frobzwiththingz:
My server, on which I host my domains, as well as [livejournal.com profile] klingonlandladys, is currently the target of a massive botnet spam
run. Today, just shy of 3000 compromised machines have been connecting to "KLs.corporate.domain.name" and trying to send their stupid spam to hundreds of thousands of seemingly computer-generated mail addresses, hoping to find one that doesn't hand them
a "450 Go Away" no-such-user error. What The Fuck? Here's a sample list of usernames tried:

Fbalinese@
+._-8departure@
+._-Pbois@
bincubus@
5woodpeck@
Vdeparture@
Ssusceptible@
Ljust@
Gcervix@
Lpneumatic@
canxious@
rceremonial@
Nminestrone@
Ddeacon@
bminestrone@
7fingernail@
Jimperial@
aevenhanded@
Qetymology@
Orecurrent@
Tgraph@
Fquadrille@
Mmidway@
squadrille@
jmailbox@
mmantle@
Vbraniff@
+._-+._-+._-+._-+._-+._-+._-+._-+._-+._-+._-+._-+._-efingernail@ <--- really! Yow on a stick!


Again, WTF? "Gcervix"? OK, stupid botnet is doing (pseudocode):
    for (i = 'A'; i < 'z'; i++)
        for (each str in wordlist)
            SPAM("%c%s@mypostfixbox", i, str);

WHY? What are they actually trying to do?

In the meantime, until this stops (tcpdump is showing me a wonderful display of botnet IP addrs being rejected at the moment),
I've disabled Postfix on my machine, if for no other reason than I don't have infinite space in /var, and maybe after a day or
so of not seeing a mail server, it will go away and hit someone else. If you need to send me email, use my gmail address until
further notice.

Edit 1:
Both "6teratology@" AND "+._-6teratology@" show up. This has got to be a bug in the botnet code.
And many of the machines repeatedly try an address that they already got a 450 in response to! But
not all of them. So there are at least two separate versions of this one out there.
Many of the addresses are tried by hundreds of different machines. Somehow I'd expect much smarter
behavior from the damned bots.

Edit 2:
Fascinating. I was mistaken about the number of addresses tried. While there were over 300,000
connection attempts, only 835 distinct addresses were tried. This is definitely somebody's completely
*failed* attempt to make the botnet do something useful. It's not only wasting *my* time, but it's
wasting the Russian Mob's time too. Oy.

Edit 2a:
Most of the machines that appear to be repeatedly attempting the same addresses over and over map to largish companies and ISPs, and appear to be their main outgoing mail relay for their internal network. Well. I guess we know just how well the strategy of "Block Port 25 Outgoing and force everyone to send through The Approved Mail Gateway" really works. Sigh.
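An added example (mine, not from the post) that pulls the same numbers out of Postfix's 450 reject lines: total vs distinct addresses, which sources retry an address they were already refused, and which addresses are hit from more than one source. The log lines and IPs are constructed, and the address-shape regex is a hypothetical heuristic, not a known bot signature.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Postfix smtpd 450 reject lines (not from the post);
# source IPs are RFC 5737 documentation addresses.
LOG = """\
Jul 20 03:11:02 mx postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <Gcervix@example.net>: Recipient address rejected: User unknown in local recipient table
Jul 20 03:11:05 mx postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <Gcervix@example.net>: Recipient address rejected: User unknown in local recipient table
Jul 20 03:11:09 mx postfix/smtpd[4012]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.1 <Gcervix@example.net>: Recipient address rejected: User unknown in local recipient table
Jul 20 03:11:12 mx postfix/smtpd[4012]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.1 <6teratology@example.net>: Recipient address rejected: User unknown in local recipient table
Jul 20 03:11:15 mx postfix/smtpd[4013]: NOQUEUE: reject: RCPT from unknown[203.0.113.4]: 450 4.1.1 <+._-6teratology@example.net>: Recipient address rejected: User unknown in local recipient table
Jul 20 03:11:20 mx postfix/smtpd[4013]: NOQUEUE: reject: RCPT from unknown[203.0.113.4]: 450 4.1.1 <bob@example.net>: Recipient address rejected: User unknown in local recipient table
"""

# One RCPT reject line: the connecting IP and the rejected recipient.
REJECT_RE = re.compile(r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 450 \S+ <(?P<rcpt>[^>]+)>")
# Shape described in the post: optional "+._-" junk, one leading character,
# then a lowercase dictionary word. A hypothetical heuristic, not a known bot
# signature; on its own it also matches ordinary names, so it is only a hint.
BOT_RE = re.compile(r"^(\+\._-)*[A-Za-z0-9][a-z]{3,}@")

def parse_rejects(log):
    """Return (source_ip, recipient) for every 450 reject line in the log."""
    return [(m.group("ip"), m.group("rcpt"))
            for line in log.splitlines() if (m := REJECT_RE.search(line))]

def summarize(events):
    """Total vs distinct addresses, per-source retries of an address that was
    already rejected, and addresses tried from more than one source."""
    seen = defaultdict(set)      # ip -> addresses it has already been refused
    retries = Counter()          # ip -> retries of an already-refused address
    sources = defaultdict(set)   # address -> distinct ips that tried it
    pattern_hits = 0
    for ip, rcpt in events:
        if rcpt in seen[ip]:
            retries[ip] += 1
        seen[ip].add(rcpt)
        sources[rcpt].add(ip)
        if BOT_RE.match(rcpt):
            pattern_hits += 1
    return {
        "attempts": len(events),
        "distinct_addresses": len(sources),
        "distinct_sources": len(seen),
        "pattern_hits": pattern_hits,
        "retrying_sources": dict(retries),
        "shared_addresses": {a: len(s) for a, s in sources.items() if len(s) > 1},
    }
```

Run `summarize(parse_rejects(open("/var/log/mail.log").read()))` against a real log; sources that keep retrying refused addresses, and addresses shared by many sources, are the ones worth rate-limiting or handing to an abuse contact.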

Page generated Jul. 21st, 2017 10:48 am
Powered by Dreamwidth Studios