Len Conrad wrote:
My position is that they aren't trying to discover your existing addresses for harvesting to a spammers database, but just to get ANY mail delivered to your domain.

I'm quite sure that these are not specifically 'dictionary attacks', but instead, just simply spam floods.  These guys will attack a gateway for an indefinite period of time with their army of bots regardless of whether or not the gateway accepts all addresses to a particular domain, or none.  For a dictionary attack to expose the addresses, it needs to have rejections, and with none, the dictionary attack is pointless.

The spammers doing this, limited to just two people/groups that send more than about 200 addresses (more like 100,000+ addresses), have large armies of bots numbering in the tens of thousands.  They will hit a server with a single IP for only about 30 seconds before switching to a new bot and continuing the attack.

Because keeping track of this data is difficult in such a distributed environment, and because they don't stop attacking, but instead recycle through the list of addresses, it's my belief that these attacks have more to do with the following:
1) Using NDRs for relaying spam content.  The From domains change as frequently as the IP addresses, so if content is being bounced, it will be bounced to thousands of domains.  Some From addresses are being randomized, but others are using real addresses forged to the spam.  They also have a preference not to attack the highest MX priority, probably because lower MX priorities (higher numbers) are more likely to not do address validation, and therefore result in a bounce when the message gets relayed to the primary server.

2) These guys doing this have so many bots at their disposal that they don't really care if they pound a server to death that only has 1 address.  I've definitely noticed the number of my domains that are subject to this sort of attack has been growing steadily.

3) The guys doing this are psychopaths, and causing damage to servers and wasting the time of administrators while sending content that disturbs most every recipient gives them a sense of achievement.  This is much the same mindset as that perceived as being possessed by many virus writers.

Matt
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
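
As an added example (not part of the original message and not Declude or MailPure code), here is one way to check SMTP log records for the pattern described above: many sources each active for about 30 seconds, mostly unknown recipients, and rotating From domains that would receive NDRs if the mail were accepted and bounced later. The record layout, addresses, and thresholds are constructed assumptions.

```python
from collections import defaultdict

BURST_SECONDS = 30  # per-IP activity window reported in the message above

def sample_events():
    """Constructed records: (time_s, client_ip, mail_from, rcpt_to)."""
    events = []
    for bot in range(6):                      # six short-lived sources
        for i in range(5):
            t = bot * 30 + i * 5              # each source is active for 20 s
            events.append((t, f"192.0.2.{bot + 10}",
                           f"user{i}@forged{bot}-{i}.example",
                           f"guess{bot}{i}@victim.example"))
    for t in (0, 900, 1800):                  # one ordinary long-lived sender
        events.append((t, "198.51.100.7", "bob@partner.example",
                       "sales@victim.example"))
    return events

def summarize(events, valid_rcpts):
    """Per-source activity windows plus unknown-recipient and NDR exposure."""
    seen = defaultdict(list)
    unknown, ndr_domains = 0, set()
    for t, ip, mail_from, rcpt in events:
        seen[ip].append(t)
        if rcpt.lower() not in valid_rcpts:
            unknown += 1
            # If this were accepted and bounced later, the NDR would go here.
            ndr_domains.add(mail_from.rsplit("@", 1)[1].lower())
    short = [ip for ip, ts in seen.items()
             if len(ts) > 1 and max(ts) - min(ts) <= BURST_SECONDS]
    return {"sources": len(seen), "short_lived": sorted(short),
            "unknown_ratio": unknown / len(events),
            "ndr_domains": ndr_domains}

def is_rotating_flood(s, min_sources=5, min_unknown=0.8):
    """Hypothetical thresholds: many burst sources, mostly unknown recipients."""
    return (len(s["short_lived"]) >= min_sources
            and s["unknown_ratio"] >= min_unknown)

if __name__ == "__main__":
    s = summarize(sample_events(), {"sales@victim.example"})
    print(s["sources"], len(s["short_lived"]), round(s["unknown_ratio"], 2),
          len(s["ndr_domains"]), is_rotating_flood(s))
```

The size of `ndr_domains` is the number of third-party domains that would receive bounces if a lower-priority MX accepted these messages without recipient validation; rejecting unknown recipients at RCPT time keeps it at zero.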

