Honeypots mailing list archives

Re: Scans are way up, attacks are down??


From: Chris Paul <chris.paul () rexconsulting net>
Date: Thu, 28 Aug 2003 11:50:19 -0700

Need more info from you:

Which RBL?
Who's putting the X-RBL-Warning? (Sendmail or Exim)?

You see, I don't use these RBLs directly. I use a hybrid of SA (which calls RBLs and other sources for scoring) in combination with grey-listing.

Very effective.

Anyhow, to answer your one question re home-spammers, yes there is specifically one RBL (the DUN) and that is precisely "Dial-Up Networking" users, or as I called them, "home spammers", reasoning these are jerks who bought some software that they use from home to spam from their dial-up ISP accounts.

Of course, back to my original point, to correct myself a little, it really isn't known if home users got hit more or less than corporate/large organization. Because non-home networks as we all know got hit bad by this recent rash of various worms well indeed.

CP

On Thu, 28 Aug 2003 10:58:12 +0100
"lsi" <stuart () cyberdelix net> wrote:

Hi Chris,

A msg is counted as spam if it contains a line which starts with

X-RBL-Warning: 

...which is of course the headerline inserted by the RBL anti-spam 
network.

Home-based spammers aren't likely to be on the RBL, are they?

Stuart

On 27 Aug 2003 at 9:52, Chris Paul wrote:

Date sent:            Wed, 27 Aug 2003 09:52:44 -0700
From:                 Chris Paul <chris.paul () rexconsulting net>
To:                   stuart () cyberdelix net
Copies to:            honeypots () securityfocus com
Subject:              Re: Scans are way up, attacks are down??

On Wed, 27 Aug 2003 09:45:42 +0100
"lsi" <stuart () cyberdelix net> wrote:

John, 

What I noticed is that as the SoBig virus went up, the number of spams I received went down. 

See chart here: http://cyberdelix.net/media/spamtrak.gif

The lowest dip is August 15, 3 days before Sobig. 

Does this mean BOFHs stop spamming because they are configuring their viruses???


Perhaps some of the home-spammers got hit with the virus. Easily could explain part of it. Depends on what you mean by spam.

CP



-- 
Chris Paul
Rex Consulting - Messaging and Security Solutions
+1 831.338.7712
Key fingerprint = 588A 289C ADE2 08F9 050B  D2A0 DDA4 331D C61B DFD1




-- 
Stuart Udall
stuart () cyberdelix net - http://www.cyberdelix.net/
..revolution through evolution

want to make some cash? check out http://cyberdelix.net/affiliates.htm



-- 
CP
--
Chris Paul
Rex Consulting - Messaging and Security Solutions
+1 831.338.7712
Key fingerprint = 588A 289C ADE2 08F9 050B  D2A0 DDA4 331D C61B DFD1
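
The counting rule discussed in the thread (a message is tallied as spam when it carries an X-RBL-Warning line), as an added example that is not code from either poster. It compares the literal "any line starts with" rule against a real header lookup and produces per-day tallies; the function names, sample messages and warning text are constructed for illustration.

```python
import email
from collections import Counter
from email.utils import parsedate_to_datetime

# Constructed sample messages (not from the thread); warning text is a placeholder.
SAMPLES = [
    "Date: Thu, 14 Aug 2003 08:00:00 +0100\nSubject: offer\n"
    "X-RBL-Warning: (constructed placeholder text)\n\nbuy now\n",
    # Legitimate mail that merely quotes the header line in its body.
    "Date: Thu, 14 Aug 2003 09:30:00 +0100\nSubject: re: chart\n\n"
    "The filter adds this line:\nX-RBL-Warning: quoted in the body\n",
    "Date: Fri, 15 Aug 2003 07:15:00 +0100\nSubject: hello\n\nlunch?\n",
    # Same header written in lower case by a different (hypothetical) MTA.
    "Date: Fri, 15 Aug 2003 23:59:00 +0100\nSubject: pills\n"
    "x-rbl-warning: (constructed placeholder text)\n\ncheap\n",
]

def naive_is_flagged(raw):
    """Literal rule: any line of the raw message starts with the header name."""
    return any(line.startswith("X-RBL-Warning:") for line in raw.splitlines())

def is_flagged(raw):
    """Header-aware rule: only the header section counts, name is case-insensitive."""
    return email.message_from_string(raw).get("X-RBL-Warning") is not None

def daily_counts(raw_messages, classifier=is_flagged):
    """Return {ISO date: (flagged, total)} keyed by the Date header's own date."""
    flagged, total = Counter(), Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        day = parsedate_to_datetime(msg["Date"]).date().isoformat()
        total[day] += 1
        if classifier(raw):
            flagged[day] += 1
    return {day: (flagged[day], total[day]) for day in sorted(total)}

if __name__ == "__main__":
    for name, fn in (("naive", naive_is_flagged), ("header", is_flagged)):
        print(name, daily_counts(SAMPLES, fn))
```

The two rules disagree on the quoted-body message and on the lower-case header, so the same mailbox yields different daily curves depending on how the match is done.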

