More SPAM?

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Fri Nov 7 15:06:57 GMT 2003


Hi,

We've had those compromised Windows also and it really put a high load
(and big backlog) on our MS servers.

I wrote a Perl script that watches my maillog every 5 minutes (root's
crontab) and if there are more than 80% of incoming mail from one IP
address it blocks it in ipchains/iptables, stops MS and sendmail,
removes all undelivered mail containing that IP address from the spool
directories, restarts MS (and sendmail) and sends an email to our
security group about it.

It works fine on our RH 7.3 and 9 systems.

If anyone is interested, I can post it.

Denis
On Fri 07/11/2003 at 09:43, Jeff A. Earickson wrote:
> Hi,
> I too have noticed that a lot more spam is getting thru in the
> past month or two (my setup: RBL+, spamcop, spamhaus, local lists
> for sendmail RBL; SA 2.60 and razor within MS 4.24-5; more procmail
> rules downstream via junkfilter).
> 
> One trend that I find alarming is spam trojans that get installed on
> Windoze desktop clients when people click on these "free" downloads
> from porn sites.  We have had a half-dozen machines on campus this
> semester that have had trojans that spew spam to the world.  The remote
> spammers connect to their trojans via irc or http, and then dump the
> stuff either directly back out or via our mail server.  They can move a
> lot of email this way real quick, from lots of machines, and it is hard
> to stop.  When we get a report from spamcop or other victims, we have to kill
> the port connection and block the MAC address in DHCP when we can
> find the machine.  Laptops drive us nuts with this problem.
> 
> Our Windoze guru carefully examined one student machine that we
> kept having problems with (XP, fully patched, NO password set, doh!).
> Two randomly named dlls kept appearing in the process list after bootup.
> These guys could not be shut down, unloaded, permissions changed, nothing;
> not even when booted in safe mode.  We couldn't even ftp them off
> the box to examine them elsewhere (always "text busy").  If their
> registry keys were removed, they came right back.
> 
> If we put this box on a network with a sniffer running, we would see
> a short (encrypted) http connection coming from someplace in Eastern
> Europe a few minutes later, followed shortly thereafter by connections
> from all over the planet, and then the thing would start spewing spam
> bigtime.
> 
> This hack was a real professional piece of work.  We wanted to poke
> more, but the student wanted his machine back.  He had to reformat the
> hard drive and reinstall the OS before we let him back on the network.
> 
> I think this is the direction spam is going -- lots of hijacked
> PCs, very distributed spam output.  True criminal activity by pros. Ugh.
> 
> --- Jeff Earickson
>     Colby College
> 
> On Fri, 7 Nov 2003, Devon Harding - GTHLA wrote:
> 
> > Date: Fri, 7 Nov 2003 09:09:59 -0500
> > From: Devon Harding - GTHLA <DHarding at GILATLA.COM>
> > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: More SPAM?
> >
> > I thought I was the only one.  The SPAM has increased drastically in
> > these last two months.
> >
> > Currently running MS 4.23-5 and SA 2.60
> >
> > What can be done to reduce incoming spam?
> >
> > -Devon
> >
> > -----Original Message-----
> > From: Errol Neal [mailto:sysadmins at ENHTECH.COM]
> > Sent: Thursday, November 06, 2003 10:13 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: More SPAM?
> >
> > Is it just me, or has anyone else been having more spam make it through
> > the MailScanners recently?
> >
> >
> > Errol Neal
> >
-- 
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
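Denis describes the detection half of his cron job above but does not post the script. The following is an added illustration (not his Perl, and not MailScanner code): it parses constructed sendmail maillog lines, counts accepted messages per relay IP over one polling window, and flags an IP that accounts for more than 80% of them; the response steps he lists (firewall block, spool cleanup, restarting MailScanner and sendmail, notifying the security group) are left to the operator.

```python
import re
from collections import Counter

# Matches a sendmail "from=" (message accepted) line and captures the relay IP,
# whether logged as "relay=host [1.2.3.4]" or "relay=[1.2.3.4]".
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: \w+: from=<[^>]*>.*relay=(?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]"
)


def _line(ts, qid, sender, relay):
    """Build one constructed maillog line in sendmail's format (sample data only)."""
    return (f"Nov  7 {ts} mail sendmail[2101]: {qid}: from=<{sender}>, size=1024, "
            f"class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay={relay}")


# Constructed sample: two ordinary senders, nine messages from one host, and a
# delivery ("to=") line that the from= filter must ignore.
SAMPLE_MAILLOG = "\n".join(
    [_line("14:55:01", "hA7Jt1xa002101", "alice@example.org", "mx.example.org [198.51.100.7]"),
     "Nov  7 14:55:02 mail sendmail[2103]: hA7Jt1xa002101: to=<carol@example.org>, "
     "delay=00:00:01, mailer=local, stat=Sent",
     _line("14:55:05", "hA7Jt5xb002102", "bob@example.com", "mail.example.com [203.0.113.9]")]
    + [_line(f"14:56:{i:02d}", f"hA7Ju{i}xc0021{i:02d}", f"offer{i}@example.net", "[192.0.2.44]")
       for i in range(9)]
)


def count_senders(log_text):
    """Count accepted messages per relay IP over the lines given (one cron window)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def find_flooding_ip(log_text, threshold=0.8, min_messages=10):
    """Return (ip, count, total) if one relay IP exceeds `threshold` of all
    accepted mail in the window, else None.  `min_messages` keeps a quiet
    window (two messages, both from one host) from tripping the alarm."""
    counts = count_senders(log_text)
    total = sum(counts.values())
    if total < min_messages:
        return None
    ip, n = counts.most_common(1)[0]
    return (ip, n, total) if n / total > threshold else None


if __name__ == "__main__":
    print(find_flooding_ip(SAMPLE_MAILLOG))  # constructed sample flags 192.0.2.44
```

In production the window would be the last five minutes of /var/log/maillog rather than the whole file, and a local relay or trusted upstream MX should be whitelisted before acting on the result.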