nanog mailing list archives
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
From: "David Keith" <dkeith () mgmtransport com>
Date: Thu, 9 Oct 2003 12:49:17 -0400
On Thursday, October 9, 2003, at 12:24 PM, Suresh Ramasubramanian wrote:
Nope - the guy would get more trojaned boxes, no shortage of unpatched windows machines on broadband.

There are two ways to go here -

* Nullroute or bogus out in your resolvers the DNS servers for this domain --> two problems here. One is that the spammer doesn't use vano-soft.biz in the smtp envelope, and second, he abuses open redirectors like yahoo's srd.yahoo.com
This may apply w/r/t something I've been seeing for the last couple of days. I've been seeing e-mails into our server with the following characteristics:

1). Sent to invalid user on our domain
2). Sent from varying origins; usually, groups of three arriving ~ every half hour
3). Origin IP on mostly home broadband networks in US
4). Frequently, purported sender's e-mail address non-US domain although originating from US domain, with the language of the e-mail text matching the purported sender's domain (lots of German spam...guess that's the current flavor).
5). Invalid user send-to addresses arriving in groups in alphabetical order (nice list processing)

It looks like person(s) responsible is using distributed network of trojaned pcs, varying send-to mail servers every 3 messages or so. This way, spam arrives at purported sender's address as undelivered mail bounce with our address in the SMTP envelope, in low enough volume (they hope) not to trigger filtering based on source IP.

I wonder about how long until legitimate mail servers start getting blackholed because of bounce messages?

David Keith
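One way a receiving mail admin could flag the pattern described in the message above: small bursts of unknown-user rejects, each from a different source IP, with recipients in alphabetical order. This is an added example, not part of the original post; the log format, sample lines, and thresholds (5-minute gap, bursts of at least 3) are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in a simplified, made-up log format (not a real MTA's).
SAMPLE_LOG = """\
2003-10-09T12:00:05 reject ip=192.0.2.10 from=<hans@example.de> to=<aaron@example.com> reason=user_unknown
2003-10-09T12:00:41 reject ip=198.51.100.23 from=<hans@example.de> to=<abby@example.com> reason=user_unknown
2003-10-09T12:01:12 reject ip=203.0.113.77 from=<hans@example.de> to=<adam@example.com> reason=user_unknown
2003-10-09T12:30:02 reject ip=192.0.2.44 from=<karl@example.de> to=<alan@example.com> reason=user_unknown
2003-10-09T12:30:30 reject ip=198.51.100.91 from=<karl@example.de> to=<albert@example.com> reason=user_unknown
2003-10-09T12:31:03 reject ip=203.0.113.5 from=<karl@example.de> to=<alice@example.com> reason=user_unknown
2003-10-09T12:45:00 reject ip=192.0.2.200 from=<bob@example.net> to=<zed@example.com> reason=user_unknown
"""

LINE_RE = re.compile(
    r"^(\S+) reject ip=(\S+) from=<([^>]*)> to=<([^@>]+)@[^>]*> reason=user_unknown$")

def parse_rejects(log_text):
    """Return sorted (time, source_ip, envelope_sender, rcpt_local_part) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4).lower()))
    return sorted(events)

def find_bursts(events, gap_seconds=300, min_size=3):
    """Split rejects into bursts at gaps > gap_seconds; return bursts matching the pattern."""
    bursts, current = [], []
    for ev in events:
        if current and (ev[0] - current[-1][0]).total_seconds() > gap_seconds:
            bursts.append(current)
            current = []
        current.append(ev)
    if current:
        bursts.append(current)
    flagged = []
    for b in bursts:
        rcpts = [e[3] for e in b]
        ips = {e[1] for e in b}
        # Assumed heuristic: all-distinct sources, recipients already in alphabetical order.
        if len(b) >= min_size and len(ips) == len(b) and rcpts == sorted(rcpts):
            flagged.append({"start": b[0][0], "sources": len(ips), "rcpts": rcpts})
    return flagged

if __name__ == "__main__":
    for hit in find_bursts(parse_rejects(SAMPLE_LOG)):
        print(hit["start"], hit["sources"], "sources", hit["rcpts"])
```

Per-source-IP rate limits never trip on this sample because no address appears twice; the signal only shows up when rejects are correlated across sources.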