> Is there a legal investigation aiming to track the attackers down,
> and can we expect publishing of the investigation results?
My hunch is: this is not worth the time, resources and in the end, money... Considering that many spammers nowadays operate with skills and resources of organized crime, you'd expect them to use 3rd party addresses (infected DSL links, relays, open socks proxies, etc) to hide their identities.

> Is Cablecom the only target, or other ISPs experienced the same attacks?

No, we've seen these for quite a while now. I've come up with a sendmail hack to dynamically filter these. I intend to make the code public, but only after a bit of cleanup. It's not perfect, but here's what we currently use:

- there's a DB map written to by code I wedged into sendmail after the detection of "bad recipient" (there's code that allows for connection throttling in there already). Essentially, after a (pretty low..) number of bad recipients, the code enters the client IP into the DB map and kills the connection with a 421 error. It also adds a timeout timestamp so the entry can be automatically removed later; currently it's set to 24h.
- at a different location, before forking a new child, a check is made in the DB whether there's an entry for the incoming IP and whether that entry has expired in the meantime. If it has, it is removed. The reason for this was that I didn't want to have an external cronjob doing these tests.
- sendmail.cf reads the same DB map and checks the client IP in check_relay. If there's an entry, the connection is rejected.
- since I now had the means to automatically add and remove entries, I also added the concept of a "spambait" mailer. If mail is delivered to this mailer (use whatever means you want in your config file to accomplish that), a similar entry is made in the DB file to block the culprit IP address for 24h.
- the entry function currently has a hardwired white-list to avoid entering "important" mail servers into the DB.
What I intend to change before public distribution of the code:

- replace DB with MySQL, so the entries can be shared by multiple mail servers.
- make everything configurable by sendmail macros which is currently hardwired.

The "collateral damage" of the solution is that customers who send mail via our servers, _and_ who have badly maintained mailing lists, are sometimes blocked out as well. Some people might actually call this a feature :)

I currently have 2124 active (within 24h time span) automatically blocked IPs on this mail server.

Cheers,
Markus

--
VIA NET.WORKS (Schweiz) AG
Riedstrasse 1, CH-6343 Rotkreuz, Switzerland
Telefon: +41 41 798 2121 / Fax: +41 41 798 2122
Markus Wild, Manager Engineering, e-mail: [EMAIL PROTECTED]
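Below is an added model of the blocking logic Markus describes (it is not his sendmail code, which he has not yet published): a map of client IP to expiry timestamp, filled after too many bad recipients or a delivery to the spambait mailer, lazily expired before the next connection is handled, and consulted at check_relay time. The bad-recipient threshold, the whitelisted address and the event stream are constructed assumptions.

```python
# Added model (not Markus's sendmail code) of his post's logic: a DB map of client IP
# -> expiry, filled on too many bad recipients or spambait delivery, checked in check_relay.
BLOCK_TTL = 24 * 3600          # the post's 24h timeout
BAD_RCPT_LIMIT = 3             # "pretty low" number; exact value assumed
WHITELIST = {"192.0.2.10"}     # hardwired "important" mail servers (constructed)

class Blocker:
    def __init__(self):
        self.blocked = {}    # ip -> expiry epoch; stands in for the DB map
        self.bad_rcpts = {}  # ip -> bad-recipient count seen so far
    def block(self, ip, now):
        # entry function, also used by the "spambait" mailer; skips the whitelist
        if ip in WHITELIST:
            return False
        self.blocked[ip] = now + BLOCK_TTL
        return True

    def expire(self, now):
        # done before forking a child: drop entries whose timeout has passed
        for ip in [i for i, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]

    def check_relay(self, ip, now):
        # sendmail.cf check_relay: reject if the DB map has a live entry
        self.expire(now)
        return ip in self.blocked

    def bad_recipient(self, ip, now):
        # on "bad recipient": count; at the limit, enter the IP and 421 the session
        self.bad_rcpts[ip] = self.bad_rcpts.get(ip, 0) + 1
        if self.bad_rcpts[ip] < BAD_RCPT_LIMIT:
            return False
        self.bad_rcpts.pop(ip)
        return self.block(ip, now)

def replay(events, blocker=None):
    # replay (time, ip, event) tuples and return the action taken for each
    blocker = blocker or Blocker()
    actions = {"connect": lambda ip, t: "reject" if blocker.check_relay(ip, t) else "accept",
               "bad_rcpt": lambda ip, t: "421" if blocker.bad_recipient(ip, t) else "550",
               "spambait": lambda ip, t: "trap" if blocker.block(ip, t) else "ignored"}
    return [actions[ev](ip, t) for t, ip, ev in events]

SAMPLE = [  # constructed SMTP session events, not from the post
    (0, "198.51.100.7", "connect"), (1, "198.51.100.7", "bad_rcpt"),
    (2, "198.51.100.7", "bad_rcpt"), (3, "198.51.100.7", "bad_rcpt"),
    (5, "192.0.2.10", "bad_rcpt"), (6, "192.0.2.10", "bad_rcpt"),
    (7, "192.0.2.10", "bad_rcpt"), (8, "192.0.2.10", "connect"),
    (60, "198.51.100.7", "connect"), (100, "203.0.113.5", "spambait"),
    (101, "203.0.113.5", "connect"), (3 + BLOCK_TTL + 1, "198.51.100.7", "connect"),
]
```

Running `replay(SAMPLE)` shows the dictionary-attacking host getting a 421 on its third bad recipient and being rejected at connect until the 24h entry lapses, while the whitelisted server is never entered into the map.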
