have over 2,000 mail domains, so we are a
big target).  When I see the DOS style events you described it is the same
sets of IPs, and I usually see real spam start coming from them after a
while.

John
----- Original Message ----- 
From: "David F. Skoll" <dfs at roaringpenguin.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Wednesday, January 04, 2006 3:31 PM
Subject: {SPAM} [Mimedefang] Strange activity


>
> Has anyone noticed some strange activity lately?  Specifically, one of our
> customers has been hit by hundreds or thousands of machines that open SMTP
> connections to his boxes and then just sit there, leaving the connection
> idle.  This wreaks havoc by creating tons and tons of Sendmail processes.
>
> We fixed it by setting confTO_COMMAND to 3 minutes instead of the default one
> hour; we're seeing about one connection every few seconds timing out (and
> new ones coming into the start of the pipe, of course.)  This is for a
> smallish ISP.
>
> I'm wondering if it's an attack specifically on our customer, or if there's
> a DDoS botnet (or a buggy spam-sending botnet) around?
>
> Typical Sendmail log excerpt (trimmed somewhat):
>
> 15:27:32 k04KOVAD016073: timeout waiting for input from [200.193.225.54] during server cmd read
> 15:27:35 k04KOXAD016096: timeout waiting for input from adsl-153-140-231.cha.bellsouth.net during server cmd read
> 15:27:36 k04KOWAD016072: timeout waiting for input from 80.178.87.220.adsl.012.net.il during server cmd read
> 15:27:38 k04KOEAD015968: timeout waiting for input from abfh249.neoplus.adsl.tpnet.pl during server cmd read
> 15:28:00 k04KOoAD016164: timeout waiting for input from [200.55.54.94] during server cmd read
> 15:28:09 k04KP7AD016293: timeout waiting for input from 12-208-169-86.client.insightBB.com during server cmd read
> 15:28:13 k04KP5AD016263: timeout waiting for input from 213-238-114-168.adsl.inetia.pl during server cmd read
> 15:28:19 k04KPHAD016353: timeout waiting for input from f151173.upc-f.chello.nl during server cmd read
> 15:28:31 k04KPSAD016412: timeout waiting for input from 82-46-163-134.stb.ubr02.chwo.blueyonder.co.uk during server cmd read
> 15:28:31 k04KPUAD016422: timeout waiting for input from djz211.neoplus.adsl.tpnet.pl during server cmd read
> 15:28:35 k04KP1AD016270: timeout waiting for input from 200164210160.user.veloxzone.com.br during server cmd read
> 15:28:42 k04KPeAD016473: timeout waiting for input from xdsl-2217.elblag.dialog.net.pl during server cmd read
> 15:28:57 k04KPnAD016543: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
> 15:29:24 k04KQHAD016773: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
> 15:29:45 k04KQiAD016923: timeout waiting for input from 20150212040.user.veloxzone.com.br during server cmd read
> 15:29:51 k04KQoAD016953: timeout waiting for input from 82-170-159-208.dsl.ip.tiscali.nl during server cmd read
>
> Regards,
>
> David.
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID.  You may ignore it.
>
> Visit http://www.mimedefang.org and http://www.roaringpenguin.com
> MIMEDefang mailing list MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>
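As an added illustration (not code from either poster or from the MIMEDefang project), the script below applies the approach John describes to the log excerpt David quoted: it parses Sendmail "timeout waiting for input ... during server cmd read" lines, counts idle-timeout events per source host, flags sources that repeat, and models the escalating per-source block (block after the fourth offence, then for increasingly long periods). The regex, the threshold, the block durations and the iptables rule shape are assumptions; the sample lines are a subset of those in the quoted message. Nothing here touches the firewall; it only returns the decision.

```python
import re
from collections import Counter, defaultdict

# Sample input: a subset of the Sendmail lines quoted in the thread above.
SAMPLE_LOG = """\
15:27:32 k04KOVAD016073: timeout waiting for input from [200.193.225.54] during server cmd read
15:27:35 k04KOXAD016096: timeout waiting for input from adsl-153-140-231.cha.bellsouth.net during server cmd read
15:28:00 k04KOoAD016164: timeout waiting for input from [200.55.54.94] during server cmd read
15:28:57 k04KPnAD016543: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
15:29:24 k04KQHAD016773: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
"""

# Assumed line shape, matching the trimmed excerpt; a full syslog line would carry
# a date, hostname and "sendmail[pid]:" prefix before the queue id.
TIMEOUT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<qid>\S+): "
    r"timeout waiting for input from (?P<src>\S+) during server cmd read$"
)


def parse_timeouts(text):
    """Yield (time, queue_id, source) for each idle-timeout line; other lines are ignored."""
    for line in text.splitlines():
        m = TIMEOUT_RE.match(line.strip())
        if m:
            # Sendmail brackets bare IPs that have no reverse DNS; normalise them.
            yield m.group("time"), m.group("qid"), m.group("src").strip("[]")


def count_by_source(text):
    """Number of idle-timeout events per source host (or IP)."""
    return Counter(src for _, _, src in parse_timeouts(text))


def flag_suspect_sources(text, min_timeouts=2):
    """Sources that produced at least min_timeouts idle timeouts, sorted by name."""
    counts = count_by_source(text)
    return sorted(src for src, n in counts.items() if n >= min_timeouts)


# Escalating block schedule modelled on the reply: block after the fourth bad
# event, for a short time first, then longer each time. Durations (seconds) are assumed.
BLOCK_THRESHOLD = 4
BLOCK_SCHEDULE = [600, 3600, 86400, 3 * 86400]


class EscalatingBlocker:
    """Tracks bad events per source and decides when, and for how long, to block it."""

    def __init__(self, threshold=BLOCK_THRESHOLD, schedule=BLOCK_SCHEDULE):
        self.threshold = threshold
        self.schedule = schedule
        self.strikes = defaultdict(int)  # bad events since the last block
        self.blocks = defaultdict(int)   # how many times each source has been blocked

    def record(self, src):
        """Register one bad event; return block duration in seconds, or 0 if none is due."""
        self.strikes[src] += 1
        if self.strikes[src] < self.threshold:
            return 0
        self.strikes[src] = 0
        level = min(self.blocks[src], len(self.schedule) - 1)
        self.blocks[src] += 1
        return self.schedule[level]


def block_rule(ip):
    """The iptables rule an operator would add for a blocked IP (returned, not executed)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP"


if __name__ == "__main__":
    blocker = EscalatingBlocker(threshold=2)  # lower threshold so the sample trips it
    for _, qid, src in parse_timeouts(SAMPLE_LOG):
        secs = blocker.record(src)
        if secs:
            print(f"{qid}: {src} -> block for {secs}s: {block_rule(src)}")
    print("suspect sources:", flag_suspect_sources(SAMPLE_LOG))
```

The script reads the excerpt's shape only; on a production host you would feed it the live Sendmail log (after stripping the syslog prefix) and feed `record()` with the same "bad recipient" events John counts, keeping the timeout counts as a separate signal for the idle-connection pattern. Blocking on reverse-DNS names is unreliable, so resolve to the connecting IP before building a rule.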