machine1

Mailbombing detection and prevention


Five thousand identical spams from one IP address. I did close examination of the spam looking for hidden differences including a binary checksum of the message and they were indeed identical other than the timestamp. It doesn't matter what the spam was about or what network it came from.

This happened to me about six months ago and again a couple weeks ago. It took me several hours to go through and slam the spam each time.

The parser takes a rather detailed look at the headers; why can't it detect exact duplicates in the "Subject" line, and instead of forcing me to report or delete all of the thousands of duplicates, just provide ONE copy for examination and add "4,995 identical found." and give you a delete/report all button?

I know I probably ticked off some spammer big time, because 5,000 identical spams all from the same IP and all timestamped within a 4 hour period isn't an accident, except the first time. (Well, maybe a real stupid spammer that hasn't figured out how to configure their software..)

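A defender-side sketch of the duplicate detection the post asks for, added here as an example and not anything from SpamCop's parser: it fingerprints each held message on its non-volatile headers and body, groups copies by source IP, and flags a group as a mailbomb when many identical copies arrive inside a short window. The header layout, addresses and threshold are constructed assumptions.

```python
import hashlib
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers that legitimately differ between otherwise identical copies.
VOLATILE = {"date", "received", "message-id"}
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def fingerprint(msg):
    """Hash every non-volatile header plus the body, whitespace-normalised."""
    parts = [f"{k.lower()}:{' '.join(v.split())}" for k, v in msg.items()
             if k.lower() not in VOLATILE]
    parts.append(" ".join(msg.get_payload().split()))
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()

def source_ip(msg):
    """Assumption: the last (earliest-added) Received header names the sender."""
    received = msg.get_all("Received") or []
    m = IPV4.search(received[-1]) if received else None
    return m.group(1) if m else "unknown"

def group_identical(raw_messages, window=timedelta(hours=4), threshold=100):
    """Return one entry per (source IP, fingerprint); flag dense bursts."""
    groups = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        key = (source_ip(msg), fingerprint(msg))
        ts = parsedate_to_datetime(msg["Date"])
        g = groups.setdefault(key, {"ip": key[0], "count": 0, "first": ts,
                                    "last": ts, "sample": raw})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], ts), max(g["last"], ts)
    for g in groups.values():
        g["mailbomb"] = g["count"] >= threshold and g["last"] - g["first"] <= window
    return sorted(groups.values(), key=lambda g: -g["count"])

def build_samples():
    """Constructed held-mail folder: 5 identical spams from one IP, plus two decoys."""
    def mail(ip, n, subject, body):
        return (f"Received: from mx.example.invalid (mx [{ip}])\n"
                f"Message-ID: <{n}@mx.example.invalid>\n"
                f"Date: Mon, 01 Jan 2024 10:{n:02d}:00 +0000\n"
                f"From: offer@example.invalid\nSubject: {subject}\n\n{body}\n")
    spam = [mail("192.0.2.10", n, "Buy now", "Same pitch every time.") for n in range(5)]
    spam.append(mail("192.0.2.10", 7, "Different subject", "Other text."))
    spam.append(mail("198.51.100.7", 8, "Buy now", "Same pitch every time."))
    return spam
```

Calling `group_identical(build_samples(), threshold=5)` returns three groups; only the five-copy burst from 192.0.2.10 is flagged, while the same text from a different IP stays a separate, unflagged entry.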
The parser takes a rather detailed look at the headers; why can't it detect exact duplicates in the "Subject" line, and instead of forcing me to report or delete all of the thousands of duplicates, just provide ONE copy for examination and add "4,995 identical found." and give you a delete/report all button?
...Beyond the scope of the tool and to minimize the amount of time the parser spends on any one spam (it processes many spam per second), is my guess. Why not submit only one of the 4,995 identical spams to the parser? IIUC, it does no good for a single user to submit more than one.

The parser takes a rather detailed look at the headers; why can't it detect exact duplicates in the "Subject" line, and instead of forcing me to report or delete all of the thousands of duplicates, just provide ONE copy for examination and add "4,995 identical found." and give you a delete/report all button?

The parser doesn't do those kinds of comparisons, I'll easily say 'never will' ...

On the other hand, if one was to assume that the Report was actually going to be read by the abuse person, then this is where the "Notes:" boxes come into play. Add your "identical spam" comments to the appropriate Notes: box.

IIUC, it does no good for a single user to submit more than one.

Multiple submittals from 'one' user should not get the IP Address listed in the SpamCopDNSBL. However, each submittal adds a count for the mathematical equation involved in getting the IP Address listed and the time before de-listing. Remember, it's the ratio of 'good' e-mail traffic (i.e. non-reported) and the reported bad e-mail that feeds into a SpamCopDNSBL listing.


This is where IMHO a manual report to the abuse desk with a copy to an upstream might be in order - if there is any chance that the server admin would be responsive. Even a spam friendly server admin might think that there was a problem. OTOH, identical email should be easy to filter - the OP doesn't say what kind of spam filtering he uses. If he is an end user, even deleting 5000 email would be a chore.

However, the spamcop parser is not designed to report stupidity or maliciousness like this so a manual report is probably best.

Miss Betsy


Thanks to everyone for their thoughts and information.

Normally I get 100-150 spams a day in my held email folder. It's shocking to get to the bottom of the first page and see "5,216 remaining" staring you in the face, and when you report them and get to the bottom of the next page and it says "5,384 remaining" you realize it's mailbombing or a newbie spammer with a broken software configuration. It does take a while deleting or reporting using the web interface, about 2.5 minutes for each page of 100. Switching to webmail goes much faster.

I DID call the ISP of the last attack, during the attack. After three transfers and about two minutes on hold listening to distorted classical music (Bach, I believe..) I got their 'Security desk.' I explained my plight, told him the IP address and he said "That customer account will be suspended within the hour. Thank you." and he hung up. What else can you ask for?

I do report all of them so the IP add'y statistics get pushed up, and thankfully SC aggregates and doesn't mailbomb some poor admin trying to keep up.

thankfully SC aggregates

This would be news to me. The only documented 'aggregation' I can think of is the results for an ISP Account (which turns out to not be so directly helpful for a lot of folks.) A spam submittal, parse, result analysis, and a click on the Send/Submit button is 'one Report' .. one statistic against the source IP Address.


I am glad someone listened to you when you called the ISP! And, it does illustrate why sometimes a manual report or phone call is better than a spamcop report. As Wazoo says, unless the ISP has spamcop reports turned off, they will be getting every one of those reports! Also, points out that ISPs who normally don't have reports /should/ pay attention if they get them! Usually, those who are careful about spammers would have prevented them. But those ISPs don't pay attention to spamcop reports because, too often, they are reporter mistakes. You would think that hundreds of spamcop reports would set off an alarm...

Anyway, IMHO, my advice to manually report 'mailbombing' for whatever reason is good. Even ISPs who don't ordinarily pay attention to spamcop reports will pay attention if you send a manual report or, better yet, contact them via phone. I haven't had any contact with spammers for a long time, but, in general, they don't want reporters so are willing to accommodate you if you complain directly. The diehard anti-spammer doesn't like the idea of being listwashed, but particularly if you are an end user, it doesn't make much difference in the total spam count.

Miss Betsy
