DDoS Question

Folks,

I'm receiving about 25K spams per minute with this subject:

They randomize the name on the subject line. Is this any particular
virus/malware/zombie signature and any suggestion on how to defend
against it besides what I'm already doing (which is all of the
obvious, rbls, spam appliances, hot cocoa, etc.)?

This happened right around the time I started securing the name server
infrastructure with BIND upgrades and recursor/authoritative NS
splitting. :slight_smile:

Best,

Marty


> They randomize the name on the subject line. Is this any particular
> virus/malware/zombie signature and any suggestion on how to defend
> against it besides what I'm already doing (which is all of the
> obvious, rbls, spam appliances, hot cocoa, etc.)?
>
> This happened right around the time I started securing the name server
> infrastructure with BIND upgrades and recursor/authoritative NS
> splitting. :slight_smile:

RBLs are only effective against perhaps 50% of spam traffic, because
so much of it comes from never-seen-before zombies. What appliances
are you running? You might want to look at some kind of edge email
traffic shaping layer.

Regards,
Ken

--
Ken Simpson
CEO, MailChannels

Fax: +1 604 677 6320
Web: http://mailchannels.com
MailChannels - Reliable Email Delivery (tm)

Did you check the source IP in the headers? My logs show that they are
coming from a buncha residential IP addresses, so it's prolly a bot
network doing it. Most of the messages going through our servers with
that have the domain lifeleaksfromyo.com in it, which is causing the
messages to fail in our servers. You can always try the RBL that lists a
lot of residential IPs in it... I think it's the PBL from Spamhaus. That
would help limit it, and blocking emails with the domain
lifeleaksfromyo.com.... Other than that I'm out of ideas. What spam
appliance are you using?

Raymond Corbin
HostMySite.com
877.215.4678

So that 'Curtis Blackman' is the only one getting SMTP through to Martin and his customers?

;>

Assuming nothing in the header which could be blocked by S/RTBH or ACLs (or a QoS policy), some of the various DDoS scrubbers available from different vendors may be able to deal with this via the anomalous TCP rates associated with these streams of spam, and/or regexp.

Raymond, all:

Thanks for all the responses, public and private. I did, and am,
watching the sources. It's uninteresting in terms of capability to act,
since it's spread out pretty widely and it's obviously difficult to
tell what will and will not cause collateral damage.

I'll capture some source traffic and put it out on the web for all the
researchers that replied looking for sample data. I think I can
probably pcap something that won't violate any privacy laws where this
is. In the meantime, here are some sources that are in the top tier of
connections:

3215 | 86.195.231.168 | AS3215 France Telecom - Orange
3269 | 87.19.141.208 | ASN-IBSNAZ TELECOM ITALIA
3320 | 84.148.13.150 | DTAG Deutsche Telekom AG
3320 | 84.148.13.150 | DTAG Deutsche Telekom AG
3320 | 84.148.13.150 | DTAG Deutsche Telekom AG
3320 | 84.148.13.150 | DTAG Deutsche Telekom AG
6746 | 89.136.159.120 | ASTRAL ASTRAL Telecom SA, Romania
7132 | 67.120.22.10 | SBIS-AS - AT&T Internet Services
9121 | 78.180.16.161 | TTNET TTnet Autonomous System
9121 | 85.108.127.90 | TTNET TTnet Autonomous System
9121 | 85.108.127.90 | TTNET TTnet Autonomous System
9121 | 85.108.127.90 | TTNET TTnet Autonomous System
10796 | 71.79.216.254 | SCRR-10796 - Road Runner HoldCo LLC
10796 | 71.79.216.254 | SCRR-10796 - Road Runner HoldCo LLC
19262 | 71.254.34.123 | VZGNI-TRANSIT - Verizon Internet Services Inc.
22773 | 64.58.163.237 | CCINET-2 - Cox Communications Inc.
25041 | 91.125.42.251 | BRIGHTVIEW-UK-AS Brightview Internet Services AS
35911 | 24.212.10.244 | BNQ-1 - Telebec
35911 | 24.212.10.244 | BNQ-1 - Telebec

> They randomize the name on the subject line. Is this any particular
> virus/malware/zombie signature

Nothing particularly new. The Bots have been pumping this one out
for at least a month, although the subject line has a few variations
besides just changing the name. I guess they just finally got around
to you.

> and any suggestion on how to defend
> against it besides what I'm already doing (which is all of the
> obvious, rbls, spam appliances, hot cocoa, etc.)?

See all the previous mail threads about ISPs not doing anything :slight_smile:

Stop the bots on your networks; work with people to stop the bots
on other networks; work with law enforcement to put the criminals
in prison.

In the meantime, continue to spend on resources for mail servers,
security appliances, and more blacklists.

I'm seeing 80%-90% of spam blocked by the Spamhaus ZEN list, which
includes the PBL for blocking home computers, infected or not.

Tony.
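Raymond's suggestion to check the source IPs against the Spamhaus PBL, Marty's per-ASN source list, and Tony's note on ZEN return codes all come down to the same mechanics: count connections per source, build the reversed-octet DNSBL query name, and act on the answer. The script below is an added example (not code from anyone in this thread). It uses a constructed sample in the thread's "ASN | IP | AS name" layout and a constructed, in-memory resolver in place of a real DNS query, so it runs offline; the `ZEN_ZONE`, `FAKE_ANSWERS` and `check_sources` names are this example's own.

```python
"""Added example: aggregate spam-source connections by IP and ASN, build
Spamhaus ZEN lookup names, and classify the answers. Not code from the
thread; all sample data and DNS answers below are constructed."""
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample in the "ASN | IP | AS name" layout used in the thread.
# A repeated line stands for another connection from the same source.
SAMPLE_SOURCES = """\
3320 | 84.148.13.150 | DTAG Deutsche Telekom AG
3320 | 84.148.13.150 | DTAG Deutsche Telekom AG
9121 | 85.108.127.90 | TTNET TTnet Autonomous System
9121 | 85.108.127.90 | TTNET TTnet Autonomous System
9121 | 78.180.16.161 | TTNET TTnet Autonomous System
7132 | 67.120.22.10 | SBIS-AS - AT&T Internet Services
"""

ZEN_ZONE = "zen.spamhaus.org"  # combined SBL + XBL + PBL zone

# Constructed answers standing in for real DNS lookups (hypothetical data).
FAKE_ANSWERS = {
    "150.13.148.84.zen.spamhaus.org": "127.0.0.11",  # PBL: dynamic/residential
    "90.127.108.85.zen.spamhaus.org": "127.0.0.4",   # XBL: known infected host
}


def parse_sources(text):
    """Return one (asn, ip, as_name) tuple per connection line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        asn, ip, name = (field.strip() for field in line.split("|", 2))
        rows.append((int(asn), str(IPv4Address(ip)), name))
    return rows


def connections_per_asn(rows):
    """How many connections each origin AS accounts for."""
    return Counter(asn for asn, _, _ in rows)


def connections_per_ip(rows):
    """How many connections each source address accounts for."""
    return Counter(ip for _, ip, _ in rows)


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """DNSBLs are queried by reversing the IPv4 octets under the list zone:
    84.148.13.150 -> 150.13.148.84.zen.spamhaus.org"""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_zen(answer):
    """Map a ZEN A-record answer to the sub-list it came from, using the
    documented Spamhaus return codes: 127.0.0.2-3 SBL, 127.0.0.4-7 XBL,
    127.0.0.10-11 PBL. None means NXDOMAIN, i.e. not listed."""
    if answer is None:
        return "not listed"
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    if last in (10, 11):
        return "PBL"
    return "unknown"


def check_sources(rows, resolve):
    """Classify every distinct source IP. `resolve` takes a query name and
    returns the answer string or None; here it is FAKE_ANSWERS.get."""
    return {ip: classify_zen(resolve(dnsbl_query_name(ip)))
            for ip in connections_per_ip(rows)}


def should_reject(verdict):
    """SMTP-time policy: refuse mail from hosts on any of the three lists."""
    return verdict in ("SBL", "XBL", "PBL")


if __name__ == "__main__":
    rows = parse_sources(SAMPLE_SOURCES)
    print("connections per ASN:", dict(connections_per_asn(rows)))
    for ip, verdict in check_sources(rows, FAKE_ANSWERS.get).items():
        action = "reject" if should_reject(verdict) else "accept"
        print(f"{ip:16} {dnsbl_query_name(ip):40} {verdict:11} {action}")
```

In production the `resolve` callable would be a real DNS query against the zone, and a query that times out must be treated as "not listed" rather than as a listing, otherwise a DNSBL outage turns into a self-inflicted mail outage.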


> RBLs are only effective against perhaps 50% of spam traffic, because
> so much of it comes from never-seen-before zombies.

> I'm seeing 80%-90% of spam blocked by the Spamhaus ZEN list, which
> includes the PBL for blocking home computers, infected or not.

Sorry, should have added, "Your Results May Vary" :slight_smile:

Raymond L. Corbin wrote:

> messages to fail in our servers. You can always try the rbl that lists a
> lot of residential IP's in it...i think it's the PBL from spamhaus. That
> would help limit it, and blocking emails with the domain

You'd have better luck with SORBS DUHL if you don't want to pay for Spamhaus data. (A peak of 192 messages/minute and an average of 4 messages per minute were considered excessive enough for my DSLs to be blocked by Spamhaus.) I would also suggest NJABL, as it used to list dynamics, except it is not listing just dynamics now, and it has merged into Spamhaus as the PBL. Of course Trend are now running what was MAPS, which is another pay-for service which is also useful.

Regards,

Mat