Heavy increase in spam influx this week?
Kai Schaetzl
maillists at conactive.com
Fri Aug 31 09:18:13 IST 2007
Matt Kettler wrote on Thu, 30 Aug 2007 16:48:46 -0400:
> My guess is this is the botnet resulting from the storm worm variants going into
> action.
Ah, that's it. I figured as well it might be some new botnet, but I'm not well
informed about what's currently du jour in that world. I barely saw any of
that postcard spam, but now they come back at me from a different angle.
> I've been noticing a lot of activity too. For the first time ever my sendmail
> actually hit my confMAX_DAEMON_CHILDREN limit.
Same here. I get an SMS when my servers reach certain thresholds, and the night before
last night I got one almost every hour before I took measures to up the processes
and reduce the backlog of hanging bots. It's the worst onslaught of spam I have
seen yet, with the exception of backscatter on some single servers.
> A lot of them seem to be "hanging around" in the command read state, so I added
> a confTO_COMMAND limit of 10 minutes (default is 1 hour). Yes, I know you have
> to be careful shortening this, but 10 minutes between SMTP commands is still
> pretty reasonable, and hopefully will help my server shed these dead connections.
I think that's still very reasonable. I'm running with 1m on some newer servers
(also for most other TO_ values) and haven't seen any problems with this for
months. After all, if commands or data sending take that long there's something wrong
with the connection, anyway. After I changed those values on the most-hit older
servers the figures of steadily connected bots plunged. It makes a huge difference.
My Postfix machines still suffer from the backlog of bots, as I haven't checked yet
if Postfix provides similar time-out options. Does anyone know?
These bots send about five or ten mails to the same single address, but all with a
different sender. And they keep coming back quickly even when they were rejected.
It looks as if they want to brute-force the mail delivery by overwhelming the spam
protection.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
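Added example, not part of the original post: a small Python check for the pattern described above, where one client sends several mails to the same single address, each with a different sender. The record layout, the sample lines, the function names and the 10-minute window are assumptions made for illustration; the threshold of 5 senders follows the figure in the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (NOT real sendmail/Postfix log syntax):
# ISO timestamp, client IP, envelope sender, envelope recipient, SMTP result.
SAMPLE_LOG = """\
2007-08-30T22:01:05 192.0.2.10 aa@example.net info@example.org reject
2007-08-30T22:01:40 192.0.2.10 bb@example.com info@example.org reject
2007-08-30T22:02:15 192.0.2.10 cc@example.net info@example.org reject
2007-08-30T22:03:02 192.0.2.10 dd@example.com info@example.org reject
2007-08-30T22:03:50 192.0.2.10 ee@example.net info@example.org reject
2007-08-30T22:02:00 198.51.100.7 list@example.com kai@example.org accept
2007-08-30T22:20:00 198.51.100.7 list@example.com info@example.org accept
2007-08-30T22:05:00 203.0.113.5 x1@example.net sales@example.org reject
2007-08-30T23:30:00 203.0.113.5 x2@example.net sales@example.org reject
"""

def parse(text):
    """Yield (time, client_ip, sender, recipient, result) per well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guessing
        ts, ip, sender, rcpt, result = fields
        yield datetime.fromisoformat(ts), ip, sender.lower(), rcpt.lower(), result

def rotating_sender_clients(text, min_senders=5, window=timedelta(minutes=10)):
    """Return {(client_ip, recipient): sorted senders} for pairs where at least
    min_senders distinct senders appear within one sliding time window."""
    events = defaultdict(list)
    for ts, ip, sender, rcpt, _result in parse(text):
        events[(ip, rcpt)].append((ts, sender))
    flagged = {}
    for key, seen in events.items():
        seen.sort()  # order by timestamp so the window can slide forward
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # drop events that fell out of the window
            senders = {s for _, s in seen[start:end + 1]}
            if len(senders) >= min_senders:
                flagged[key] = sorted(senders)
                break
    return flagged

if __name__ == "__main__":
    for (ip, rcpt), senders in rotating_sender_clients(SAMPLE_LOG).items():
        print(f"{ip} -> {rcpt}: {len(senders)} distinct senders")
```

Rejected attempts are counted as well as accepted ones, since the post notes that the bots keep coming back even after being rejected.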