Mailing List SIMS@mail.stalker.com Message #15523
From: billc <billc_lists@greenbuilder.com>
Subject: Re: dictionary
Date: Tue, 14 Aug 2007 17:03:52 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 10:06 AM -0400 8/14/07, Bill Cole wrote:
At 11:38 PM -0500 8/13/07, billc imposed structure on a stream of electrons, yielding:
At 9:17 PM -0500 8/13/07, Lewis Butler wrote:
On Aug 13, 2007, at 9:03 AM, Charles Mangin wrote:
since i took over hosting, all of these dictionary-style spams have been going nowhere, being rejected out of hand with "<<< 550 Unrouteable address". i know i can't do anything more than ignore them and hope they will move on to some other target but... sheesh. six months? with nothing to show for it? you'd think there'd be some sort of list purging in all that time.

Well, you can do something about it, you can blacklist IP addresses that send too many bad messages where too many is a number you chose.

I wish that were true.  Recently the dictionary attacks are coming from completely unrelated IPs - you can sit there and watch the logs roll by and know that it's a dictionary attack, but none of the IPs match any other.  It's obviously a botnet or an IP spoofing scheme.

OUCH! You've pushed one of my buttons there....

In short: you can forget about IP spoofing as an explanation for anything based on TCP and involving a shotgun approach. Botnets of tens of thousands of cracked Windows machines are available for rent and provide a far more useful tool than spoofing for most such purposes.

Ok, sorry to push the button.  I figured it was most likely a botnet, but that a spoof was possible.  Now I know more.  Thanks as always for the tutorial.


Blacklists likely won't help much there.

Actually, they can. The Spamhaus Zen list (particularly the CBL and PBL components) does a pretty good job keeping up with compromised machines and the Spamcop BL has become a far better tool for such machines than it used to be, Ironport having apparently decided to turn it into a serious operational tool rather than a way for anti-spam activists to annoy big dumb ISPs. (as a professional mail admin who is also an anti-spam activist, I have some mixed feelings about that...)

Good to know that the zen rbl is tracking compromised boxes.


I've also found that for small sites (anyone running SIMS today has to qualify) it is likely to be very helpful to handle your own local blacklist in a way that would be unsuitable for most public lists. For example, most small sites in the US could forbid all of 80-92.*, 210-211.*, and 122-125.* and never lose any legitimate mail.

Unless, as in our case, you happen to host a small but well connected research/consulting group with regular correspondence with places like China, Brazil, Eastern Europe, and other typical spam-source IP blocks.
--
Bill Christensen
<http://greenbuilder.com/contact/>

Green Building Professionals Directory: <http://directory.greenbuilder.com>
Sustainable Building Calendar: <http://www.greenbuilder.com/calendar/>
Green Real Estate: <http://www.greenbuilder.com/realestate/>
Straw Bale Registry: <http://sbregistry.greenbuilder.com/>
Books/videos/software: <http://bookstore.greenbuilder.com/>
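The thread above discusses two things a small site can do with its own logs: block a source that produces "too many bad messages" (a threshold the admin picks), and recognise that a botnet-driven dictionary attack spreads the same rejections across unrelated IPs so that no single source ever trips that threshold. The following is an added example, not code from the SIMS list or from any poster; the log line format is constructed for the example and is not SIMS's real log format, and the addresses are documentation ranges. It counts 5xx recipient rejections per source IP inside a sliding window, and also reports the site-wide rejection rate, which still rises during a distributed attack when the per-IP counter stays quiet.

```python
"""Per-source and site-wide SMTP rejection counters (added example).

Assumed log format (constructed, not SIMS's actual format):
    <ISO timestamp> <client IP> RCPT <recipient> <SMTP code> <text>
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r'^(\S+) (\d+\.\d+\.\d+\.\d+) RCPT \S+ (\d{3}) .*$')

# Constructed sample: one host probing six addresses in under two minutes.
SINGLE_SOURCE_LOG = [
    "2007-08-13T21:00:00 192.0.2.10 RCPT aaron@example.com 550 Unrouteable address",
    "2007-08-13T21:00:15 192.0.2.10 RCPT abby@example.com 550 Unrouteable address",
    "2007-08-13T21:00:30 192.0.2.10 RCPT abel@example.com 550 Unrouteable address",
    "2007-08-13T21:00:45 192.0.2.10 RCPT abram@example.com 550 Unrouteable address",
    "2007-08-13T21:01:00 192.0.2.10 RCPT ada@example.com 550 Unrouteable address",
    "2007-08-13T21:01:15 192.0.2.10 RCPT adam@example.com 550 Unrouteable address",
    "2007-08-13T21:02:00 203.0.113.5 RCPT bill@example.com 250 OK",
]

# Constructed sample: the same probe, one address per bot in a botnet.
DISTRIBUTED_LOG = [
    "2007-08-13T21:00:00 198.51.100.1 RCPT aaron@example.com 550 Unrouteable address",
    "2007-08-13T21:00:15 198.51.100.2 RCPT abby@example.com 550 Unrouteable address",
    "2007-08-13T21:00:30 198.51.100.3 RCPT abel@example.com 550 Unrouteable address",
    "2007-08-13T21:00:45 198.51.100.4 RCPT abram@example.com 550 Unrouteable address",
    "2007-08-13T21:01:00 198.51.100.5 RCPT ada@example.com 550 Unrouteable address",
    "2007-08-13T21:01:15 198.51.100.6 RCPT adam@example.com 550 Unrouteable address",
    "2007-08-13T21:02:00 203.0.113.5 RCPT bill@example.com 250 OK",
]


def parse(lines):
    """Turn log lines into (timestamp, client IP, SMTP code); skip unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events


def max_in_window(stamps, window_seconds):
    """Largest number of timestamps that fall inside any span of window_seconds."""
    stamps = sorted(stamps)
    best = 0
    start = 0
    for end in range(len(stamps)):
        while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_sources(events, threshold, window_seconds):
    """Map IP -> peak rejection count for IPs with >= threshold 5xx replies in a window.

    This is the 'too many bad messages' rule: the caller picks threshold and window.
    """
    per_ip = defaultdict(list)
    for ts, ip, code in events:
        if 500 <= code < 600:
            per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        peak = max_in_window(stamps, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def site_reject_rate(events, window_seconds):
    """Peak 5xx rejections in any window regardless of source IP.

    A distributed dictionary attack shows up here even when no single IP is flagged.
    """
    return max_in_window([ts for ts, _, code in events if 500 <= code < 600], window_seconds)


if __name__ == "__main__":
    for name, log in (("single source", SINGLE_SOURCE_LOG), ("distributed", DISTRIBUTED_LOG)):
        ev = parse(log)
        print(name, "flagged:", flag_sources(ev, 5, 600),
              "site-wide peak:", site_reject_rate(ev, 600))
```

With a threshold of 5 rejections per 10 minutes the single host is flagged at once, while the distributed log flags nobody even though the site-wide peak is identical. The second number is the one worth alerting on for the botnet case; what to do with it (public DNSBL lookups, temporary deferral of unknown recipients) is a separate policy decision, not something this counter makes for you.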