A friend found an interesting occurrence in his log files. Looking more closely, we have found at least two cases of this. Basically here is the sequence at the end of this message.
In a nutshell a not too common address got hit from one IP address, then a few seconds later from another IP address, then a few seconds later from a third IP address. The first two were blocked with a 550 because of RBL entries. The third IP address was finally accepted.

This really makes it look like spammers are building distributed spamming engines across multiple IP addresses. If a site rejects one IP address it appears to switch to an alternate source? Perhaps this is a coincidence but it seems too much to be purely random chance.

Any thoughts on this spammer tactic?

Bob

I abbreviated the mail logs for the first paragraph to try to make them more readable. But the original logs are the second paragraph for the pedants. (Yes, I obfuscated the addresses to example.com as well to avoid getting more spam to the original.) Note that this is not my site and I am making no comments upon the choice of RBLs here.

Nov 4 00:58:15 connect from unknown[218.12.92.98]
Nov 4 00:58:20 reject: 550 Service unavailable; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
Nov 4 00:58:21 lost connection after DATA from unknown[218.12.92.98]
Nov 4 00:58:24 connect from unknown[210.72.193.130]
Nov 4 00:58:32 reject: 550 Service unavailable; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
Nov 4 00:58:33 lost connection after DATA from unknown[210.72.193.130]
Nov 4 00:58:34 connect from h24-71-131-211.ok.shawcable.net[24.71.131.211]
Nov 4 00:58:36 reject: 550 Service unavailable; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
Nov 4 00:58:36 lost connection after DATA from h24-71-131-211.ok.shawcable.net[24.71.131.211]
Nov 4 00:58:38 connect from host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]
Nov 4 00:58:40 561B7171D2B: client=host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]
Nov 4 00:58:45 561B7171D2B: message-id=<[EMAIL PROTECTED]>
Nov 4 00:58:45 61B7171D2B: from=<[EMAIL PROTECTED]>, size=629, nrcpt=1 (queue active)
Nov 4 00:58:45 561B7171D2B: to=<[EMAIL PROTECTED]>, relay=local, delay=5, status=sent ("|procmail -a "$EXTENSION"")
Nov 4 00:58:48 disconnect from host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]

Below are the originals, changed to nospam.example.com.

Nov 4 00:58:15 guinness postfix/smtpd[11117]: connect from unknown[218.12.92.98]
Nov 4 00:58:19 guinness postfix/smtpd[11117]: EBF86171D2B: client=unknown[218.12.92.98]
Nov 4 00:58:20 guinness postfix/smtpd[11117]: reject: RCPT from unknown[218.12.92.98]: 550 Service unavailable; [218.12.92.98] blocked using bl.spamcop.net, reason: Blocked - see http://www.spamcop.net/bl.shtml?218.12.92.98; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
Nov 4 00:58:21 guinness postfix/smtpd[11117]: lost connection after DATA from unknown[218.12.92.98]
Nov 4 00:58:21 guinness postfix/smtpd[11117]: disconnect from unknown[218.12.92.98]
Nov 4 00:58:24 guinness postfix/smtpd[11117]: connect from unknown[210.72.193.130]
Nov 4 00:58:29 guinness postfix/smtpd[11117]: 550E1171D2B: client=unknown[210.72.193.130]
Nov 4 00:58:32 guinness postfix/smtpd[11117]: reject: RCPT from unknown[210.72.193.130]: 550 Service unavailable; [210.72.193.130] blocked using china.blackholes.us, reason: China blocked by china.blackholes.us; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
Nov 4 00:58:33 guinness postfix/smtpd[11117]: lost connection after DATA from unknown[210.72.193.130]
Nov 4 00:58:33 guinness postfix/smtpd[11117]: disconnect from unknown[210.72.193.130]
Nov 4 00:58:34 guinness postfix/smtpd[11117]: connect from h24-71-131-211.ok.shawcable.net[24.71.131.211]
Nov 4 00:58:35 guinness postfix/smtpd[11117]: B9C4D171D2B: client=h24-71-131-211.ok.shawcable.net[24.71.131.211]
Nov 4 00:58:36 guinness postfix/smtpd[11117]: reject: RCPT from h24-71-131-211.ok.shawcable.net[24.71.131.211]: 550 Service unavailable; [24.71.131.211] blocked using list.dsbl.org, reason: http://dsbl.org/listing?ip=24.71.131.211; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
Nov 4 00:58:36 guinness postfix/smtpd[11117]: lost connection after DATA from h24-71-131-211.ok.shawcable.net[24.71.131.211]
Nov 4 00:58:36 guinness postfix/smtpd[11117]: disconnect from h24-71-131-211.ok.shawcable.net[24.71.131.211]
Nov 4 00:58:38 guinness postfix/smtpd[11117]: connect from host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]
Nov 4 00:58:40 guinness postfix/smtpd[11117]: 561B7171D2B: client=host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]
Nov 4 00:58:45 guinness postfix/cleanup[11118]: 561B7171D2B: message-id=<[EMAIL PROTECTED]>
Nov 4 00:58:45 guinness postfix/qmgr[11004]: 561B7171D2B: from=<[EMAIL PROTECTED]>, size=629, nrcpt=1 (queue active)
Nov 4 00:58:45 guinness postfix/local[11119]: 561B7171D2B: to=<[EMAIL PROTECTED]>, relay=local, delay=5, status=sent ("|procmail -a "$EXTENSION"")
Nov 4 00:58:48 guinness postfix/smtpd[11117]: disconnect from host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
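One way to search a Postfix log for the pattern described in the message above, as an added example that is not part of the original post: it joins queue IDs to client IPs, then flags any recipient hit from two or more IPs in a short burst that includes an RBL reject. The function names, the 30-second window and the sample lines are assumptions, and it needs the recipient addresses to be visible in the log, unlike the obfuscated ones in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Postfix syslog format (documentation IPs, made-up queue ID).
SAMPLE_LOG = """\
Nov  4 00:58:20 mx postfix/smtpd[111]: reject: RCPT from unknown[192.0.2.10]: 550 Service unavailable; [192.0.2.10] blocked using rbl.example.org; from=<a@example.net> to=<rare@example.com>
Nov  4 00:58:32 mx postfix/smtpd[111]: reject: RCPT from unknown[198.51.100.7]: 550 Service unavailable; [198.51.100.7] blocked using rbl.example.org; from=<b@example.net> to=<rare@example.com>
Nov  4 00:58:40 mx postfix/smtpd[111]: A1B2C3D4E5F: client=host.example.net[203.0.113.5]
Nov  4 00:58:45 mx postfix/local[119]: A1B2C3D4E5F: to=<rare@example.com>, relay=local, delay=5, status=sent (delivered)
Nov  4 01:30:00 mx postfix/smtpd[112]: reject: RCPT from unknown[192.0.2.99]: 550 Service unavailable; [192.0.2.99] blocked using rbl.example.org; from=<c@example.net> to=<other@example.com>
"""

HEAD = r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/\w+\[\d+\]: "
REJECT = re.compile(HEAD + r"reject: RCPT from \S*\[([^\]]+)\]: 550 .*? to=<([^>]*)>")
CLIENT = re.compile(HEAD + r"([0-9A-F]+): client=\S*\[([^\]]+)\]")
SENT = re.compile(HEAD + r"([0-9A-F]+): to=<([^>]*)>,.*status=sent")

def _ts(text):
    # Syslog omits the year; a fixed one is assumed so intervals can be computed.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")

def parse_events(log):
    """Return sorted (time, recipient, ip, outcome), joining queue IDs to client IPs."""
    clients, events = {}, []
    for line in log.splitlines():
        if m := REJECT.match(line):
            events.append((_ts(m[1]), m[3].lower(), m[2], "reject"))
        elif m := CLIENT.match(line):
            clients[m[2]] = m[3]
        elif (m := SENT.match(line)) and m[2] in clients:
            events.append((_ts(m[1]), m[3].lower(), clients[m[2]], "accept"))
    return sorted(events)

def find_rotations(events, window=timedelta(seconds=30)):
    """Flag recipients hit from 2+ IPs in one burst that includes a reject."""
    bursts, last = [], {}  # last: recipient -> its most recent burst
    for when, rcpt, ip, outcome in events:
        burst = last.get(rcpt)
        if burst is None or when - burst[1][-1][0] > window:
            burst = last[rcpt] = (rcpt, [])
            bursts.append(burst)
        burst[1].append((when, ip, outcome))
    findings = []
    for rcpt, hits in bursts:
        ips = list(dict.fromkeys(ip for _, ip, _ in hits))
        if len(ips) >= 2 and any(o == "reject" for _, _, o in hits):
            delivered = any(o == "accept" for _, _, o in hits)
            findings.append({"rcpt": rcpt, "ips": ips, "delivered": delivered})
    return findings
```

A finding with `delivered` set to true is the case from the post: the message got through from an unlisted address after earlier sources were rejected.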