North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Distributed Dictonary email slam
We are secondary mx for a specific domain that has been hammered since friday night. We've accumulated literally thousands of email messages in our queue while the primary mx at the customer site is out of service yet again. In looking at the queue it appears that it's one heck of a dictionary based slam. Interesting thing about this is that it is distributed.. entire dictionary destination addresses such as email@example.com come from one host (apparently with a trojan on it or otherwise) while firstname.lastname@example.org come from yet a different host.. and so on down the alphabet all the while constantly changing source hosts.. Now being as we are a secondary mx I'm dropping their record out of our email system as I write this, however, I am curious if other have gone through or are currently going through something of this magnitude (12K spam/dictionary msgs per hour destined to one domain and that's just what is getting past the blacklist checks). Normally I see my spam block daemon at around 10 - 15 concurrent requests.. right now it's tearing along at around 160 - 180 concurrent bad connections.
And of course a few suggestions to mitigate this would be appreciated.. I currently employ multiple blacklists such as spamcop.net, abuseat.org, spews level 1 and 2, and spamhaus, plus my own blocklists for china and korea to check on incoming email source addresses.