Russian Spam Activity

[forrie]

I've noticed over the last few months a slurry of different servers, mostly *.ru oriented, that connect to my system port 25 repeatedly; though, at times they don't exchange any traffic.

I block them, and more show up. It's a repeated pattern.

I wonder if this is connected with botnet spamming traffic, at some level. And certainly, I'm curious if someone else has noticed this and may have more information about what's going on.

It makes me cringe to think there are that many compromised systems ;-)

Thanks.

[Wazoo]

With no traffic being passed, I'd say that you are not talking about botnet traffic (yet)

What is more likely, for some reason, one of the .ru guys/girls found your server 'interesting' for some reason, it has probably been placed on a list somewhere, and that next level of wanna-be types is busy checking out the contents of that list ..... Other systems may be simply scanning, using those lists for new targets ...

What you are describing to me isn't all that much different than looking at the access logs and viewing all the login attempts to the server from around the world, looking for a weak password on an account name found within their dictionary type lists of account names to try ....

now if you see one that actually manages to start passing data, generating outgoing e-mails (or worse, misdirected bouces) ... then I suspect you'd be talking an actual series of botnet connections ....

[forrie]

Yes, there are some that actually get through, but most are blocked by an RBL or whatnot.

But they are all hosts that appear in DNS as smtp relays for different companies. Probably not even legitimate (ie: squatted for spamming purposes).

*shrug*

I just thought it was odd; I sit here and watch the output of "trafshow" and I see all these *.ru hosts connecting.

I mean, this is just a cablemodem host - and I'm flattered they think it's interesting ;-) I will just keep blocking them.

heh.

_F

[forrie]

I'm surprised there's not more interest in this topic here.

Over the last few months, I've been making some observations. Here's what I'm seeing:

1) a deluge of SMTP probes from (predominantly) Russian IP space, usually they stand there waiting for an SMTP reply, or they try to test the address "info[at]yourdomain.com", then exit.

2) during which time, on onslaught of spam comes in from botnets (blocked by RBLs most of them).

3) when I explicitly block the /24 space of the probes, the spam ceases.

This appears to be efficient use of their available botnet bandwidth, whereby they only begin sending spam to the sites that are actually responding to SMTP traffic.

I'm utterly amazed at the numbers of apparently compromised hosts coming from Russia. There are enough that I wonder if the Russian mafia is somehow involved. Some of these machines are NS's, MTA's, and who knows. I wonder if these companies are being pressured into permitting access... otherwise a very sophisticated virus/worm?

Anyone have other theories and observations on this.

My next step is going to be blocking the entire GeoIP space of Russia, unfortunately... mostly because my system doesn't exchange mail directly there anyhow.

_F

[forrie]

See this topic for my observations:

http://forum.spamcop.net/forums/index.php?showtopic=7470

I'd be curious if anyone else is honing in on this garbage.

[Wazoo]

See this topic for my observations:

This post has nothing to do with "SpamCop.net E-Mail Account Set-up" .. so moved out of that Forum section, merged into the existing Topic 'here' .... technically, probablu would have made more sense to simply delete it, but .....