Purely for your entertainment: A strange kind of spam attack
Dave Clark
Administrator
Created Mar 15, 2006 11:44
Well it seems somebody is trying to send emails to all letter combinations at my domain. So for example they start at a(a)dollardns.net and go up to z(a)dollardns.net then start with aa(a)dollardns.net and end up to zz(a)dollardns.net and then aaa(a)dollardns.net up to gnz(a)dollardns.net before I shut them down at the firewall. That is nearly five thousand emails that I started to see build up almost immediately since I have Outlook Express checking my email every 5 minutes. I don't know what the guy was thinking. btw, I would've received another 13,000 emails if this guy got as far as zzz(a)dollardns.net.

Here's some information about the attacker:

Sender IP: 84.137.161.118 (p5489a176.dip0.t-ipconnect.de) (A German DSL user)
Pretending to be: mx4.hotmail.com
Bounce messages sent to: <RandomAddress>@hotmail.com
From: jar212@netscape.net
Subject: From Jon Aristide, <RandomTag>
Date start: Sunday, March 19, 2006 10:14 AM EST
Date blocked: Sunday, March 19, 2006 10:25 AM EST
ISP: http://whois.dollardns.net/ip.pl?query=84.137.161.118

That whois link gives me abuse contact information. Guess what? I've used it. I think somebody is gonna lose their internet connection. Course, there is a possibility that a hacker is sending the emails through that German victim, but you know what? The internet is a happier place without stupid people.


Dave Clark
DollarDNS Services
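The sweep described in the post above (a..z, aa..zz, aaa.. from a single client) can be recognised in mail logs by checking whether one IP's recipient local-parts arrive in consecutive order. This is an added example, not part of the original thread or DollarDNS's own tooling; the log line format, the `min_run` threshold, the function names and the 192.0.2.10 address are assumptions made for illustration.

```python
import re

LINE = re.compile(r"ip=(\S+) rcpt=<([^@>]+)@")  # constructed log format, not a real MTA's

def rank(local):
    """Position in the order a..z, aa..zz, aaa.. (a=1); None if not all a-z."""
    if not re.fullmatch(r"[a-z]+", local):
        return None
    n = 0
    for ch in local:
        n = n * 26 + ord(ch) - ord("a") + 1
    return n

def unrank(n):
    """Inverse of rank(): 1 -> 'a', 27 -> 'aa'."""
    out = ""
    while n > 0:
        n, r = divmod(n - 1, 26)
        out = chr(ord("a") + r) + out
    return out

def detect_enumeration(lines, min_run=50):
    """Map client IP -> (first, last, count) of its longest consecutive run."""
    state, hits = {}, {}  # state: ip -> (run start, last rank, run length)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        ip, local = m.group(1), m.group(2).lower()
        r = rank(local)
        first, last, n = state.get(ip, (None, None, 0))
        if r is not None and last is not None and r == last + 1:
            n += 1  # next address in the sweep
        else:
            first, n = local, (1 if r is not None else 0)  # run restarts
        state[ip] = (first, r, n)
        if n >= min_run and n > hits.get(ip, (None, None, 0))[2]:
            hits[ip] = (first, local, n)
    return hits

def remaining(last, width):
    """Addresses still to come before every name of `width` letters is tried."""
    return rank("z" * width) - rank(last)

def sample_log():
    """Constructed input: the a..gnz sweep from the post plus one normal delivery."""
    log = [f"ip=84.137.161.118 rcpt=<{unrank(i)}@dollardns.net>" for i in range(1, rank("gnz") + 1)]
    log.insert(100, "ip=192.0.2.10 rcpt=<homerdancedoh@dollardns.net>")
    return log
```

Calling `detect_enumeration(sample_log())` flags only the sweeping client, and `remaining("gnz", 3)` gives the number of further addresses up to zzz. A sender that tries names in dictionary or random order would not trip this check, which only covers the sequential pattern seen here.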

Erwin
Member
Created Mar 24, 2006 16:17
Now... One does wonder, why do (did?) you even have catch-all enabled on your mail server?

Dave Clark
Administrator
Created Mar 28, 2006 09:17
Cause I use custom email addresses. If I sign up for an account on www.homerdancedoh.com then I will use the email address homerdancedoh(a)dollardns.net.

It is fortunate that I had a catch-all in another respect. Without a catchall the attack would've become 3 times as bad. Cause instead of just receiving all of these emails, I would've been bouncing them. Then since the from address is invalid, they would've been double bounced back to my server. Most alarmingly, I probably wouldn't have noticed until my mail server started to get really really slow.


scsnuser
Member
Created Mar 28, 2006 15:52
Dave,

Often, these attacks aren't done on purpose.

It was likely a zombie computer, I doubt the guy's internet connection will be taken away. This is why most ISPs block mail from dynamic addresses.

Dave Clark
Administrator
Created Mar 29, 2006 09:16
Yes, I mentioned this was a possibility in my initial post. Whether it was intentional by the user or if they are zombified, they need to be stopped.

I'm just speculating by the taking away of the internet connection. Maybe they'll just be warned and if they get reported again it will be taken away. *shrug* I don't know how ISPs deal with abuse sent from customer machines. Surely the ISP has something in mind considering how they've gone through the trouble of setting up an abuse report webform.
