I've seen dictionary attacks before, but this one is impressive!
I have a customer who has eight email addresses and some aliases on his single domain. We have an ongoing problem with a distributed dictionary attack against this domain, and I'm talking a serious attack here - over half a million messages a day for the last week, seemingly originating from more than 10,000 IP addresses.
Another possibility is that this isn't a dictionary attack -- but instead, the "nobody" alias was enabled in the past at a time that a dictionary attack occurred, and the spammer was dumb (surprise!) and thought that all the addresses existed. If that is the case, now they are just sending spam to the addresses they think are valid. It would also account for the huge number of IPs sending the spam -- it is quite common for the organized spammers to do that.
My hope is that we will figure out a common source that is spoofing all these IPs. So, how can I tell when an IP address has been spoofed? Will a packet sniffer reveal that? And will blocking the "real" IP as opposed to the "spoofed" IP work?
It would be nice if it were that easy. Unfortunately (fortunately?), spoofed IPs are extremely rare. What that means is that these are probably compromised servers sending the spam, and therefore they have the spammer's program on them. The spammer doesn't want you knowing his IP, so it isn't available anywhere.
What surprises me is that law enforcement agencies haven't gone after perhaps a few dozen compromised servers, run a packet sniffer, and checked to see what IP(s) are controlling the compromised servers.
-Scott
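An added example, not from this thread or from Declude, that turns the two hypotheses above into a check over mail-log lines: a dictionary attack keeps guessing new local parts that mostly bounce, while replay of a harvested list repeats the same few addresses from many sending IPs. The "client_ip recipient status" log format, the addresses and the IPs are all constructed for illustration.

```python
import re
from collections import Counter

LINE_RE = re.compile(r"^(\S+) (\S+) (accepted|unknown_user)$")

# Constructed sample logs in a hypothetical "client_ip recipient status" format,
# not a real mail server log. Addresses and IPs are made up (RFC 5737 ranges).
DICTIONARY_LOG = """\
198.51.100.7 qzx81@example.com unknown_user
198.51.100.7 mmt04@example.com unknown_user
203.0.113.22 ptk77@example.com unknown_user
203.0.113.22 alice@example.com accepted
192.0.2.140 rlw19@example.com unknown_user
192.0.2.141 bjk55@example.com unknown_user
"""
REPLAY_LOG = """\
198.51.100.7 alice@example.com accepted
198.51.100.7 nobody@example.com unknown_user
203.0.113.22 alice@example.com accepted
203.0.113.22 bob@example.com accepted
192.0.2.140 bob@example.com accepted
192.0.2.141 nobody@example.com unknown_user
192.0.2.142 alice@example.com accepted
"""

def analyze(log: str) -> dict:
    """Summarise a mail flood by sender diversity and recipient novelty."""
    ips, rcpts = set(), Counter()
    total = unknown = 0
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ip, rcpt, status = m.groups()
        total += 1
        ips.add(ip)
        rcpts[rcpt.lower()] += 1
        if status == "unknown_user":
            unknown += 1
    if total == 0:
        return {"total": 0, "verdict": "no data"}
    unknown_ratio = unknown / total
    # Share of recipient addresses seen exactly once: guessing produces
    # ever-new local parts, a replayed list keeps hitting the same ones.
    singleton_ratio = sum(1 for c in rcpts.values() if c == 1) / len(rcpts)
    if unknown_ratio >= 0.5 and singleton_ratio >= 0.5:
        verdict = "dictionary attack"
    elif unknown_ratio < 0.5 and singleton_ratio < 0.5:
        verdict = "replay of a fixed address list"
    else:
        verdict = "inconclusive"
    return {"total": total, "unique_ips": len(ips), "unique_rcpts": len(rcpts),
            "unknown_ratio": round(unknown_ratio, 2),
            "singleton_ratio": round(singleton_ratio, 2), "verdict": verdict}
```

The thresholds are illustrative; on a real server the unknown-recipient rejections and the recipient list are what to extract from the actual log format before applying the same two ratios.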
This E-mail came from the Declude.JunkMail mailing list. The archives can be found at http://www.mail-archive.com.
