Educause Security Discussion mailing list archives

Re: Strange spammer 'attack'


From: Guy Pace <gpace () SBCTC EDU>
Date: Wed, 20 Apr 2011 07:19:36 -0700

We are seeing it, too. My account is whitelisted, so I get it all. Earlier last night, most were sourced out of South America. Haven't gone through the hundreds this AM. Hoping that the spam catcher is working.

Guy L. Pace, CISSP 
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC) 
3101 Northup Way, Suite 100 
Bellevue, WA 98004 
425-803-9724 
gpace () sbctc edu 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pete Hickey
Sent: Wednesday, April 20, 2011 6:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Strange spammer 'attack'

It's coming from a botnet... tens of thousands of different IP addresses.

It's slow enough so that it does not noticeably disrupt our mail flow.

The To: is about 90% accurate.... seems like a regular spammer's list it's working from.

The From: is the interesting part.  All from yahoo.com and yahoo.com.uk.
The userid part is random... very random.... except for the part about mixed case and special characters, they would make hard-to-guess passwords.
Each one is used once or twice.  There are hundreds of thousands of them.

I'm guessing that they're trying to break our graylisting database.
Filling it with so much garbage that it overflows.  It's the only thing that makes sense to me.

Other ideas?


-- 
Pete Hickey                         
The University of Ottawa            "Everyone knows someone 
Ottawa, Ontario                      who knows someone else"
Canada                            

