nanog mailing list archives

Re: Weird distributed spam attack


From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Wed, 20 Nov 2002 09:40:50 -0800 (PST)


Hi,

#Here is the kicker. I check where these are coming from, they
#are from all over the place. I check for IP address spoofing...
#not happening. No IP options or TCP options.
#
#This came from like about 300 different networks, and yes
#I don't accept source routing (IP Options).

In addition to thousands of open relays, which are bad enough in
their own right, there are also thousands of open proxy servers
which a growing number of spammers have been using to launch spam 
runs lately. I suspect that's what you're seeing. 

You can see some of the open proxy servers that we've seen traffic from at
http://darkwing.uoregon.edu/~joe/open-proxies-used-to-send-spam.html

If you aren't blocking traffic from open proxy servers via a DNS
blacklist, I predict that you will definitely see increasingly
aggressive spam attacks coming in from diverse locations (although 
the more you look at the problem, the easier it becomes to identify 
the handful of carriers who are open proxy-tolerant).

[I will also say that it would really be great if mail-abuse.org would
add an open proxy listing project to complement their RSS, DUL, and
other initiatives.]

Regards,

Joe
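
The DNS blacklist check recommended in the message above, as an added example that is not part of the original post: the connecting client's IPv4 octets are reversed, the list's zone is appended, and an A record in 127.0.0.0/8 means "listed". The zone name, the function names and the sample addresses are assumptions; the post does not name a specific open-proxy list.

```python
import ipaddress
import socket

# Hypothetical zone name: the post does not name a specific open-proxy list.
DNSBL_ZONE = "proxies.dnsbl.example"


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(client_ip)  # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name):
    """Return the A record for name, or None if the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN or resolver failure: treated as "no answer"


def check_client(client_ip, zone=DNSBL_ZONE, resolve=system_resolver):
    """Decide whether an SMTP client should be refused at connect time.

    Returns (listed, detail). Only answers inside 127.0.0.0/8 count as a
    listing; any other answer (for example a wildcarded or expired zone
    returning a public address) is ignored, so the check fails open.
    """
    answer = resolve(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return False, "not listed"
    if ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return True, f"listed ({answer})"
    return False, f"ignored non-127/8 answer {answer}"


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges) standing in for DNS.
    fake_zone = {
        "7.2.0.192.proxies.dnsbl.example": "127.0.0.2",
        "9.100.51.198.proxies.dnsbl.example": "203.0.113.10",
    }
    for ip in ("192.0.2.7", "198.51.100.9", "203.0.113.50"):
        print(ip, check_client(ip, resolve=fake_zone.get))
```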

