Raimo Niskanen <[EMAIL PROTECTED]> writes:
> Apparently we (our mail server) got targeted by a zombie network
> since suddenly there were some 30000 hosts on spamd's whitelist,
> continuously some 600 connections to spamd, and only mails to
> unknown users coming in. The network connection was flooded,
> the web server sluggish, downloads creeped, basically
> nothing worked.
To me this sounds very much like when we got hit by serious amounts of
backscatter. That is, the messages we kept seeing were bounces for
spam messages intended for non-existent users elsewhere, so the server
at the other end was likely a real one, only with deficient spam
countermeasures.
I think anyway you want to do some greytrapping, either the empirical
approach[1] or Bob Beck's Greyscanner script[2], depending on how much
you crave 'getting a feel for the data'. They keep trying, but they
really don't bother us much anymore, and the addresses I've collected
at [3] keep turning up in my spamd logs.
Anyway, this is not in any way cruel. These are not cute little furry
animals we're talking about, but humans, grown-ups who should know better.
The fact that they're bouncing spam back means that they were probably
about to deliver spam to their existing users too, and that is for the
most part avoidable.
[1] see my ramblings about the fun to be had with greytrapping starting at
http://bsdly.blogspot.com/2007/07/hey-spammer-heres-list-for-you.html
- also the subject of an upcoming BSD Magazine article
[2] http://www.ualberta.ca/~beck/nycbug06/scripts/greyscanner.41
[3] http://www.bsdly.net/~peter/traplist.shtml
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.