Posted to users@spamassassin.apache.org by Jason Haar <Ja...@trimble.co.nz> on 2006/08/21 01:23:19 UTC

Is there a new spambot army on the march?

We are getting HAMMERED with a dictionary attack that is on a scale we
have never experienced before.

We have recipient verification on our edge servers, so basically it's
all just bouncing off us, but it has been impacting us as we've already
had to up the maximum number of simultaneous SMTP connections 4-fold to
handle the increased load.

I'm starting to track the IPs, and so far after 30 minutes have found
over 5000 separate IPs - so this Spambot army is pretty big.

Is it only us, or are others seeing it too?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: Is there a new spambot army on the march?

Posted by Gino Cerullo <gc...@pixelpointstudios.com>.
Yeah, I've been getting hammered by these too. I've configured  
Postfix to do HELO checks and the vast majority (95%) are failing at  
the MTA.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

T: 416-247-7740
F: 416-247-7503



Re: Is there a new spambot army on the march?

Posted by Jason Haar <Ja...@trimble.co.nz>.
jdow wrote:
>
>> We're getting around 60/sec for over 24 hours now :-(
>>
>> It ain't getting in, but the logs are filling my disk ;-)
>
> 5 MILLION a day! Who hates Trimble Navigation THAT much? (IMAO they're
> fairly good guys. I used to do GPS related work - satellite and ground.)
I guess that's my point. I was wondering if this was within the "normal"
range of dictionary attacks. I've been tracking (in realtime) the IPs
sending to non-existent addresses for the past 2 hours, and we are now
over 10K separate IP addresses. Sounds like those MS06-040 trojans
released last week found their mark :-(

Running the addresses through GeoIP shows they are all over the world. I
guess we just weather the storm :-/

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: Is there a new spambot army on the march?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 8/20/2006 8:37 PM, jdow wrote:
> From: "Jason Haar" <Ja...@trimble.co.nz>

>> We're getting around 60/sec for over 24 hours now :-(
>>
>> It ain't getting in, but the logs are filling my disk ;-)
> 
> 
> 5 MILLION a day! Who hates Trimble Navigation THAT much? (IMAO they're
> fairly good guys. I used to do GPS related work - satellite and ground.)

If it was Garmin, I'd say it's just a user trying to get tech support.

Have fun Jason! :)


Daryl

Re: Is there a new spambot army on the march?

Posted by jdow <jd...@earthlink.net>.
From: "Jason Haar" <Ja...@trimble.co.nz>

> Theo Van Dinter wrote:
>> On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:
>>   
>>> We are getting HAMMERED with a dictionary attack that is on a scale we
>>> have never experienced before.
>>>     
>>
>> Yeah.  I had >260k "user unknown" entries per day last week (that's
>> over 3 per second for a whole day straight).  The weekends are always lighter,
>> with only 110k so far today -- around 8800 different IPs so far.
>>
>>   
> We're getting around 60/sec for over 24 hours now :-(
> 
> It ain't getting in, but the logs are filling my disk ;-)

5 MILLION a day! Who hates Trimble Navigation THAT much? (IMAO they're
fairly good guys. I used to do GPS related work - satellite and ground.)

{^_-}   Joanne

Re: Is there a new spambot army on the march?

Posted by Jason Haar <Ja...@trimble.co.nz>.
Theo Van Dinter wrote:
> On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:
>   
>> We are getting HAMMERED with a dictionary attack that is on a scale we
>> have never experienced before.
>>     
>
> Yeah.  I had >260k "user unknown" entries per day last week (that's
> over 3 per second for a whole day straight).  The weekends are always lighter,
> with only 110k so far today -- around 8800 different IPs so far.
>
>   
We're getting around 60/sec for over 24 hours now :-(

It ain't getting in, but the logs are filling my disk ;-)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: Is there a new spambot army on the march?

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:
> We are getting HAMMERED with a dictionary attack that is on a scale we
> have never experienced before.

Yeah.  I had >260k "user unknown" entries per day last week (that's
over 3 per second for a whole day straight).  The weekends are always lighter,
with only 110k so far today -- around 8800 different IPs so far.

-- 
Randomly Generated Tagline:
"But you have to allow a little for the desire to evangelize when you
 think you have good news."         - Larry Wall

Re: Is there a new spambot army on the march?

Posted by The Doctor <do...@doctor.nl2k.ab.ca>.
On Mon, Aug 21, 2006 at 11:49:54AM +1200, Jason Haar wrote:
> The Doctor wrote:
> >
> > I may have a server side solution using spamikaze but first
> > what is the SMTP server software that you are using?
> >  
> We're using Qmail with assorted patches - like the recipient checking
> one. I think the only solution that would improve our situation would be
> getting these (6.5K now) IPs into the RBLs - or into our tcpserver ACL
> list.
> 
> (I'm not really looking for a solution - more just wondering if anyone
> else was seeing the same thing.)
>

Who knows?? I know I am using spamikaze to turf the beggars.
 
> -- 
> Cheers
> 
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> 
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 

-- 
Member - Liberal International	
This is doctor@nl2k.ab.ca	Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
New Brunswick kick out the Harper Puppet and VOTE LIBERAL on 18 Sept 2006



Re: Is there a new spambot army on the march?

Posted by Jason Haar <Ja...@trimble.co.nz>.
The Doctor wrote:
>
> I may have a server side solution using spamikaze but first
> what is the SMTP server software that you are using?
>  
We're using Qmail with assorted patches - like the recipient checking
one. I think the only solution that would improve our situation would be
getting these (6.5K now) IPs into the RBLs - or into our tcpserver ACL
list.

(I'm not really looking for a solution - more just wondering if anyone
else was seeing the same thing.)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
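
The tracking described in the message above (counting source IPs that send to non-existent addresses, then turning them into tcpserver ACL entries) can be sketched as follows. This is an added example, not code from any poster in the thread; the log line format, the sample addresses and the `min_distinct` threshold are assumptions, since the real format depends on the recipient-check patch in use.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical log format (assumption):
# "<epoch> rcptcheck: <verdict> ip=<client ip> rcpt=<recipient>"
SAMPLE_LOG = """\
1156116199 rcptcheck: reject ip=192.0.2.10 rcpt=aaron@example.com
1156116199 rcptcheck: reject ip=192.0.2.10 rcpt=abby@example.com
1156116200 rcptcheck: reject ip=198.51.100.7 rcpt=adam@example.com
1156116200 rcptcheck: accept ip=203.0.113.5 rcpt=sales@example.com
1156116201 rcptcheck: reject ip=192.0.2.10 rcpt=abel@example.com
1156116201 rcptcheck: reject ip=203.0.113.5 rcpt=slaes@example.com
1156116202 rcptcheck: reject ip=198.51.100.7 rcpt=adam@example.com
"""

LINE_RE = re.compile(
    r"^\d+ rcptcheck: (reject|accept) ip=(\d{1,3}(?:\.\d{1,3}){3}) rcpt=(\S+)$"
)

def summarize(log_text):
    """Per client IP: set of distinct rejected recipients, count of accepted ones."""
    stats = defaultdict(lambda: {"rejected": set(), "accepted": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines from other log sources
        verdict, ip, rcpt = m.groups()
        if verdict == "reject":
            stats[ip]["rejected"].add(rcpt.lower())
        else:
            stats[ip]["accepted"] += 1
    return dict(stats)

def deny_candidates(stats, min_distinct=3):
    """IPs that probed >= min_distinct unknown recipients and hit no valid one.

    Requiring zero accepted recipients keeps a legitimate sender with one
    typo (203.0.113.5 above) off the list. In a widely distributed attack
    each bot may stay under the threshold, so tune it against real logs.
    """
    return sorted(
        ip for ip, s in stats.items()
        if len(s["rejected"]) >= min_distinct and s["accepted"] == 0
    )

def tcprules_lines(ips):
    """Render deny rules in tcprules source syntax, ending with a default allow."""
    return [f"{ip}:deny" for ip in ips] + [":allow"]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print(f"{len(stats)} distinct client IPs seen")
    print("\n".join(tcprules_lines(deny_candidates(stats))))
```

The generated lines still have to be compiled with `tcprules` into the cdb file that tcpserver reads before they take effect.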


Re: Is there a new spambot army on the march?

Posted by The Doctor <do...@doctor.nl2k.ab.ca>.
On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:
> We are getting HAMMERED with a dictionary attack that is on a scale we
> have never experienced before.
> 
> We have recipient verification on our edge servers, so basically it's
> all just bouncing off us, but it has been impacting us as we've already
> had to up the maximum number of simultaneous SMTP connections 4-fold to
> handle the increased load.
> 
> I'm starting to track the IPs, and so far after 30 minutes have found
> over 5000 separate IPs - so this Spambot army is pretty big.
> 
> Is it only us, or are others seeing it too?
>

I may have a server side solution using spamikaze but first
what is the SMTP server software that you are using?
 
> -- 
> Cheers
> 
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> 

-- 
Member - Liberal International	
This is doctor@nl2k.ab.ca	Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
New Brunswick kick out the Harper Puppet and VOTE LIBERAL on 18 Sept 2006
