
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-08-11 InfoSec Handlers Diary Blog



Email DoS Storms running wild

Published: 2007-08-11
Last Updated: 2007-08-11 14:47:04 UTC
by Tony Carothers (Version: 1)

Some of our friends in Canada have been pounded, since yesterday AM, by a series of emails from a number of destinations. It is quite clear these destinations are spoofed; this much we can be sure of. The TO line presents a very interesting look into the misunderstanding, or misinterpretation, of our language by people not from North America. One of our Handlers, Donald S., took a hard look at what is going on and found that some of the names being seen are...

MattiequartermasterSterling
LindseyswitzerlandRichie
AdamicrographyHelton
AdaanodicSorensen
OlgaprototypicHo
BethflubMccabe
LindseydiscoveryBurrell
BrandipreviousSutherland
MallorybrimstoneNava
sabrinaheadquartersingh
LetitiasorghumGold

So it is somewhat apparent that the level of understanding of the English language may not be quite where it needs to be.  Another Handler, Bojan Z., has this tip for protecting a mail server:

"E-mails for non-existent users should be rejected at your MX server. This rejection should happen during the SMTP session (in other words - don't put Exchange there), right after your server received the RCPT TO: command. If everything is configured properly you will not see the e-mail at all. Also, this is very "cheap" for your server - a decent server should be able to reject hundreds of these per *second*."
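The recipient check described in the tip above, sketched as an added example (not code from the diary or from any handler). The `example.ca` domain, the `VALID` table, the `Session` class and the reply texts are constructed for illustration; a production MX would do the same lookup against its directory or recipient map.

```python
import re
# Constructed recipient table; a real MX would query its directory or recipient map.
VALID = {"alice@example.ca", "postmaster@example.ca"}

def _path(arg, keyword):
    # Return the address inside 'KEYWORD:<addr>', or None if malformed.
    m = re.match(rf"{keyword}:\s*<([^<>\s]*)>", arg, re.IGNORECASE)
    return None if m is None else m.group(1)

class Session:
    """One SMTP session, reduced to the commands that decide acceptance."""
    def __init__(self, valid=VALID):
        self.valid = {a.lower() for a in valid}
        self.sender = None      # None until MAIL FROM; "" is the null sender <>
        self.accepted = []      # recipients that passed the check
        self.rejected = 0       # per-session count, useful for rate limiting

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.ca"
        if verb == "MAIL":
            addr = _path(arg, "FROM")
            if addr is None:
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            self.sender, self.accepted = addr, []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL first"
            addr = _path(arg, "TO")
            if addr is None:
                return "501 5.5.4 Syntax: RCPT TO:<address>"
            if addr.lower() not in self.valid:
                self.rejected += 1          # refused before any message body is sent
                return "550 5.1.1 User unknown"
            self.accepted.append(addr.lower())
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.accepted:
                return "554 5.5.1 No valid recipients"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not recognized"

def run(lines, valid=VALID):
    s = Session(valid)
    return [s.handle(l) for l in lines], s
```

Because the 550 is issued at RCPT time, the sending side keeps responsibility for the failed message and the server never generates a bounce toward a spoofed address.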

Add to this that another reader reported a major spam outbreak at about 9PM EST yesterday, this one also apparently from somewhere in Asia. This one goes to great lengths to avoid the spam filters, with wording that looks like:

".... <h>[a][v][e] alread-y {s}<e>(e)[n] CYTV#'s m^arket i_mpact bef+ore c#limbin`g to  ...."

So we ask you, our readers, to share any experiences you may be having where similar events are occurring in your area, and we'll see what we can do to contact the right people and get this stopped at the source.
