Re: [anti-spam-wg@localhost] New kind of spam attack? How to defend?
- Date: Wed, 6 Nov 2002 14:53:51 +0100 (MET)
We've seen a similar kind of attack for quite some time and I've spent
much too much time fighting it - blocking hosts/networks that "sneak
in" mail via the more expensive backup MX host although the "cheapest"
is known to be up, etc, etc. I also ended up in relay-blocking large
quantities of the IP space in advance, e.g.
and numerous /16 and /24. Effectively this takes away all the good in
having a backup MX host, so by now we've given up and have a single
MX host without backup for each (sub)domain, with a few exceptions.
Sad, but impossible to keep on.
My "relay-blocking" sendmail responds "4xx Tempfail" which should
be OK from a protocol standpoint, but which renders the entire
idea of a backup MX host fairly useless.
>From anti-spam-wg-admin@localhost Thu Oct 31 09:50:32 2002
>Date: Wed, 30 Oct 2002 11:37:54 +0100 (MET)
>From: Paul Wouters paul@localhost
>Subject: [anti-spam-wg@localhost] New kind of spam attack? How to defend?
>I have been seeing a new kind of spam attack for which I have no solution.
>We're seeing a large distributed network sending us batches of spam for a
>domain we are fallback MX for. The IP list seems very distributed, with a
>focus on apnic IP's. No IP sends more than about 20 batches. We're talking
>about a few thousand emails per day (while trying to fight it)
>The worst problem is that these batches are basically bruteforced address lists.
>So we see aaabcde@localhost, aaabcdf@localhost etc. Since of course the sender
>is false or disabled, this generates thousands of double bounces between
>us and the best MX host which is refusing the messages with 'user unknown'.
>I know I can get rid of the double bounces by accepting the messages and
>silently dropping them, but that still means thousands of nonsense messages
>travel from the outside to the fallback MX to the best MX.
>Has anyone else seen this kind of spam attack? So far, this is only
>happening to one co.uk domain we're fallback for, but I fear the day this
>will be the next standard delivery method for spam; I'd probably be
>forced to block port 25 for all of 200/8 and a few others :(
>I've temporarily disabled relaying for the co.uk domain to at least stop
>the attacks for now, but obviously this is not a real long-term solution.
>(sorted list of IP's in use available upon request)
>Broerdijk 27, 6523 GM Nijmegen, The Netherlands
>Postbus 170, 6500 AD Nijmegen, The Netherlands
>Tel: 31-24-360 39 19  Fax: 31-24-360 19 99  info@localhost
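The enumeration pattern Paul describes (aaabcde, aaabcdf, ...) can be picked out on the fallback MX from its own delivery log before the double bounces pile up. The script below is an added example, not code from either poster; it assumes a constructed, simplified log format with relay=, to= and stat= fields, and flags relay IPs whose 'user unknown' recipients read like a counter.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, not real sendmail output):
# one line per recipient as seen by the fallback MX when it tried the best MX.
SAMPLE_LOG = """\
2002-10-30 11:37:01 relay=203.0.113.7 to=<aaabcde@example.co.uk> stat=user unknown
2002-10-30 11:37:02 relay=203.0.113.7 to=<aaabcdf@example.co.uk> stat=user unknown
2002-10-30 11:37:02 relay=203.0.113.7 to=<aaabcdg@example.co.uk> stat=user unknown
2002-10-30 11:37:03 relay=203.0.113.7 to=<aaabcdh@example.co.uk> stat=user unknown
2002-10-30 11:40:10 relay=198.51.100.4 to=<alice@example.co.uk> stat=sent
2002-10-30 11:41:00 relay=198.51.100.9 to=<bob@example.co.uk> stat=user unknown
"""

LINE_RE = re.compile(
    r"relay=(?P<ip>[\d.]+) to=<(?P<local>[^@>]+)@(?P<domain>[^>]+)> stat=(?P<stat>.+)$"
)


def parse(log):
    """Yield (relay_ip, local_part, domain, status) for every parseable line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["local"], m["domain"], m["stat"].strip()


def looks_enumerated(local_parts):
    """True when the local parts behave like a counter: all the same length,
    and each sorted neighbour differs only in its last character, stepped by one."""
    parts = sorted(set(local_parts))
    if len(parts) < 3 or len({len(p) for p in parts}) != 1:
        return False
    return all(a[:-1] == b[:-1] and ord(b[-1]) - ord(a[-1]) == 1
               for a, b in zip(parts, parts[1:]))


def find_enumerating_relays(log, min_unknown=3):
    """Map relay IP -> sorted unknown recipients for relays that look like
    they are walking through a generated address list."""
    unknown = defaultdict(list)
    for ip, local, _domain, stat in parse(log):
        if stat.lower().startswith("user unknown"):
            unknown[ip].append(local)
    return {ip: sorted(set(locs)) for ip, locs in unknown.items()
            if len(locs) >= min_unknown and looks_enumerated(locs)}


if __name__ == "__main__":
    for ip, recipients in find_enumerating_relays(SAMPLE_LOG).items():
        print(f"{ip}: {len(recipients)} enumerated unknown recipients")
```

A relay flagged this way is a candidate for the 4xx tempfail treatment described above, applied per client rather than to whole /16s.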