Security Incidents mailing list archives

Re: Distributed spam-based DoS in progress


From: Transistor Sister <raven () cybercom net>
Date: Tue, 18 Feb 2003 21:35:33 -0500 (EST)



On Tue, 18 Feb 2003, Kee Hinckley wrote:


> One theory I've heard on this is that the script kiddies are using
> spam for DoS attacks under the (probably correct) assumption that if
> you report it to the relevant authorities they will dismiss it as
> "just being spam."  This was from someone who had in fact tried to
> report such a DoS attack and received just that response.

I phoned CERT and they said pretty much the same thing, but for all
intents and purposes spam pretty much stops becoming spam when it becomes
a denial of service. It seems that there are very few people out there who
have seen this but I'm sure it's not far off from becoming more prevalent.

After we got the situation under control we took a look at the data and
found that we are the victim of a dictionary attack. Basically this guy is
hitting us using a huge list of users. Some are random, but others look
like they may have been culled from another victim site. After getting
lots of great advice from members on this list, we have implemented RBL.
Thousands of messages are now being refused and the mail relays are
staying up. Thanks to all for your assistance.

Regards,

.Sarah



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
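
Added example, not part of the original message or thread: one way to spot the dictionary-attack pattern described above (a single source trying many recipients, most of which do not exist) in recipient-rejection records. The record format, addresses, function names and thresholds are assumptions made for illustration, not any real mail server's log syntax.

```python
import re
from collections import defaultdict

# Constructed sample records in a simplified, made-up format:
# "<time> client=<ip> rcpt=<address> result=<ok|unknown_user>"
SAMPLE_LOG = """\
21:30:01 client=192.0.2.10 rcpt=aaron@example.net result=unknown_user
21:30:01 client=192.0.2.10 rcpt=abby@example.net result=unknown_user
21:30:02 client=192.0.2.10 rcpt=adam@example.net result=unknown_user
21:30:02 client=198.51.100.7 rcpt=sales@example.net result=ok
21:30:02 client=192.0.2.10 rcpt=sales@example.net result=ok
21:30:03 client=192.0.2.10 rcpt=qx7tz@example.net result=unknown_user
21:30:03 client=198.51.100.7 rcpt=suport@example.net result=unknown_user
21:30:03 client=192.0.2.10 rcpt=alan@example.net result=unknown_user
21:30:04 client=192.0.2.10 rcpt=ALAN@example.net result=unknown_user
21:30:04 client=192.0.2.10 rcpt=zz19k@example.net result=unknown_user
21:30:05 client=198.51.100.7 rcpt=support@example.net result=ok
21:30:06 client=203.0.113.5 rcpt=sales@example.net result=ok
"""

LINE_RE = re.compile(r"client=(?P<ip>\S+) rcpt=(?P<rcpt>\S+) result=(?P<result>\w+)")

def summarize(log_text):
    """Per client IP, collect distinct recipients tried and distinct unknown ones."""
    stats = defaultdict(lambda: {"tried": set(), "unknown": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not recipient records
        entry = stats[m["ip"]]
        rcpt = m["rcpt"].lower()  # count case variants of one address once
        entry["tried"].add(rcpt)
        if m["result"] == "unknown_user":
            entry["unknown"].add(rcpt)
    return stats

def suspected_sources(log_text, min_unknown=5, min_ratio=0.8):
    """Return {ip: (unknown, tried)} for clients whose recipients are mostly
    nonexistent. Both thresholds are illustrative assumptions; a sender with
    one mistyped address stays below them."""
    flagged = {}
    for ip, e in summarize(log_text).items():
        unknown, tried = len(e["unknown"]), len(e["tried"])
        if unknown >= min_unknown and unknown / tried >= min_ratio:
            flagged[ip] = (unknown, tried)
    return flagged

if __name__ == "__main__":
    for ip, (unknown, tried) in suspected_sources(SAMPLE_LOG).items():
        print(f"{ip}: {unknown} of {tried} distinct recipients do not exist")
```

Counting distinct addresses rather than raw lines keeps retries of one bad address from inflating the score.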

