We got slammed with a whole series of dictionary attacks in June (as many as 500k per day against a variety of domains). And, yes, it brought SA to its knees. Prior to the flood, we had always configured our customers' domains such that [EMAIL PROTECTED] was delivered to the customer's default address. This worked very well for the past 9 years; but we had to stop.

Pierre Thomson wrote:
One of our relays got 8500 name-guessing spams yesterday, up from an average of 2500 per 
day last week.  So far today we have seen 6600, and the day isn't half over.  If our MTA 
weren't checking recipients against our userlist, SA would be struggling to process these 
sudden "blasts" of spam.

The sending relays seem to be predominantly in Europe, and often make about a 
dozen tries in rapid succession.  Here are the relays that sent name-guessing 
spams in a 2-minute period in the last hour:

Are others seeing this?  Any plausible explanation?

Pierre Thomson
BIC
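
Added example, not part of either message above: a sketch of how the pattern Pierre describes (one relay making about a dozen tries at unknown recipients in rapid succession) can be picked out of recipient-rejection logs. The log format, the sample lines, the 550 reply code for unknown users, and the 2-minute window and threshold of 10 are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format, constructed for this example (not a real MTA's):
#   <ISO time> relay=<ip> rcpt=<address> code=<SMTP reply to RCPT TO>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) relay=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]*)> code=(?P<code>\d{3})$")

def find_name_guessers(lines, window=timedelta(minutes=2), threshold=10):
    """Return {relay_ip: peak count of distinct rejected recipients in any window}.

    Assumes each relay's lines are in time order and that the MTA answers
    unknown recipients with 550. Window and threshold are illustrative.
    """
    recent = defaultdict(deque)  # ip -> (time, recipient) rejections still in window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["code"] != "550":
            continue  # unparseable line, or recipient was accepted
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["rcpt"].lower()))
        while ts - q[0][0] > window:
            q.popleft()  # drop rejections older than the window
        # Count distinct addresses so retries to one mistyped address do not
        # look like guessing.
        peak[m["ip"]] = max(peak[m["ip"]], len({r for _, r in q}))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def build_sample():
    """Constructed sample: one guessing burst, one accepted mail, one retrying sender."""
    guesses = ["adam", "alan", "amy", "andy", "ann", "barb",
               "ben", "bill", "bob", "carl", "chris", "dan"]
    lines = [f"2024-01-01T10:00:{i * 2:02d} relay=203.0.113.7 "
             f"rcpt=<{name}@example.com> code=550" for i, name in enumerate(guesses)]
    lines.append("2024-01-01T10:00:05 relay=192.0.2.10 rcpt=<alice@example.com> code=250")
    lines += [f"2024-01-01T10:01:{i:02d} relay=198.51.100.4 "
              f"rcpt=<alcie@example.com> code=550" for i in range(11)]
    return lines

if __name__ == "__main__":
    for ip, n in find_name_guessers(build_sample()).items():
        print(f"{ip}: {n} distinct unknown recipients within 2 minutes")
```

Only the relay that tried twelve different unknown names is reported; the sender that retried a single mistyped address eleven times is not.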
