Dave,

I've noticed that on my box with only about 60 domains, there are several distributed dictionary attacks every day.  They seem to be controlled from a central location because the order is roughly the same across the different IP addresses they use.  Mine have been spaced out and fairly low in volume, and I've seen them do this to domains with only one account.  These attacks use mostly real names, although the Joe-Jobs using our domains and directed at large ISPs seemingly use more of a hacking sort of attack, trying every combination and lasting for weeks at times.  I've found that many of these attacks originate from North Korea and China, and there's a good chance that there's someone on this side of the Ocean that is typing in the commands.  #1 ROKSO spammer Alan Ralsky seems to be Asia's largest spam customer, and he enables a lot of this stuff.  I wouldn't be surprised if someone connected to him was responsible for the viruses that have been used to create spam zombies.  He certainly profits from the use of these machines.  This is also the guy that has involvement in the recent Habeas spoofing for that drug site (the payload was hosted on his IP space in China).

This stuff either comes from zombies controlled by IPs in unfriendly countries, or it comes from unfriendly countries.  Good luck serving a warrant.  It might be a better idea to look at the payloads and figure out what the connections are.  SBL probably tracks much of that stuff if you simply resolve the domain name to an IP address and look for patterns.

BTW, was this a large domain that's being attacked, or are these guys just simply stupid abusive idiots (as opposed to smart abusive idiots I guess)?

Matt


Dave Doherty wrote:
Hi, everyone-
 
I've seen dictionary attacks before, but this one is impressive!
 
I have a customer who has eight email addresses and some aliases on his single domain. We have an ongoing problem with a distributed dictionary attack against this domain, and I'm talking a serious attack here - over half a million messages a day for the last week, seemingly originating from more than 10,000 IP addresses.
 
The content is random everyday spams, with nothing in particular in common. Of course, there are many dupes, but I can find nothing that looks like a common source for this. Most of the "to" addresses are or could be names, apparently not random sequences of letters and numbers. Examples - aaronj, aaronp, aaronv, ctuck, ctucker, ctuna, etc.
 
I have placed this domain on a dedicated box that is handling it just fine by rejecting the messages with invalid user errors, and I wrote a quick little utility that parses the logs into SQL Server and tells me how many of these we're getting and where they seem to be coming from. As of 4PM today: 275,000 messages to 42,000 addresses at this domain, from 14,000 IPs.
 
I've been blocking the worst offenders in the system before they get to the mail server, but it's hardly making a dent since the worst offender in yesterday's log sent about 5,000 messages, and the top ten combined sent only about 25,000.
 
My hope is that we will figure out a common source that is spoofing all these IPs. So, how can I tell when an IP address has been spoofed? Will a packet sniffer reveal that? And will blocking the "real" IP as opposed to the "spoofed" IP work?
 
All suggestions are greatly appreciated. I understand that we all have secret stuff we do to protect our systems, so feel free to contact me off-list at [EMAIL PROTECTED] if you think that is more appropriate.
 
And my thanks to Scott Perry and Pete McNeil, who have been very helpful in combatting this already.
 
Thanks!
 
Dave Doherty
Skywaves, Inc.

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
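Dave's log-parsing utility and his question about spoofed IPs both come down to the same analysis, so here is an added example that is not part of the original thread or of any Declude/MailPure code. One point worth fixing in mind first: SMTP is a conversation over TCP, so the client address your mail server logs for a completed session is the real peer that finished the handshake (possibly a zombie, proxy or relay, but not a forged source address). Blocking that address therefore does work; the reason it "hardly makes a dent" is that the attack is spread thinly over thousands of hosts. The script below parses a constructed reject log in a hypothetical format (date, time, client IP, RCPT TO, SMTP code), then computes the figures that separate a distributed dictionary attack from ordinary abuse: how much of the volume the top N IPs account for, whether each probed name is tried exactly once (a wordlist walk), and whether each IP's probes arrive in alphabetical order, which is the "same order across different IP addresses" pattern Matt mentions. The log format, domain and thresholds are assumptions.

```python
"""Characterise a distributed dictionary attack from SMTP RCPT reject logs.

Added example; the log format, domain, IPs and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample data (not from the original post). A short probe list in
# alphabetical order is dealt round-robin to a few sending IPs, the pattern the
# thread describes: many IPs, each sending a slice of one ordered wordlist.
# The real attack in the post involved thousands of IPs.
PROBE_NAMES = ["aaronj", "aaronp", "aaronv", "adamb", "adamk", "bbrown",
               "bcarter", "ctuck", "ctucker", "ctuna", "dsmith", "dstone"]
ATTACK_IPS = ["203.0.113.7", "198.51.100.22", "192.0.2.140", "203.0.113.91"]
TARGET_DOMAIN = "example.com"  # hypothetical attacked domain


def build_sample_log():
    """Return constructed log text in a hypothetical format:
    '<date> <time> <client-ip> RCPT TO:<addr> <smtp-code> <text>'."""
    lines = []
    for i, name in enumerate(PROBE_NAMES):
        ip = ATTACK_IPS[i % len(ATTACK_IPS)]
        lines.append(f"2004-02-10 15:59:{i:02d} {ip} RCPT TO:<{name}@{TARGET_DOMAIN}> 550 unknown user")
    # A little legitimate traffic to a real mailbox, accepted with 250.
    lines.append(f"2004-02-10 16:00:00 192.0.2.10 RCPT TO:<sales@{TARGET_DOMAIN}> 250 ok")
    lines.append(f"2004-02-10 16:00:05 192.0.2.10 RCPT TO:<sales@{TARGET_DOMAIN}> 250 ok")
    return "\n".join(lines)


LINE_RE = re.compile(
    r"^\S+ \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) RCPT TO:<(?P<local>[^@>]+)@(?P<domain>[^>]+)> (?P<code>\d{3})"
)


def parse_log(text):
    """Parse log text into (ip, localpart, domain, code) tuples, keeping log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ip"], m["local"].lower(), m["domain"].lower(), int(m["code"])))
    return events


def rejected_for(events, domain):
    """Only the 550 'unknown user' rejects against the domain of interest."""
    return [e for e in events if e[2] == domain and e[3] == 550]


def summarize(events, domain, top_n=10):
    """Counts that distinguish a distributed dictionary attack from ordinary abuse."""
    rejects = rejected_for(events, domain)
    total = len(rejects)
    per_ip = Counter(ip for ip, _, _, _ in rejects)
    per_rcpt = Counter(local for _, local, _, _ in rejects)
    top = per_ip.most_common(top_n)
    return {
        "rejects": total,
        "unique_ips": len(per_ip),
        "unique_recipients": len(per_rcpt),
        # Share of rejects removed by blocking only the top N IPs; small means
        # per-IP blocking will not make a dent.
        "top_n_share": (sum(c for _, c in top) / total) if total else 0.0,
        # Fraction of probed names tried exactly once; near 1.0 means a wordlist
        # walk rather than repeated delivery attempts to a few addresses.
        "single_try_fraction": (sum(1 for c in per_rcpt.values() if c == 1) / len(per_rcpt)) if per_rcpt else 0.0,
    }


def ordered_fraction(events, domain):
    """Per IP, the fraction of consecutive probes in non-decreasing alphabetical
    order. Values near 1.0 across many IPs suggest one controller dealing out a
    sorted list, rather than independent hosts each guessing on their own."""
    seq = defaultdict(list)
    for ip, local, _, _ in rejected_for(events, domain):
        seq[ip].append(local)
    out = {}
    for ip, names in seq.items():
        pairs = list(zip(names, names[1:]))
        out[ip] = (sum(1 for a, b in pairs if a <= b) / len(pairs)) if pairs else 1.0
    return out


def looks_distributed_dictionary(summary, min_ips=3, max_top_share=0.6, min_single=0.8):
    """Heuristic verdict; thresholds are assumptions to tune against real logs."""
    return (summary["unique_ips"] >= min_ips
            and summary["top_n_share"] <= max_top_share
            and summary["single_try_fraction"] >= min_single)


if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    s = summarize(ev, TARGET_DOMAIN, top_n=2)
    print(s)
    print(ordered_fraction(ev, TARGET_DOMAIN))
    print("distributed dictionary attack:", looks_distributed_dictionary(s))
```

On real logs the interesting outputs are the top-N share (Dave's figures, 25,000 of 275,000 from the top ten, give about 0.09) and the per-IP ordering fraction; when both point the same way, the practical defence is what Dave already did: keep rejecting unknown users cheaply at RCPT time on a box sized for it, rather than chasing individual addresses.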
