We've had these, especially from some of the sources
listed below, for quite some time.  But we've also 
seen that same spike lately and a couple of worthless
attempts to hack into our servers and gain more IDs.

        When that doesn't work, it's dictionary time and
they spew tons at us.  If that fails, their next tactic
is to do dictionary hits to other destinations, but use
our domains and IPs to forge us as the source.

        We've firewalled and sendmail rejected most of
the domains listed and all the APNIC, RIPE and other IP
ranges from overseas.  If we get complaints, then we 
investigate the source to determine it's genuine and
open that smaller range back up.  Sad, but it's reduced
the workload by 75%.

        Is there a way, possibly with SpamAssassin, to 
simply reject anything not going to a valid user account?
I know you can /dev/null everything but then you miss
what's being spewed at you and the problem is never really
solved.  They get their payloads to valid accounts and
the spam just continues.

        What I'm asking for is some routing in SA or some
other program that could use some format to kill dictionary-
style attacks but let the normal name-based stuff pass to
be dealt with.  Bob (even if there isn't one) would pass,
but [EMAIL PROTECTED] would instantly be 
tossed.

        Any options like that?

      David J. Duffner
      VP Operations
      NWC Corporation
      NWCWEB.com
      
============================================
NWCWEB.com - Your Design & Hosting Solution!
Featuring Ensim Pro/Linux Servers, Hosted
Accounts, Web Design and e-Commerce services
NWC Corporation - Global e-Pay Solutions
============================================
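David's distinction between name-based guesses and random dictionary strings can be scripted as a heuristic over the MTA's unknown-recipient rejections. The block below is an added example, not code from this thread or from SpamAssassin; it assumes the MTA already rejects unknown recipients (as Pierre's does) and that the rejected (relay IP, local part) pairs are available for a time window. The sample events, thresholds and the name-likeness rule are all constructed assumptions.

```python
import re
from collections import defaultdict

VOWELS = set("aeiouy")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-xz]+")

def looks_like_name(local_part: str) -> bool:
    """True for a local part that could plausibly be a person's name or alias.
    Heuristic only, not a user lookup: names have vowels spread through, no
    long consonant runs and few digits; random dictionary strings do not."""
    lp = local_part.lower()
    letters = [c for c in lp if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(lp)), default=0)
    digit_ratio = sum(c.isdigit() for c in lp) / len(lp)
    return 0.15 <= vowel_ratio <= 0.8 and longest_run <= 4 and digit_ratio < 0.5

def classify_relays(events, max_unknown=5, name_like_floor=0.5):
    """events: (relay_ip, rejected_local_part) pairs seen in one time window.
    Verdict per relay: 'ok' (few misses, e.g. a typo), 'name-guessing' (many
    misses but name-like, pass on to SA) or 'dictionary' (many random misses,
    reject or tempfail at SMTP time). Thresholds are assumed; tune to taste."""
    misses = defaultdict(list)
    for ip, local_part in events:
        misses[ip].append(looks_like_name(local_part))
    verdicts = {}
    for ip, flags in misses.items():
        if len(flags) < max_unknown:
            verdicts[ip] = "ok"
        elif sum(flags) / len(flags) >= name_like_floor:
            verdicts[ip] = "name-guessing"
        else:
            verdicts[ip] = "dictionary"
    return verdicts

# Constructed sample: RFC 5737 documentation addresses and invented local parts.
SAMPLE_EVENTS = [
    *[("192.0.2.10", lp) for lp in ("xq7zkwbv", "plmnbvtr", "qwzxcv9", "kjhgfds",
                                    "zzqqxx", "mnbvcxz", "hgfdsa", "trwqp")],
    ("198.51.100.7", "bobb"),
    *[("203.0.113.5", lp) for lp in ("mary", "john.doe", "ssmith", "karen_l",
                                     "peter", "anna")],
]

if __name__ == "__main__":
    for ip, verdict in sorted(classify_relays(SAMPLE_EVENTS).items()):
        print(ip, verdict)
```

The verdict can feed a firewall or MTA access list for the 'dictionary' relays while 'name-guessing' traffic still reaches SpamAssassin, which is the split David describes.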
 

> -----Original Message-----
> From: Eric W. Bates [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 26, 2004 11:39 AM
> To: Pierre Thomson
> Cc: users@spamassassin.apache.org
> Subject: Re: slightly OT: sudden rise in Rumplestiltskin attacks?
> 
> 
> We got slammed with a whole series of dictionary attacks in June (as
> many as 500k per day against a variety of domains).  And, yes, it
> brought SA to its knees.  Prior to the flood, we had always configured
> our customer's domains such that [EMAIL PROTECTED] was delivered to
> the customer's default address.  This worked very well for the past 9
> years; but we had to stop.
> 
> Pierre Thomson wrote:
> > One of our relays got 8500 name-guessing spams yesterday, up from an
> > average of 2500 per day last week.  So far today we have seen 6600,
> > and the day isn't half over.  If our MTA weren't checking recipients
> > against our userlist, SA would be struggling to process these sudden
> > "blasts" of spam.
> > 
> > The sending relays seem to be predominantly in Europe, and often make
> > about a dozen tries in rapid succession.  Here are the relays that
> > sent name-guessing spams in a 2-minute period in the last hour:
> > 
> > 
> > Are others seeing this?  Any plausible explanation?
> > 
> > Pierre Thomson
> > BIC
> 
> -- 
> Message scanned by MailScanner, and is believed to be clean.  
> CONFIDENTIALITY NOTICE:  This transmission intended for the 
> specified destination and person.  If this is not you, this
> e-mail must be deleted immediately.     www.nwcweb.com
> 

