
Re: Spamming virus



Matti, you are back?  How was your marine trip?

As you are back, I'll be sending my patch to make
max-same-ip-connections controllable from policy today.

On Thu, 2003-08-07 at 18:00, Matti Aarnio wrote:

> > did anyone notice a new spamming technology that appeared about a week
> > ago, when you suddenly get the same spam message from hundreds of different
> > machines around the world, apparently infected home PCs on cable, DSL
> > and dialup connections?  Any information / known protection?
> 
> Same one from hundreds of different systems ?
> That is odd..  Denial-of-service type behaviour, I would say.

Apparently they build a similar underground network, this time for
spamming.  Like previous DoS things, this one is centrally controlled -
all machines start sending the same message at the same time.

> Having connection quotas (number of connections) limited by network-
> classes might help -- from our customers: N, from elsewhere: M

Nope.  Involved machines are sparsely distributed around the world.

> There is no code at present to make that happen.  Moving smtp connection
> policy initialization and address testing into the accept() server program
> could give you this classification capability.  When the classifier then
> notes that there are way too many connections from a given class of
> network(s) (like outside our own clients), present-like limiter algorithms
> can kick the excessive connection(s) away.
> 
> > It nearly killed our system before I made a quick and dirty hack to
> > block those...
> > 
> > Eugene
-- 
Eugene Crosser, head of Internet Applications section, +7 501 787 1000
ROL, EDN Sovintel, Golden Telecom, http://user.rol.ru/~crosser/
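
The two limits discussed in this thread, a cap on connections from one address and a quota per class of network, sketched as an added example; it is not code from the thread or from ZMailer. The network ranges, the limits and every name in it (`CLASSES`, `MAX_SAME_IP`, `ConnectionLimiter`, `replay`) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed policy, first match wins ("our customers" = N, "elsewhere" = M).
CLASSES = [
    ("customers", ipaddress.ip_network("192.0.2.0/24"), 50),
    ("elsewhere", ipaddress.ip_network("0.0.0.0/0"), 3),
]
MAX_SAME_IP = 2  # assumed per-address cap
# Constructed burst: four unrelated outside hosts, then one customer.
BURST = ["198.51.100.7", "203.0.113.9", "198.51.100.200", "203.0.113.77",
         "192.0.2.10"]


class ConnectionLimiter:
    """Admission check for the point where the server accept()s a client."""
    def __init__(self):
        self.per_ip = Counter()
        self.per_class = Counter()

    def classify(self, addr):
        ip = ipaddress.ip_address(addr)
        for name, net, limit in CLASSES:
            if ip in net:
                return name, limit
        raise ValueError(f"no class matches {addr}")

    def admit(self, addr):
        name, limit = self.classify(addr)
        if self.per_ip[addr] >= MAX_SAME_IP:
            return "same-ip"  # too many connections from this address
        if self.per_class[name] >= limit:
            return "class"    # the whole class is over its quota
        self.per_ip[addr] += 1
        self.per_class[name] += 1
        return "ok"

    def release(self, addr):
        if self.per_ip[addr] > 0:  # only undo a connection we admitted
            self.per_ip[addr] -= 1
            self.per_class[self.classify(addr)[0]] -= 1


def replay(addrs):
    limiter = ConnectionLimiter()
    return [limiter.admit(a) for a in addrs]


if __name__ == "__main__":
    print(replay(BURST))
```

In the constructed burst no single address reaches the per-address cap, so only the class quota stops the fourth outside host, while the customer address is still admitted.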
