Bob Proulx writes:
>A friend found an interesting occurrence in his log files. Looking
>more closely we have found at least two cases of this. Basically here
>is the sequence at the end of this message.
>
>In a nutshell a not too common address got hit from one IP address,
>then a few seconds later from another IP address, then a few seconds
>later from a third IP address. The first two were blocked with a 550
>because of RBL entries. The third IP address was finally accepted.
>
>This really makes it look like spammers are building distributed
>spamming engines across multiple IP addresses. If a site rejects one
>IP address it appears to switch to an alternate source? Perhaps this
>is a coincidence but it seems too much to be purely random chance.

No, your interpretation seems likely; the spamware engine is using
multiple proxies, and switching between them on a 550. A good argument
for accepting all mail at the SMTP stage, then tagging or diverting
them internally.

--j.

>Any thoughts on this spammer tactic?
>
>Bob
>
>I abbreviated the mail logs for the first paragraph to try to make
>them more readable. But the original logs are the second paragraph
>for the pedants. (Yes, I obfuscated the addresses to example.com as
>well to avoid getting more spam to the original.) Note that this is
>not my site and I am making no comments upon the choice of RBLs here.
>
>Nov 4 00:58:15 connect from unknown[218.12.92.98]
>Nov 4 00:58:20 reject: 550 Service unavailable; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
>Nov 4 00:58:21 lost connection after DATA from unknown[218.12.92.98]
>Nov 4 00:58:24 connect from unknown[210.72.193.130]
>Nov 4 00:58:32 reject: 550 Service unavailable; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
>Nov 4 00:58:33 lost connection after DATA from unknown[210.72.193.130]
>Nov 4 00:58:34 connect from h24-71-131-211.ok.shawcable.net[24.71.131.211]
>Nov 4 00:58:36 reject: 550 Service unavailable; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
>Nov 4 00:58:36 lost connection after DATA from h24-71-131-211.ok.shawcable.net[24.71.131.211]
>Nov 4 00:58:38 connect from host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]
>Nov 4 00:58:40 561B7171D2B: client=host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]
>Nov 4 00:58:45 561B7171D2B: message-id=<[EMAIL PROTECTED]>
>Nov 4 00:58:45 61B7171D2B: from=<[EMAIL PROTECTED]>, size=629, nrcpt=1 (queue active)
>Nov 4 00:58:45 561B7171D2B: to=<[EMAIL PROTECTED]>, relay=local, delay=5, status=sent ("|procmail -a "$EXTENSION"")
>Nov 4 00:58:48 disconnect from host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]
>
>The below is the originals, changed to nospam.example.com.
>
>Nov 4 00:58:15 guinness postfix/smtpd[11117]: connect from unknown[218.12.92.98]
>Nov 4 00:58:19 guinness postfix/smtpd[11117]: EBF86171D2B: client=unknown[218.12.92.98]
>Nov 4 00:58:20 guinness postfix/smtpd[11117]: reject: RCPT from unknown[218.12.92.98]: 550 Service unavailable; [218.12.92.98] blocked using bl.spamcop.net, reason: Blocked - see http://www.spamcop.net/bl.shtml?218.12.92.98; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
>Nov 4 00:58:21 guinness postfix/smtpd[11117]: lost connection after DATA from unknown[218.12.92.98]
>Nov 4 00:58:21 guinness postfix/smtpd[11117]: disconnect from unknown[218.12.92.98]
>Nov 4 00:58:24 guinness postfix/smtpd[11117]: connect from unknown[210.72.193.130]
>Nov 4 00:58:29 guinness postfix/smtpd[11117]: 550E1171D2B: client=unknown[210.72.193.130]
>Nov 4 00:58:32 guinness postfix/smtpd[11117]: reject: RCPT from unknown[210.72.193.130]: 550 Service unavailable; [210.72.193.130] blocked using china.blackholes.us, reason: China blocked by china.blackholes.us; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
>Nov 4 00:58:33 guinness postfix/smtpd[11117]: lost connection after DATA from unknown[210.72.193.130]
>Nov 4 00:58:33 guinness postfix/smtpd[11117]: disconnect from unknown[210.72.193.130]
>Nov 4 00:58:34 guinness postfix/smtpd[11117]: connect from h24-71-131-211.ok.shawcable.net[24.71.131.211]
>Nov 4 00:58:35 guinness postfix/smtpd[11117]: B9C4D171D2B: client=h24-71-131-211.ok.shawcable.net[24.71.131.211]
>Nov 4 00:58:36 guinness postfix/smtpd[11117]: reject: RCPT from h24-71-131-211.ok.shawcable.net[24.71.131.211]: 550 Service unavailable; [24.71.131.211] blocked using list.dsbl.org, reason: http://dsbl.org/listing?ip=24.71.131.211; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
>Nov 4 00:58:36 guinness postfix/smtpd[11117]: lost connection after DATA from h24-71-131-211.ok.shawcable.net[24.71.131.211]
>Nov 4 00:58:36 guinness postfix/smtpd[11117]: disconnect from h24-71-131-211.ok.shawcable.net[24.71.131.211]
>Nov 4 00:58:38 guinness postfix/smtpd[11117]: connect from host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]
>Nov 4 00:58:40 guinness postfix/smtpd[11117]: 561B7171D2B: client=host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]
>Nov 4 00:58:45 guinness postfix/cleanup[11118]: 561B7171D2B: message-id=<[EMAIL PROTECTED]>
>Nov 4 00:58:45 guinness postfix/qmgr[11004]: 561B7171D2B: from=<[EMAIL PROTECTED]>, size=629, nrcpt=1 (queue active)
>Nov 4 00:58:45 guinness postfix/local[11119]: 561B7171D2B: to=<[EMAIL PROTECTED]>, relay=local, delay=5, status=sent ("|procmail -a "$EXTENSION"")
>Nov 4 00:58:48 guinness postfix/smtpd[11117]: disconnect from host81-128-8-115.in-addr.btopenworld.com[81.128.8.115]
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by: SF.net Giveback Program.
>Does SourceForge.net help you be more productive? Does it
>help you create better code? SHARE THE LOVE, and help us help
>YOU! Click Here: http://sourceforge.net/donate/
>_______________________________________________
>Spamassassin-talk mailing list
>[EMAIL PROTECTED]
>https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
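
Added example, not part of the original thread: one way to search Postfix logs for the pattern discussed above, where a recipient is refused with a 550 from several client IPs and then accepts mail from a different IP seconds later. The function names, the 60-second window, the two-IP threshold, the year constant and the sample log lines (documentation IP ranges, example.com addresses) are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2000  # assumption: syslog timestamps carry no year
TS = r"(?P<ts>\w{3}\s+\d+\s[\d:]{8})"
REJECT = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: reject: RCPT from "
                    r"\S*\[(?P<ip>[\d.]+)\]: 550 .*to=<(?P<rcpt>[^>]+)>")
CLIENT = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S*\[(?P<ip>[\d.]+)\]")
SENT = re.compile(TS + r" \S+ postfix/local\[\d+\]: (?P<qid>[0-9A-F]+): "
                  r"to=<(?P<rcpt>[^>]+)>.*status=sent")

# Constructed sample log: two RBL rejects then an accept for one recipient,
# plus an unrelated reject and delivery 30 minutes apart for another.
SAMPLE_LOG = """\
Nov 4 00:58:20 mx postfix/smtpd[101]: reject: RCPT from unknown[192.0.2.10]: 550 Service unavailable; blocked using rbl.example; from=<a@example.net> to=<rare@example.com>
Nov 4 00:58:32 mx postfix/smtpd[101]: reject: RCPT from unknown[198.51.100.7]: 550 Service unavailable; blocked using rbl.example; from=<b@example.net> to=<rare@example.com>
Nov 4 00:58:40 mx postfix/smtpd[101]: 0A1B2C3D4E5: client=unknown[203.0.113.5]
Nov 4 00:58:45 mx postfix/local[103]: 0A1B2C3D4E5: to=<rare@example.com>, relay=local, delay=5, status=sent (mailbox)
Nov 4 09:00:00 mx postfix/smtpd[104]: reject: RCPT from unknown[192.0.2.10]: 550 Service unavailable; blocked using rbl.example; from=<c@example.net> to=<other@example.com>
Nov 4 09:30:00 mx postfix/smtpd[105]: 5E4D3C2B1A0: client=unknown[203.0.113.9]
Nov 4 09:30:05 mx postfix/local[106]: 5E4D3C2B1A0: to=<other@example.com>, relay=local, delay=5, status=sent (mailbox)
"""

def parse_ts(ts):
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")

def find_retry_after_reject(lines, window=timedelta(seconds=60), min_reject_ips=2):
    """Flag deliveries preceded, within `window`, by 550 rejects for the same
    recipient from at least `min_reject_ips` other client IPs."""
    rejects, clients, hits = defaultdict(list), {}, []
    for line in lines:
        if m := REJECT.search(line):
            rejects[m["rcpt"].lower()].append((parse_ts(m["ts"]), m["ip"]))
        elif m := CLIENT.search(line):
            clients[m["qid"]] = m["ip"]  # queue ID -> connecting client IP
        elif m := SENT.search(line):
            when, accepted_ip = parse_ts(m["ts"]), clients.get(m["qid"])
            ips = {ip for ts, ip in rejects[m["rcpt"].lower()]
                   if timedelta(0) <= when - ts <= window and ip != accepted_ip}
            if len(ips) >= min_reject_ips:
                hits.append({"rcpt": m["rcpt"].lower(), "rejected_ips": sorted(ips),
                             "accepted_ip": accepted_ip})
    return hits

if __name__ == "__main__":
    for hit in find_retry_after_reject(SAMPLE_LOG.splitlines()):
        print(hit)
```

The logs quoted in the thread have their addresses replaced with [EMAIL PROTECTED], so the recipient correlation only works on unredacted logs.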