[NBLUG/talk] Is someone trying to DDOS my email server?

E Frank Ball frankb at frankb.us
Thu Sep 22 14:25:16 PDT 2005


On Thu, Sep 22, 2005 at 11:13:42AM -0700, Linford Mark wrote:

} I've been noticing some strange behavior on one of our mail servers, and
} it's starting to make me feel paranoid.  For at least the past month or
} so, we've been getting email messages to an inactive account, followed
} by four random letters (user_accountxxxx@, user_accountyyyy@, etc.)
} What's strange is that each individual message is coming from a
} different server, and it's increasing.  Last night, I received about 200
} different attempts, all from different servers, and relatively evenly
} spread out.  Should I be worried?  Might someone be practicing a DDOS on
} me?

I would not be worried.  It's more likely some spammer's crazy software
and a bunch of his "owned" zombie machines in a misguided attempt to
spam rather than a deliberate DDOS.

First the level of traffic generated by DDOS attacks today is stunning.
I hear stories of 10GB network links getting hammered, 200 emails is
nothing.

I have not seen your particular example of user_accountxxxx@ and
user_accountyyyy@, but I have seen a number of bizarre addressing
techniques in spam:

There are some odd addresses that keep getting a lot of spam.  I never
used them and I have no idea how they got started.  Here are a couple of
examples:  kgergely at efball.com, 3dfrankb at efball.com

Mail sent to numeric addresses:  4169@
Some weeks I get hundreds to various random numbers 3 to 5 digits long.
I also get a lot of mail to a1234@ addresses.

I also see some like 20011019103621.a18549@ which are from the headers
in usenet postings that got harvested mistakenly as email addresses.

---------------------

Recently I've been getting tons of spam for hot stock tips.  Often they
spell it St0ck in the subject line.  What kind of moron would take stock
tips from a rabid, obviously crooked, spammer?

---------------------

The blackholes.us RBL lists have been flakey at best recently.  I really
liked the cn-kr.blackholes.us list (blocks email from IPs in China and
Korea).  I discovered a couple of replacements that seem to work well:

cn.rbl.cluecentral.net
kr.rbl.cluecentral.net
korea.services.net
(only one of the korea lists is needed, but I don't know which is better).        

-- 

   E Frank Ball frankb at frankb.us
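The addressing patterns described in this thread (an inactive account plus four random letters, bare 3 to 5 digit numbers, a1234@-style names, and Usenet message-ids harvested as addresses) are easy to count from a rejected-recipient log, and the DNSBL zones mentioned above are queried by reversing the sender's IPv4 octets under the zone name. The script below is an added example, not code from the list post or from any of the RBL operators; the recipient addresses and the 192.0.2.1 sender address are constructed test data, the "user_account" inactive-account name is hypothetical, and the zone names are taken from the post as written (whether those zones still answer today is not something the post or this example can promise).

```python
import re
import socket
from collections import Counter

# Constructed sample: recipient addresses as they might appear in a day's
# rejected-RCPT log. No real users or domains are involved.
SAMPLE_RECIPIENTS = [
    "user_accountabcd@example.net",
    "user_accountqwzx@example.net",
    "user_account@example.net",
    "4169@example.net",
    "a1234@example.net",
    "20011019103621.a18549@example.net",
    "frankb@example.net",
]

# Hypothetical set of account names that no longer exist on the server.
INACTIVE_ACCOUNTS = {"user_account"}

# DNSBL zones named in the post; used only to build query names here.
DNSBL_ZONES = [
    "cn.rbl.cluecentral.net",
    "kr.rbl.cluecentral.net",
    "korea.services.net",
]


def classify_local_part(local, inactive=INACTIVE_ACCOUNTS):
    """Label one local part with the spam addressing pattern it matches."""
    for base in inactive:
        # inactive account name followed by exactly four random letters
        if local.startswith(base) and re.fullmatch(r"[a-z]{4}", local[len(base):]):
            return "inactive+4letters"
    if re.fullmatch(r"\d{3,5}", local):          # 4169@
        return "numeric"
    if re.fullmatch(r"[a-z]\d{4}", local):       # a1234@
        return "letter+4digits"
    if re.fullmatch(r"\d{14}\.[a-z]\d+", local):  # 20011019103621.a18549@
        return "usenet-msgid"
    return "other"


def summarize(addresses):
    """Count how many addresses fall into each pattern bucket."""
    counts = Counter()
    for addr in addresses:
        local, _, _domain = addr.partition("@")
        counts[classify_local_part(local.lower())] += 1
    return counts


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets under the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone):
    """Live lookup (needs network): True if the zone answers with an A record."""
    try:
        socket.gethostbyname(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_RECIPIENTS).most_common():
        print(f"{label:20s} {n}")
    for zone in DNSBL_ZONES:
        print(dnsbl_query_name("192.0.2.1", zone))
```

Only the query-name construction is exercised offline; is_listed() performs a real DNS lookup and should be pointed at a zone you have confirmed is still operated, since a dead zone returns NXDOMAIN for every address and silently stops blocking anything.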
