Hi, everyone-
 
I've seen dictionary attacks before, but this one is impressive!
 
I have a customer who has eight email addresses and some aliases on his single domain. We have an ongoing problem with a distributed dictionary attack against this domain, and I'm talking a serious attack here - over half a million messages a day for the last week, seemingly originating from more than 10,000 IP addresses.
 
The content is random everyday spams, with nothing in particular in common. Of course, there are many dupes, but I can find nothing that looks like a common source for this. Most of the "to" addresses are or could be names, apparently not random sequences of letters and numbers. Examples - aaronj, aaronp, aaronv, ctuck, ctucker, ctuna, etc.
 
I have placed this domain on a dedicated box that is handling it just fine by rejecting the messages with invalid user errors, and I wrote a quick little utility that parses the logs into SQL Server and tells me how many of these we're getting and where they seem to be coming from. As of 4PM today: 275,000 messages to 42,000 addresses at this domain, from 14,000 IPs.
 
I've been blocking the worst offenders in the system before they get to the mail server, but it's hardly making a dent since the worst offender in yesterday's log sent about 5,000 messages, and the top ten combined sent only about 25,000.
 
My hope is that we will figure out a common source that is spoofing all these IPs. So, how can I tell when an IP address has been spoofed? Will a packet sniffer reveal that? And will blocking the "real" IP as opposed to the "spoofed" IP work?
 
All suggestions are greatly appreciated. I understand that we all have secret stuff we do to protect our systems, so feel free to contact me off-list at [EMAIL PROTECTED] if you think that is more appropriate.
 
And my thanks to Scott Perry and Pete McNeil, who have been very helpful in combatting this already.
 
Thanks!
 
Dave Doherty
Skywaves, Inc.
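As an added illustration of the log-counting utility Dave describes (example code written for this thread, not his SQL Server tool), the script below parses constructed Postfix-style "User unknown" reject lines and reproduces the figures he reports: messages, distinct recipients, distinct source IPs, the worst offender, and how little blocking the top ten IPs would buy. The log line format, the IPs and the local-parts are all constructed for the example.

```python
import re
from collections import Counter

# Constructed (source IP, recipient local-part) pairs standing in for one day's
# rejected RCPT commands; the Postfix-style line format below is an assumption.
SAMPLE_REJECTS = [
    ("203.0.113.4", "ctuck"), ("203.0.113.4", "ctucker"), ("203.0.113.4", "ctully"),
    ("198.51.100.7", "aaronj"), ("198.51.100.8", "aaronp"), ("198.51.100.9", "aaronv"),
    ("198.51.100.10", "ctuna"), ("198.51.100.11", "dbrown"), ("198.51.100.12", "dbrowne"),
    ("198.51.100.13", "ebell"), ("198.51.100.14", "ebella"), ("198.51.100.15", "fgomez"),
]
LINE_FMT = ("Jun 12 16:00:{sec:02d} mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from "
            "unknown[{ip}]: 550 5.1.1 <{local}@example.com>: Recipient address "
            "rejected: User unknown; from=<spammer@example.net>")
SAMPLE_LOG = "\n".join(LINE_FMT.format(sec=i, ip=ip, local=local)
                       for i, (ip, local) in enumerate(SAMPLE_REJECTS))

# Source IP in brackets, 550 status, then <local@domain> of the rejected recipient.
LINE_RE = re.compile(r"RCPT from \S*?\[(\d{1,3}(?:\.\d{1,3}){3})\]: 550 \S+ <([^@>]+)@([^>]+)>")

def parse_rejects(log, domain):
    """Return (source_ip, local_part) for every 550 reject aimed at `domain`."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3).lower() == domain:
            hits.append((m.group(1), m.group(2).lower()))
    return hits

def summarize(hits, top_n=10):
    """Daily totals in the shape of the poster's report, plus the top-N volume."""
    per_ip = Counter(ip for ip, _ in hits)
    top = per_ip.most_common(top_n)
    return {
        "messages": len(hits),
        "recipients": len({local for _, local in hits}),
        "ips": len(per_ip),
        "worst_offender": top[0][1] if top else 0,
        "top_n_messages": sum(n for _, n in top),
    }

def blocking_payoff(hits, top_n):
    """Fraction of the day's messages removed by blocking the top_n source IPs."""
    if not hits:
        return 0.0
    per_ip = Counter(ip for ip, _ in hits)
    return sum(n for _, n in per_ip.most_common(top_n)) / len(hits)

def prefix_clusters(hits, width=3):
    """Recipient local-parts grouped by their first `width` letters: a dictionary
    run shows up as clusters of near-identical names (aaronj/aaronp/aaronv)."""
    return Counter(local[:width] for _, local in hits)
```

With the real volumes quoted in the post (top offender about 5,000 of 275,000 messages) `blocking_payoff` makes the "hardly making a dent" observation quantitative before any blocklist is touched.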
