Posted to users@spamassassin.apache.org by Kai Schaetzl <ma...@conactive.com> on 2004/10/22 23:32:05 UTC

OT: spam waves targeting old MXs?

For about 48 hours I have seen an increase in attempts to unload spam to our 
clients. Many of the connects seem to be endless: they keep the sendmail 
process open with almost no data until I kill them after a while. This 
happens on several machines, sometimes looking a bit like a "wave", and 
many of the target email addresses are no longer on these machines but 
have moved to another MX. It looks like old MX records from half a year 
ago or so have been activated. But the stuff comes from dialups all 
over the world, so it can't be some provider's nameserver handing out 
bogus info.
It's not in any way near a DoS attack, but I'm curious. Is anyone seeing 
similar mysterious spam waves?


Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org




Re: spam waves targeting old MXs?

Posted by Fred <sp...@freddyt.com>.
Kai Schaetzl wrote:
> For about 48 hours I have seen an increase in attempts to unload spam to our
> clients.

For the past 12 months I have seen endless attempts to send mail to invalid
addresses.  I get 1,000 per hour, every hour, every day of the working
week.  During off hours it's slightly lower; during peak (Mon-Thu) it's slightly
higher.  It never stops; our sendmail is telling these people to stop
sending mail to those addresses, but it falls on deaf ears.

> Many of the connects seem to be endless: they keep the
> sendmail process open with almost no data until I kill them after a
> while. This happens on several machines, sometimes looking a bit like
> a "wave", and many of the target email addresses are no longer on
> these machines but have moved to another MX. It looks like old MX
> records from half a year ago or so have been activated. But the
> stuff comes from dialups all over the world, so it can't be some
> provider's nameserver handing out bogus info.
> It's not in any way near a DoS attack, but I'm curious. Is anyone seeing
> similar mysterious spam waves?

Yes, we see similar attacks.  We use an internal mail server which at one
time was listed as the MX for our domain, and we still see direct spams to it
once in a while.  It could be due to the easy-to-guess name mail.domain, but
who knows; these guys could keep their own phonebook of IPs to send spam at.


Re: OT: spam waves targeting old MXs?

Posted by Niek <ni...@packetstorm.nu>.
On 10/22/2004 11:32 PM +0200, Kai Schaetzl wrote:
> For about 48 hours I have seen an increase in attempts to unload spam to our 
> clients. Many of the connects seem to be endless: they keep the sendmail 
> process open with almost no data until I kill them after a while. This 
> happens on several machines, sometimes looking a bit like a "wave", and 
> many of the target email addresses are no longer on these machines but 
> have moved to another MX. It looks like old MX records from half a year 
> ago or so have been activated. But the stuff comes from dialups all 
> over the world, so it can't be some provider's nameserver handing out 
> bogus info.
> It's not in any way near a DoS attack, but I'm curious. Is anyone seeing 
> similar mysterious spam waves?
> 
> 
> Kai

Some spam software lets other hosts do the MX lookups and feeds the zombies
with the target email addresses and the IP to send the spam to.
This way the zombies do not need to do MX lookups when they spam.
Thus, if you move a domain to a different MX, the old one will still
be hammered with spam for the moved domain.

Regards,
Niek
-- 
_______________________________________________________________________
Read about mime:                    http://www.geoapps.com/nomime.shtml
Read about quoting:     http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers
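As an added illustration that is not part of the thread and not code posted by anyone in it: Niek's explanation means a host that was dropped from a domain's MX set keeps receiving connections for that domain from senders working off a pre-resolved target list. A defender can measure exactly that by cross-checking each recipient domain in the MTA log against the MX hosts currently published for it, and by correlating the sending IPs with the idle, data-less connections Kai describes. The log lines below are constructed in a sendmail-like layout (not real sendmail output; adjust the regexes to your MTA's actual format), the MX table stands in for live DNS lookups, and every host name, queue id and IP address is a made-up placeholder.

```python
import re
from collections import Counter

# Constructed sample lines in a sendmail-like layout (not real log output);
# adapt the regexes below to the exact format your MTA writes.
SAMPLE_LOG = """\
Oct 22 23:10:01 mx1 sendmail[4711]: i9MLA1aa004711: from=<bulk@example.net>, nrcpts=2, relay=[198.51.100.7]
Oct 22 23:10:01 mx1 sendmail[4711]: i9MLA1aa004711: to=<alice@moved.example>, stat=User unknown
Oct 22 23:10:01 mx1 sendmail[4711]: i9MLA1aa004711: to=<bob@stays.example>, stat=Sent
Oct 22 23:10:09 mx1 sendmail[4712]: i9MLA9bb004712: from=<deals@example.net>, nrcpts=2, relay=[203.0.113.42]
Oct 22 23:10:09 mx1 sendmail[4712]: i9MLA9bb004712: to=<carol@moved.example>, stat=User unknown
Oct 22 23:10:09 mx1 sendmail[4712]: i9MLA9bb004712: to=<dave@moved.example>, stat=User unknown
Oct 22 23:15:00 mx1 sendmail[4713]: timeout waiting for input from [203.0.113.42] during server cmd read
Oct 22 23:16:00 mx1 sendmail[4714]: timeout waiting for input from [198.51.100.7] during server cmd read
"""

# Constructed MX table: domain -> set of hosts currently published in DNS.
# In production these would come from live MX lookups (e.g. dnspython),
# ideally cached for the run so the script does not hammer the resolver.
CURRENT_MX = {
    "moved.example": {"mx.elsewhere.example"},  # moved away months ago
    "stays.example": {"mx1.example.org"},       # still hosted on this box
}
THIS_HOST = "mx1.example.org"  # placeholder name of the host whose log this is

FROM_RE = re.compile(r" (\S+): from=<[^>]*>.*relay=\[(\d+\.\d+\.\d+\.\d+)\]")
TO_RE = re.compile(r" (\S+): to=<([^>]+)>")
TIMEOUT_RE = re.compile(r"timeout waiting for input from \[(\d+\.\d+\.\d+\.\d+)\]")


def domain_of(address):
    """Domain part of an address, lower-cased for table lookups."""
    return address.rsplit("@", 1)[-1].lower()


def stale_mx_deliveries(log_text, current_mx, this_host):
    """Return (relay_ip, recipient) pairs for recipients whose domain no
    longer lists this_host as an MX. A domain absent from the table is
    treated as not hosted here and flagged too."""
    relay_by_qid = {}  # queue id -> IP that handed us the message
    hits = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            relay_by_qid[m.group(1)] = m.group(2)
            continue
        m = TO_RE.search(line)
        if m:
            qid, rcpt = m.groups()
            if this_host not in current_mx.get(domain_of(rcpt), set()):
                hits.append((relay_by_qid.get(qid, "unknown"), rcpt))
    return hits


def hung_connection_counts(log_text):
    """Count input-timeout events per relay IP: connections held open
    with no data show up as these once the MTA gives up on them."""
    return Counter(m.group(1) for line in log_text.splitlines()
                   for m in [TIMEOUT_RE.search(line)] if m)


def suspicious_relays(log_text, current_mx, this_host):
    """Relay IPs that both delivered to stale-MX recipients and left idle
    connections behind, as (ip, stale_hits, timeouts), most hits first."""
    stale = Counter(ip for ip, _ in stale_mx_deliveries(log_text, current_mx, this_host))
    hung = hung_connection_counts(log_text)
    return sorted(((ip, stale[ip], hung[ip]) for ip in stale if ip in hung),
                  key=lambda t: -t[1])


if __name__ == "__main__":
    for ip, hits, timeouts in suspicious_relays(SAMPLE_LOG, CURRENT_MX, THIS_HOST):
        print(f"{ip}: {hits} stale-MX recipient(s), {timeouts} idle timeout(s)")
```

Run against a real log, the stale-MX hit count per source is a cleaner signal than raw connection volume: legitimate senders resolve MX at delivery time, so a high ratio of stale-MX recipients from one IP points at a cached or pre-resolved target list rather than a misconfigured resolver, which is exactly the distinction Kai was trying to draw.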