More SPAM?
Denis Beauchemin
Denis.Beauchemin at USHERBROOKE.CA
Mon Nov 10 19:51:15 GMT 2003
Hello everyone,
David While has put my script on his website. It is complete with a
discussion board.
Great job David.
It is at:
http://www.while.homeunix.net/spamstorm
Denis
On Fri 07/11/2003 at 10:06, Denis Beauchemin wrote:
> Hi,
>
> We've had those compromised Windows also and it really put a high load
> (and big backlog) on our MS servers.
>
> I wrote a Perl script that watches my maillog every 5 minutes (root's
> crontab) and if there are more than 80% of incoming mail from one IP
> address it blocks it in ipchains/iptables, stops MS and sendmail,
> removes all undelivered mail containing that IP address from the spool
> directories, restarts MS (and sendmail) and sends an email to our
> security group about it.
>
> It works fine on our RH 7.3 and 9 systems.
>
> If anyone is interested, I can post it.
>
> Denis
> On Fri 07/11/2003 at 09:43, Jeff A. Earickson wrote:
> > Hi,
> > I too have noticed that a lot more spam is getting thru in the
> > past month or two (my setup: RBL+, spamcop, spamhaus, local lists
> > for sendmail RBL; SA 2.60 and razor within MS 4.24-5; more procmail
> > rules downstream via junkfilter).
> >
> > One trend that I find alarming is spam trojans that get installed on
> > Windoze desktop clients when people click on these "free" downloads
> > from porn sites. We have had a half-dozen machines on campus this
> > semester that have had trojans that spew spam to the world. The remote
> > spammers connect to their trojans via irc or http, and then dump the
> > stuff either directly back out or via our mail server. They can move a
> > lot of email this way real quick, from lots of machines, and it is hard
> > to stop. When we get a report from spamcop or other victims, we have to kill
> > the port connection and block the MAC address in DHCP when we can
> > find the machine. Laptops drive us nuts with this problem.
> >
> > Our Windoze guru carefully examined one student machine that we
> > kept having problems with (XP, fully patched, NO password set, doh!).
> > Two randomly named dlls kept appearing in the process list after bootup.
> > These guys could not be shut down, unloaded, permissions changed, nothing;
> > not even when booted in safe mode. We couldn't even ftp them off
> > the box to examine them elsewhere (always "text busy"). If their
> > registry keys were removed, they came right back.
> >
> > If we put this box on a network with a sniffer running, we would see
> > a short (encrypted) http connection coming from someplace in Eastern
> > Europe a few minutes later, followed shortly thereafter by connections
> > from all over the planet, and then the thing would start spewing spam
> > bigtime.
> >
> > This hack was a real professional piece of work. We wanted to poke
> > more, but the student wanted his machine back. He had to reformat the
> > hard drive and reinstall the OS before we let him back on the network.
> >
> > I think this is the direction spam is going -- lots of hijacked
> > PC's, very distributed spam output. True criminal activity by pros. Ugh.
> >
> > --- Jeff Earickson
> > Colby College
> >
> > On Fri, 7 Nov 2003, Devon Harding - GTHLA wrote:
> >
> > > Date: Fri, 7 Nov 2003 09:09:59 -0500
> > > From: Devon Harding - GTHLA <DHarding at GILATLA.COM>
> > > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: More SPAM?
> > >
> > > I thought I was the only one. The SPAM has increased drastically in
> > > these last two months.
> > >
> > > Currently running MS 4.23-5 and SA 2.60
> > >
> > > What can be done to reduce incoming spam?
> > >
> > > -Devon
> > >
> > > -----Original Message-----
> > > From: Errol Neal [mailto:sysadmins at ENHTECH.COM]
> > > Sent: Thursday, November 06, 2003 10:13 AM
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: More SPAM?
> > >
> > > Is it just me, or has anyone else been having more spam make it through the
> > > MailScanners recently?
> > >
> > >
> > > Errol Neal
> > >
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
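Denis's quoted reply describes the detection rule of his Perl script: if one IP address accounts for more than 80% of the incoming mail seen in the maillog, that IP is treated as a spam-spewing host. The following is an added example, not Denis's script, written in Python rather than Perl; it applies that rule to constructed sendmail-style maillog lines and assumes the 2003-era `from=`/`relay=` line layout, a placeholder internal IP (192.0.2.77), and a minimum message count so the rule does not fire on a quiet window.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Sendmail "from=" envelope line; captures the queue ID and the IP in the relay= field.
# Written for the 2003-era sendmail log layout (an assumption; adapt to your MTA).
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<[^>]*>.*relay=\S*\s*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

def count_inbound_by_ip(lines: Iterable[str], ignore=("127.0.0.1",)) -> Counter:
    """Count inbound messages per relay IP, once per queue ID, skipping local re-injection."""
    seen, counts = set(), Counter()
    for line in lines:
        m = FROM_LINE.search(line)
        if not m or m["ip"] in ignore or m["qid"] in seen:
            continue
        seen.add(m["qid"])
        counts[m["ip"]] += 1
    return counts

def find_dominant_sender(lines: Iterable[str], threshold: float = 0.80,
                         min_messages: int = 20) -> Optional[dict]:
    """Return the IP behind more than `threshold` of inbound mail, else None.
    min_messages is an added guard: in a quiet window one legitimate sender
    can exceed 80% on its own, so the rule only fires on enough messages."""
    counts = count_inbound_by_ip(lines)
    total = sum(counts.values())
    if total < min_messages:
        return None
    ip, n = counts.most_common(1)[0]
    share = n / total
    if share <= threshold:
        return None
    # What to do next (firewall rule, queue cleanup, alert) is the operator's call.
    return {"ip": ip, "count": n, "total": total, "share": share}

def make_sample_log() -> list:
    """Constructed maillog excerpt: desktop 192.0.2.77 (placeholder) floods the server."""
    tmpl = ("Nov 10 14:{m:02d}:05 mail sendmail[{pid}]: hAAJ{i:02d}x0{pid}: "
            "from=<b{i}@example.org>, size=2310, class=0, nrcpts=12, "
            "msgid=<{i}@example.org>, proto=SMTP, daemon=MTA, relay={relay}")
    lines = [tmpl.format(m=i, pid=30000 + i, i=i, relay="[192.0.2.77]") for i in range(25)]
    for i, relay in enumerate(["mx.example.net [198.51.100.4]", "[203.0.113.9]",
                               "smtp.example.com [203.0.113.9]"], start=25):
        lines.append(tmpl.format(m=i, pid=30000 + i, i=i, relay=relay))
    lines.append("Nov 10 14:28:06 mail sendmail[30001]: hAAJ01x030001: to=<u@example.edu>, stat=Sent")
    lines.append(tmpl.format(m=29, pid=30029, i=29, relay="localhost [127.0.0.1]"))  # ignored
    return lines
```

On the constructed excerpt the placeholder desktop is reported with 25 of 28 inbound messages (about 89%), while a ten-line slice of the same log returns nothing because it is below the minimum count.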