I figured I'd share this as there are some people interested in security etc and what goes on out on the net.
A month or so back one of our resellers won a tender for a mid-range firewall (Sonicwall Pro 3060). The site is a new site hosting multiple small sports-orientated organisations. The parent 'company' already uses our product in other locations. They installed the firewall about two weeks ago.
Anyhoo, last week one of these smaller orgs moved in and brought their IT in-house, including their email. On Monday morning I get a call from the reseller: their mail traffic has gone through the roof, and the Exchange box is dying under the pressure. They're doing 8Gb to 12Gb in email traffic a day. It happens I have an eval box of a Sonicwall ES-300 mail security appliance that was just returned to me.
So I get it out to the site Tuesday morning; it takes about 15 mins to configure and then we redirect the mail traffic through the ES-300. Immediately the CPU maxes out at 100%. The thing is processing so much spam that initial reports show a 3000:8 bad to good email ratio.
Come Thursday morning the reseller calls me with some issues still. So we log in remotely; by this time they'd installed the Sonicwall reporting software for the firewall (Viewpoint). These guys have a 10Mbps connection. The good news is they're down to 40Mb of email traffic an hour according to Viewpoint. The bad news is they're still getting 8000-14000 DHA attacks PER HOUR. I was expecting this: when a spam botnet points at you it takes about a week for it to learn you're no longer a 'soft target' and back off.
I drill down into Viewpoint: as at 10am on Thursday morning there had been just shy of 100,000 different IPs trying to send them email (remember this is only the first 10 hours of the day). They were receiving between 100-200 email connections per minute. There were also some attacks being directed at the mail server which the 3060 was happily nuking.
This poor little site is getting hammered by a spam botnet. The ES-300 is doing a great job, but we decided to take some load off it by blocking the entire Chinese and Russian subnet ranges for a week (they can't block permanently due to the Olympics coming up). But I figure it'll take a week for the spam botnet to back off (I've seen this before).
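As an added illustration (not part of the original post, and not code from Sonicwall, Viewpoint or the ES-300), here is how the two figures the post pulls out of the reporting tool, distinct source IPs per hour and DHA-style recipient probing, can be derived from a mail server's own SMTP log if you don't have an appliance doing it for you. The log format, the sample lines and the thresholds (5 distinct recipients in a 5 minute window, 80% of them rejected as unknown users) are all assumptions made up for this example; a directory harvest shows up as exactly that pattern, one client walking through guessed local parts and collecting the 550s.

```python
"""Directory-harvest-attack (DHA) detector over constructed SMTP log lines.

A DHA is one client hammering RCPT TO with guessed local parts to learn which
addresses exist. The tell-tale is many distinct recipients from one source in
a short window, most of them rejected as unknown users. Log format, sample
data and thresholds below are assumptions for this example, not a real
server's output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed, simplified one-line-per-RCPT format:
#   <ISO timestamp> client=<ip> rcpt=<address> status=<accepted|unknown_user>
SAMPLE_LOG = """\
2008-03-06T09:00:01 client=203.0.113.7 rcpt=alice@example.org status=accepted
2008-03-06T09:00:02 client=203.0.113.7 rcpt=aaron@example.org status=unknown_user
2008-03-06T09:00:02 client=203.0.113.7 rcpt=abby@example.org status=unknown_user
2008-03-06T09:00:03 client=203.0.113.7 rcpt=adam@example.org status=unknown_user
2008-03-06T09:00:03 client=203.0.113.7 rcpt=alan@example.org status=unknown_user
2008-03-06T09:00:04 client=203.0.113.7 rcpt=albert@example.org status=unknown_user
2008-03-06T09:00:10 client=198.51.100.9 rcpt=alice@example.org status=accepted
2008-03-06T09:00:11 client=198.51.100.9 rcpt=bob@example.org status=accepted
2008-03-06T09:00:20 client=192.0.2.33 rcpt=bob@example.org status=accepted
2008-03-06T09:00:21 client=192.0.2.33 rcpt=bobby@example.org status=unknown_user
2008-03-06T10:15:00 client=192.0.2.33 rcpt=carol@example.org status=accepted
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed datetime under 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_dha(records, window=timedelta(minutes=5), min_rcpts=5, min_reject_ratio=0.8):
    """Return {client_ip: (distinct_recipients, rejected)} for every client that,
    inside some sliding time window, probed at least min_rcpts distinct
    recipients with at least min_reject_ratio of its attempts rejected as
    unknown users. The widest offending window per client is reported."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)

    flagged = {}
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            rcpts = {r["rcpt"] for r in win}
            rejected = sum(1 for r in win if r["status"] == "unknown_user")
            if len(rcpts) >= min_rcpts and rejected / len(win) >= min_reject_ratio:
                if ip not in flagged or len(rcpts) > flagged[ip][0]:
                    flagged[ip] = (len(rcpts), rejected)
    return flagged


def distinct_clients_per_hour(records):
    """Count distinct source IPs per clock hour, the figure a reporting tool
    shows as 'different IPs trying to send you email'."""
    buckets = defaultdict(set)
    for r in records:
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[hour].add(r["client"])
    return {hour.isoformat(): len(ips) for hour, ips in sorted(buckets.items())}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, (n_rcpts, n_rej) in detect_dha(recs).items():
        print(f"DHA suspect {ip}: {n_rcpts} distinct recipients, {n_rej} rejected")
    for hour, n in distinct_clients_per_hour(recs).items():
        print(f"{hour}: {n} distinct sending IPs")
```

On the constructed data only 203.0.113.7 is flagged (6 recipients probed, 5 rejected); 192.0.2.33 gets one bounce, which is what an ordinary typo looks like, and is left alone. The reject ratio matters as much as the count: a legitimate mailing-list host also hits many distinct recipients in a short window, but they are mostly accepted. Feeding the flagged IPs into a firewall block list with an expiry is the per-source equivalent of the country-range block the post describes, and it expires on its own once the botnet backs off.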