Hi Darryl-

We've been going through the same thing since early January - although not to the extent you're seeing it. We get 350,000 to 650,000 a day for one domain. Exactly the same pattern, though. Widely distributed IP addresses that indicate that the sender controls zombies or has placed these addresses in a "million addresses" CD.

We have quarantined the recipient domain onto a standby server, and we are collecting log files to use as evidence. I am in the process of fine-tuning the message parsing software I wrote, and I am extracting linked domain names from about 5,000 sample messages now. Hopefully, we will find a common beneficiary and be able to go after him.

I have found no good technical way to stop the attack. The positive side to this type of attack is that sending back a user-not-found error takes almost no bandwidth or server resources and prevents the actual message from being sent - all you get is a short SMTP dialog with the sender. Until you download some samples, then things really clog up.

Contact me off-list if you want to share specifics.

-Dave Doherty
Skywaves, Inc.

----- Original Message -----
From: "Darryl Koster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 5:48 PM
Subject: [Declude.JunkMail] 2,000,000 + emails today

So I have received over 2,000,000 emails today for just one domain name. It's been interesting, and I have been trying to stop this myself and am having little or no luck at all figuring out what to do.

After looking at the headers of the e-mails I have found that he/she/basturd has many, many IPs (or spoofing of IPs) at their disposal.

Any suggestions on what to do? Basically this person, nay jacka** is sending a dictionary/whatevertheywanttoputin to the company (particular domain).

Frustrated
Darryl Koster

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
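
Added example, not part of the original thread and not Dave Doherty's parsing software: one way to do the linked-domain extraction described in the reply above, in Python. The sample messages and the example.net / example.com hosts are constructed; the tally counts how many messages link to each host, so a common beneficiary stands out.

```python
import base64
import re
from collections import Counter
from email import message_from_string, policy
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)

def linked_hosts(raw_message):
    """Hostnames linked from the decoded text/* parts of one message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            body = part.get_content()  # undoes base64 / quoted-printable
        except (LookupError, UnicodeError):
            continue  # unknown charset or handler: skip the part
        for url in URL_RE.findall(body):
            try:
                host = urlsplit(url).hostname  # already lower-cased
            except ValueError:
                continue  # malformed URL, e.g. a broken IPv6 literal
            if host:
                hosts.add(host.rstrip("."))
    return hosts

def tally(messages):
    """Count, per linked host, how many messages reference it."""
    counts = Counter()
    for raw in messages:
        counts.update(linked_hosts(raw))  # a set: one vote per message
    return counts

# Constructed sample messages (not taken from the thread).
SAMPLES = [
    "From: a@example.org\nSubject: hi\n\nBuy at http://shop.example.net/a?id=1\n",
    "From: b@example.org\nContent-Type: text/html\n"
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(b'<a href="HTTP://Shop.Example.NET/b">x</a>').decode() + "\n",
    "From: c@example.org\n\nSee http://other.example.com/ and http://shop.example.net/c\n",
]

if __name__ == "__main__":
    for host, n in tally(SAMPLES).most_common():
        print(f"{n:5d}  {host}")
```

Counting messages per host rather than links per host keeps a single message stuffed with repeated links from skewing the ranking.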
