[NBLUG/talk] Is someone trying to DDOS my email server?

Christopher Wagner chrisw at pacaids.com
Thu Sep 22 15:52:07 PDT 2005


I use this list of DNSBLs and have found it to be extremely helpful;
adding the China and Korea blacklists as well would provide quite an
effective limiter to spam:

blackhole.securitysage.com,
dsn.rfc-ignorant.org,
rhsbl.ahbl.org,
blackholes.mail-abuse.org,
sbl.spamhaus.org,
opm.blitzed.org,
bl.spamcop.net,
zombie.dnsbl.sorbs.net,
opm.blitzed.org,
blackholes.mail-abuse.org,
sbl.spamhaus.org,
relay.ordb.org,
ma.countries.nerd.dk,
es.countries.nerd.dk,
ne.countries.nerd.dk,
dnsbl.njabl.org,
ae.countries.nerd.dk,
an.countries.nerd.dk,
al.countries.nerd.dk,
ap.countries.nerd.dk,
gt.countries.nerd.dk,
gu.countries.nerd.dk,
il.countries.nerd.dk,
ir.countries.nerd.dk,
tv.countries.nerd.dk,

- Chris

E Frank Ball wrote:

>On Thu, Sep 22, 2005 at 11:13:42AM -0700, Linford Mark wrote:
>
>} I've been noticing some strange behavior on one of our mail servers, and
>} it's starting to make me feel paranoid.  For at least the past month or
>} so, we've been getting email messages to an inactive account, followed
>} by four random letters (user_accountxxxx@, user_accountyyyy@, etc.)
>} What's strange is that each individual message is coming from a
>} different server, and it's increasing.  Last night, I received about 200
>} different attempts, all from different servers, and relatively evenly
>} spread out.  Should I be worried?  Might someone be practicing a DDOS on
>} me?
>
>I would not be worried.  It's more likely some spammer's crazy software
>and a bunch of his "owned" zombie machines in a misguided attempt to
>spam rather than a deliberate DDOS.
>
>First, the level of traffic generated by DDOS attacks today is stunning.
>I hear stories of 10GB network links getting hammered; 200 emails is
>nothing.
>
>I have not seen your particular example of user_accountxxxx@ and
>user_accountyyyy@, but I have seen a number of bizarre addressing
>techniques in spam:
>
>There are some odd addresses that keep getting a lot of spam.  I never
>used them and I have no idea how they got started.  Here are a couple of
>examples:  kgergely at efball.com, 3dfrankb at efball.com
>
>Mail sent to numeric addresses:  4169@
>Some weeks I get hundreds to various random numbers 3 to 5 digits long.
>I also get a lot of mail to a1234@ addresses.
>
>I also see some like 20011019103621.a18549@ which are from the headers
>in usenet postings that got harvested mistakenly as email addresses.
>
>---------------------
>
>Recently I've been getting tons of spam for hot stock tips.  Often they
>spell it St0ck in the subject line.  What kind of moron would take stock
>tips from a rabid, obviously crooked, spammer?
>
>---------------------
>
>The blackholes.us RBL lists have been flaky at best recently.  I really
>liked the cn-kr.blackholes.us list (blocks email from IPs in China and
>Korea).  I discovered a couple of replacements that seem to work well:
>
>cn.rbl.cluecentral.net
>kr.rbl.cluecentral.net
>korea.services.net
>(only one of the korea lists is needed, but I don't know which is better).
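
Since the thread is trading DNSBL zone names, here is an added example (not code from
anyone in this thread) of what the MTA actually does with such a list: it reverses the
octets of the connecting client's IP, prepends them to the zone, and treats an A record
in 127.0.0.0/8 as a listing. It also shows the RFC 5782 sanity check (127.0.0.2 must be
listed, 127.0.0.1 must not) that catches exactly the "flaky" and dead lists complained
about above, which can otherwise start wildcarding and bounce all your mail. The zone
subset, the client IPs (documentation ranges) and the FAKE_ZONE_DATA resolver are all
constructed for the example; a real deployment would resolve the names with DNS.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# A deduplicated, ordered subset of the zones named in the thread (constructed choice;
# whether any of them is still alive is what zone_is_sane() is for).
DNSBL_ZONES = [
    "sbl.spamhaus.org",
    "bl.spamcop.net",
    "zombie.dnsbl.sorbs.net",
    "cn.rbl.cluecentral.net",
    "kr.rbl.cluecentral.net",
]

# A resolver takes a DNS name and returns the text of its A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the four octets of the client IP and append the zone,
    so 192.0.2.10 in sbl.spamhaus.org is looked up as 10.2.0.192.sbl.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything that is not an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def _listed_answer(answer: Optional[str]) -> bool:
    """A listing is an A record inside 127.0.0.0/8; anything else (a parked domain's web
    server, a wildcard, garbage) must not count as a hit or you start bouncing all mail."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LOOPBACK
    except ValueError:
        return False


def check_ip(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists `ip`, querying each zone once."""
    hits: Dict[str, str] = {}
    for zone in dict.fromkeys(zones):  # drop duplicate zones, keep the configured order
        answer = resolve(dnsbl_query_name(ip, zone))
        if _listed_answer(answer):
            hits[zone] = answer
    return hits


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 test entries: a working DNSBL lists 127.0.0.2 and does not list 127.0.0.1.
    A zone failing this is dead or wildcarding and should be pulled from the MTA config."""
    return (_listed_answer(resolve(dnsbl_query_name("127.0.0.2", zone)))
            and not _listed_answer(resolve(dnsbl_query_name("127.0.0.1", zone))))


# Constructed, offline stand-in for a real lookup (with dnspython that would be
# dns.resolver.resolve(name, "A")); every entry below is invented for the example.
FAKE_ZONE_DATA = {
    "2.0.0.127.sbl.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "2.0.0.127.cn.rbl.cluecentral.net": "127.0.0.2",
    "2.0.0.127.kr.rbl.cluecentral.net": "127.0.0.2",
    "2.0.0.127.zombie.dnsbl.sorbs.net": "127.0.0.2",
    "1.0.0.127.zombie.dnsbl.sorbs.net": "127.0.0.2",   # lists 127.0.0.1 too: wildcarding
    "10.2.0.192.sbl.spamhaus.org": "127.0.0.2",
    "10.2.0.192.cn.rbl.cluecentral.net": "127.0.0.2",
    "7.100.51.198.bl.spamcop.net": "127.0.0.2",
    "7.100.51.198.zombie.dnsbl.sorbs.net": "10.0.0.1",  # non-loopback answer: ignored
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    live = [z for z in DNSBL_ZONES if zone_is_sane(z, fake_resolve)]
    print("usable zones:", live)
    for client in ("192.0.2.10", "198.51.100.7", "203.0.113.1"):
        print(client, "->", check_ip(client, live, fake_resolve))
```

Run the zone_is_sane() check from cron against each configured zone rather than once
at setup time; a list that worked when you added it can lapse later, and a lapsed
domain that answers every query with its parking server's address will, without the
127.0.0.0/8 test, reject every client that connects.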
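
The question that started the thread (one inactive account plus four random letters,
every attempt from a different host) is the kind of thing that is easy to settle from
the MTA's reject log rather than by guessing. The following is an added example, not
code from anyone in this thread: it parses constructed Postfix-style "Recipient address
rejected" lines, groups recipients by the part before the four-letter suffix, and
labels each group by whether the attempts come from roughly as many distinct client
IPs as there are attempts (a spam run driven from zombie machines, as the reply above
suggests) or from a single source (an ordinary dictionary attack you can block per IP).
The log format in LOG_RE, the sample lines produced by make_sample_log() and the
thresholds in classify() are all assumptions for the example.

```python
import itertools
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Postfix-style smtpd reject line (constructed format for this example; adjust LOG_RE to
# whatever your MTA writes).
LOG_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: 550 \S+ <(?P<rcpt>[^>]+)>"
)
# "<account><4 random letters>@domain": split the local part into base and suffix.
SUFFIX_RE = re.compile(r"^(?P<base>.+?)(?P<suffix>[a-z]{4})@(?P<domain>.+)$")


def parse_rejects(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Extract (client_ip, recipient) from recipient-rejected log lines."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("rcpt").lower()))
    return events


def cluster_by_base(events: Iterable[Tuple[str, str]]) -> Dict[str, dict]:
    """Group attempts by base@domain, tracking distinct client IPs and distinct suffixes."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"attempts": 0, "ips": set(), "suffixes": set()})
    for ip, rcpt in events:
        m = SUFFIX_RE.match(rcpt)
        if not m:
            continue
        key = m.group("base") + "@" + m.group("domain")
        stats[key]["attempts"] += 1
        stats[key]["ips"].add(ip)
        stats[key]["suffixes"].add(m.group("suffix"))
    return dict(stats)


def classify(s: dict, min_attempts: int = 10) -> str:
    """Label one cluster (thresholds are assumptions, tune them to your volume):
    distributed-probe : many distinct recipients from (almost) as many distinct client
                        IPs, the signature of a spam run pushed through a botnet
    single-source     : many distinct recipients from one or a few IPs, a conventional
                        dictionary attack worth a per-IP firewall or rate-limit rule
    noise             : too few attempts to say anything"""
    if s["attempts"] < min_attempts or len(s["suffixes"]) < min_attempts // 2:
        return "noise"
    if len(s["ips"]) >= 0.8 * s["attempts"]:
        return "distributed-probe"
    return "single-source"


def analyze(lines: Iterable[str]) -> Dict[str, str]:
    """Map each base@domain seen in the log to its label."""
    return {base: classify(s) for base, s in cluster_by_base(parse_rejects(lines)).items()}


def make_sample_log() -> List[str]:
    """Constructed sample: 30 probes of user_account<xxxx>@example.com from 30 different
    hosts, 12 probes of info<xxxx>@example.com from one host, and one ordinary typo."""
    template = ("Sep 22 02:14:{sec:02d} mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
                "unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown")
    suffixes = ("".join(t) for t in itertools.product("abcdefghij", repeat=4))
    lines = []
    for i in range(30):
        lines.append(template.format(sec=i, ip=f"203.0.113.{i + 1}",
                                     rcpt=f"user_account{next(suffixes)}@example.com"))
    for i in range(12):
        lines.append(template.format(sec=i, ip="198.51.100.9",
                                     rcpt=f"info{next(suffixes)}@example.com"))
    lines.append(template.format(sec=59, ip="192.0.2.77", rcpt="frankb@example.com"))
    return lines


if __name__ == "__main__":
    for base, label in sorted(analyze(make_sample_log()).items()):
        print(f"{label:18s} {base}")
```

The distinct-IP ratio is the useful number: 200 attempts from 200 hosts is what a
botnet looks like and blocking individual senders is pointless, whereas 200 attempts
from one host is a dictionary attack and a single firewall rule ends it. Either way
the volume described in the thread is nowhere near a DDoS; it is the reject count,
not the bandwidth, that is worth watching.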