Great Circle Associates List-Managers
(March 1997)
 


Subject: Current Spam sources...
From: Chuq Von Rospach <chuqui @ plaidworks . com>
Date: Sat, 22 Mar 1997 17:05:59 -0800
To: list-managers @ greatcircle . com, listmom-talk @ skyweyr . com

Okay, I've spent some serious time in my logs and backtracking the
current spam attacks (which are still on-going, by the way. One
interesting note is that some/many of the people being attacked are
being attacked repeatedly, especially the people from engr.csulb.edu.)

So far, in the current attack which started within the last week or so,
I've identified about 25 different accounts being attacked. Some once,
some many times, some with only a couple of subscriptions on my site,
some with "many".

So far, ALL of the spam I've seen has originated from one of four places:

nlights.net
*dial-access.att.net
oscva.orbital.com
iglou.com

The dial-access.att.net is starred because the spam is coming from all
sorts of different dialup addresses located in various states, not one
dialup location.

From what I can tell, it's one, maybe two people. They operate from
different accounts, not staying on any one any length of time, and
sometimes seem to be coming from two at once. I'm guessing they're
hacked into these places and coming from some OTHER place... ALL of the
spamming, and there's a lot of it, is originating from these four
places, at least on my servers, and if you have the ability to filter
on Received lines before it gets to your daemon, you should be able to
filter them out of your command stream and make them disappear, at least
until they change locations again. There are certain patterns to their
postings that make it easy to find once you look for them, but I
haven't quite found a way to automate the search yet....

On top of that, while I was grubbing through logs, I found a couple of
isolated spams not related to these that came from

	ouhub.moa.net

And I'm getting what MIGHT be some spam, or might be something I don't
quite understand, from:

	sikkim.cloud9.net

They seem to have some kind of web interface that might be legit, might
be not, but which definitely was used to spam a couple of users, so I
backtracked it, cleared out the other users that were put in via that
interface, and stuffed a block on it. Going to their home page doesn't
tell me a damn thing about what's going on on the site, so I'm curious
but right now, I'll be paranoid, too.

That's what I've found here. As of right now, I have these addresses
blocked out of my input stream, so they can spam away. In fact, they
have been most of the afternoon.. (grin).

chuq


--
         Chuq Von Rospach (chuq@apple.com) Apple IS&T Mail List Gnome
                       <http://www.solutions.apple.com/>

 Plaidworks Consulting (chuqui@plaidworks.com) <http://www.plaidworks.com/>
   (<http://www.plaidworks.com/hockey/> +-+ The home for Hockey on the net)
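
The Received-line filtering described in the message above, as an added example (not code from the original post or its author): it extracts host names from every Received header and checks them against the four source domains the message lists before the mail reaches the list daemon. The function names, the sample message and its example.org hosts and addresses are constructed for illustration.

```python
import re
from email import message_from_string

# The four source domains listed in the message. The starred entry there
# (*dial-access.att.net) means any dialup host under that domain.
BLOCKED_DOMAINS = ("nlights.net", "dial-access.att.net",
                   "oscva.orbital.com", "iglou.com")

# Host-like tokens: dotted labels ending in an alphabetic TLD. The lookbehind
# skips the domain part of e-mail addresses such as "for <user@host>".
HOST_RE = re.compile(
    r"(?<![\w.@-])((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,})(?![\w-])",
    re.IGNORECASE)

def received_hosts(raw_message):
    """Return every host name mentioned in the Received headers, top first."""
    hosts = []
    for value in message_from_string(raw_message).get_all("Received", []):
        # Unfold continuation lines and drop the trailing "; date" stamp.
        value = " ".join(value.split()).split(";", 1)[0]
        hosts.extend(h.lower() for h in HOST_RE.findall(value))
    return hosts

def blocked_relay(raw_message, blocked=BLOCKED_DOMAINS):
    """Return the first Received host in a blocked domain, else None."""
    for host in received_hosts(raw_message):
        # Match the domain itself or a subdomain, never a lookalike suffix.
        if any(host == d or host.endswith("." + d) for d in blocked):
            return host
    return None

# Constructed sample: a list command relayed through a dialup host.
SAMPLE = (
    "Received: from relay.example.org (relay.example.org [192.0.2.10])\n"
    "\tby lists.example.org with SMTP id AAA00001\n"
    "\tfor <majordomo@lists.example.org>; Sat, 22 Mar 1997 16:00:00 -0800\n"
    "Received: from ppp12.dial-access.att.net ([192.0.2.77])\n"
    "\tby relay.example.org with SMTP id BAA00002;\n"
    "\tSat, 22 Mar 1997 15:59:00 -0800\n"
    "From: someone@example.com\n"
    "To: majordomo@lists.example.org\n"
    "\n"
    "subscribe example-list\n")

if __name__ == "__main__":
    print(blocked_relay(SAMPLE) or "deliver to list daemon")
```

Only the Received line written by your own server is reliable; earlier ones are supplied by the sending side, so a filter like this catches relays that do not disguise themselves.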




