fuck me harder (computers)
Apr. 22nd, 2008 10:40 pm
My server, on which i host my domains, as well as
klingonlandladys, is currently the target of a massive botnet spam
run. Today, just shy of 3000 compromised machines have been connecting to "KLs.corporate.domain.name", and trying to send their stupid spam to hundreds of thousands of seemingly computer-generated mail addresses, hoping to find one that doesn't hand them
a "450 Go Away" no such user error. What The Fuck? Here's a sample list of usernames tried:
Fbalinese@
+._-8departure@
+._-Pbois@
bincubus@
5woodpeck@
Vdeparture@
Ssusceptible@
Ljust@
Gcervix@
Lpneumatic@
canxious@
rceremonial@
Nminestrone@
Ddeacon@
bminestrone@
7fingernail@
Jimperial@
aevenhanded@
Qetymology@
Orecurrent@
Tgraph@
Fquadrille@
Mmidway@
squadrille@
jmailbox@
mmantle@
Vbraniff@
+._-+._-+._-+._-+._-+._-+._-+._-+._-+._-+._-+._-+._-efingernail@ <--- really! Yow on a stick!
Again, WTF? "Gcervix"? OK, stupid botnet is doing

```
for (i = 'A'; i < 'z')
    for (str =)
        SPAM ("%c%s@mypostfixbox", i, str);
```

WHY? What are they actually trying to do?
In the meantime, until this stops, (tcpdump is showing me a wonderful display of botnet IPaddrs being rejected at the moment)
i've disabled Postfix on my machine, if for no other reason than i don't have infinite space in /var, and maybe after a day or
so of not seeing a mail server, it will go away and hit someone else. If you need to send me email, use my gmail address until
further notice.
Edit 1:
Both "6teratology@" AND "+._-6teratology@" show up. This has got to be a bug in the botnet code.
And many of the machines repeatedly try an address that they already got a 450 in response to! But
not all of them. So there are at least two separate versions of this one out there.
Many of the addresses are tried by hundreds of different machines. Somehow i'd expect much smarter
behavior from the damned bots.
Edit 2:
Fascinating. I was mistaken about the number of addresses tried. While there were over 300,000
connection attempts, only 835 distinct addresses were tried. This is definitely somebody's completely
*failed* attempt to make the botnet do something useful. It's not only wasting *my* time, but it's
wasting the Russian Mob's time too. Oy.
Edit 2a:
Most of the machines that appear to be repeatedly attempting the same addresses over map to largish companies and ISPs, and appear to be their main outgoing mail relay for their internal network. Well. I guess we know just how well the strategy of "Block Port 25 Outgoing and force everyone to send through The Approved Mail Gateway" really works. Sigh.
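As an added defender-side example (not from the post), this is the kind of reduction over Postfix reject lines that produces the numbers in Edit 1 and Edit 2: connection attempts versus distinct addresses, which clients retry an address they were already refused, and how many addresses carry the "+._-" prefix. The log lines are constructed to follow the shape of Postfix's smtpd `reject:` lines; the client IPs and the domain are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Postfix smtpd reject lines (not the author's real logs).
# Client IPs are from the 192.0.2.0/24 documentation range; example.net is a placeholder.
SAMPLE_LOG = """\
Apr 22 22:40:01 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <Gcervix@example.net>: Recipient address rejected: User unknown; from=<a@b.test> to=<Gcervix@example.net> proto=ESMTP helo=<pc>
Apr 22 22:40:03 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <Gcervix@example.net>: Recipient address rejected: User unknown; from=<a@b.test> to=<Gcervix@example.net> proto=ESMTP helo=<pc>
Apr 22 22:40:05 mx postfix/smtpd[4243]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 4.1.1 <Gcervix@example.net>: Recipient address rejected: User unknown; from=<c@d.test> to=<Gcervix@example.net> proto=ESMTP helo=<pc2>
Apr 22 22:40:07 mx postfix/smtpd[4243]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 4.1.1 <6teratology@example.net>: Recipient address rejected: User unknown; from=<c@d.test> to=<6teratology@example.net> proto=ESMTP helo=<pc2>
Apr 22 22:40:09 mx postfix/smtpd[4244]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 450 4.1.1 <+._-6teratology@example.net>: Recipient address rejected: User unknown; from=<e@f.test> to=<+._-6teratology@example.net> proto=ESMTP helo=<pc3>
Apr 22 22:40:11 mx postfix/smtpd[4244]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 450 4.1.1 <+._-+._-efingernail@example.net>: Recipient address rejected: User unknown; from=<e@f.test> to=<+._-+._-efingernail@example.net> proto=ESMTP helo=<pc3>
"""

# One reject line -> (client IP, SMTP reply code, rejected recipient).
REJECT_RE = re.compile(r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ <(?P<rcpt>[^>]+)>")
# The garbage prefix seen in the post, repeated one or more times.
PREFIX_RE = re.compile(r"^(\+\._-)+")


def summarize(log_text):
    """Reduce reject lines to the numbers worth looking at during a run like this."""
    attempts = 0
    rcpts = Counter()          # attempts per recipient address
    seen = defaultdict(set)    # client IP -> recipients it has already been refused
    retries = Counter()        # client IP -> repeats of an address already refused to it
    prefixed = 0
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or not m["code"].startswith(("4", "5")):
            continue
        attempts += 1
        ip, rcpt = m["ip"], m["rcpt"]
        rcpts[rcpt] += 1
        if rcpt in seen[ip]:
            retries[ip] += 1
        seen[ip].add(rcpt)
        if PREFIX_RE.match(rcpt):
            prefixed += 1
    return {
        "attempts": attempts,
        "distinct_rcpts": len(rcpts),
        # Collapsing the "+._-" prefix shows how many addresses are really duplicates.
        "distinct_after_strip": len({PREFIX_RE.sub("", r) for r in rcpts}),
        "distinct_clients": len(seen),
        "retrying_clients": sorted(ip for ip, n in retries.items() if n),
        "prefixed_rcpts": prefixed,
        "top_rcpts": rcpts.most_common(3),
    }
```

Run it over a real mail log by passing the file contents to `summarize`; the `retrying_clients` list is the set worth mapping back to owners, as in Edit 2a.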