On 31 Aug 2007, at 13:44, Chris Edwards wrote:
> Do you find the same zombie IPs re-connecting sufficiently often to
> make this worthwhile ? Or is there an effectively infinite pool of
> zombies, each only connecting once ?
In this particular case, they were - in fact they were even opening
multiple simultaneous connections (until I dropped
smtp_accept_max_per_host from 4 to 1 for off-net hosts) and re-
connecting quite aggressively each time a connection was timed out.
This, from numerous (dozens, certainly) different IP addresses to
multiple mail servers on our side. After I made those changes, the
number of concurrent connections began to drop down from being nailed
up to the limit as it had been since the attack started, allowing
legitimate emails to get through.
That said, it does seem a rather ineffective way to send spam - very
few of the connections got as far as even attempting to send a
message, certainly no more than one or two per hour, per attacking
IP. Hopefully they'll stop using that particular code when it proves
to be unprofitable (although I can assure you that I'd prefer a much
worse fate for the spammers than mere lack of profit...)
mrj
--
Mark Rigby-Jones, System Operations Manager
CI-Net, Network House, Langford Locks, Kidlington, OX5 1GA
CI-Net is the trading name for Community Internet plc
A company registered in England and Wales number 3155758
t: 01865 856009 m: 07747 862201 e: mark.rigby-jones@???
w:
www.ci-net.com
