Mailing List CGatePro@mail.stalker.com Message #97197
From: Wiley Sanders <wms2@stmarys-ca.edu>
Subject: Re: Re: Spam sent by rooms full of clones using a web browser?
Date: Wed, 04 Feb 2009 10:16:42 -0800
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Thanks for the replies. What's hilarious is that the spammers put the outgoing spam in the signature, and change the From: address in the web interface, so our poor phished users continue to send out their OWN, legit email under the name of some deposed Nigerian minister, and to add insult to injury the spam is attached.

We have rate limiting in place; our old version of CG won't let us rate limit on a per-account basis, only globally. (I've been working on getting downtime to upgrade.) I've been rate limiting to three messages every three min; it's catching a few legitimate users, and *not* catching the HTTP spammers, who wait between sends, either bot or human, so I might as well up it to five every three. However, it does save us from the massive attacks via AUTH RELAY that can send out 75,000+ messages per hour from a single account if not throttled.

The HTTP attacks also seem to come one at a time from a single IP address, and I have a crude IDS that consists of a script that blackholes the originating IP address when it detects a source.

-w
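
The pacing effect described in the message above, as an added example that is not part of the original post: a sliding-window limiter replayed over constructed send attempts, with the three-messages-per-three-minutes setting applied once globally and once per account. The account names, timings and the `replay` helper are assumptions for illustration and do not reflect how CommuniGate Pro implements its limits.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` accepted messages per `window` seconds, per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.accepted = defaultdict(deque)  # key -> timestamps of accepted sends

    def allow(self, key, now):
        q = self.accepted[key]
        while q and now - q[0] >= self.window:  # drop sends that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def replay(events, limit=3, window=180, per_account=True):
    """Replay (seconds, account) send attempts; return rejected count per account."""
    limiter = SlidingWindowLimiter(limit, window)
    rejected = defaultdict(int)
    for ts, account in sorted(events):
        key = account if per_account else "*"  # "*" = one shared global bucket
        if not limiter.allow(key, ts):
            rejected[account] += 1
    return dict(rejected)

def sample_events():
    """Constructed one-hour traffic sample (not real logs)."""
    events = [(t, "relay-victim") for t in range(300)]             # 1 msg/s burst
    events += [(t, "webmail-victim") for t in range(0, 3600, 61)]  # paced sender
    events += [(1000 + 20 * i, "legit-user") for i in range(4)]    # 4 quick mails
    return events

if __name__ == "__main__":
    ev = sample_events()
    print("global     :", replay(ev, per_account=False))
    print("per account:", replay(ev, per_account=True))
```

In the per-account replay the sender pacing one message every 61 seconds is never rejected, while the burst is throttled and the legitimate user loses only the fourth quick message.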
