At around 3:21pm US/Eastern on November 4, 2007, a zombie botnet began a dictionary spam attack against one of the domains I host.
zombie botnet — a group of PCs that have been broken into by a hacker and turned into “zombies,” i.e., PCs over which the hacker now has control, so that he can tell them to do things like send out spam on his behalf.
dictionary spam attack — an attempt to deliver spam to legitimate users at a particular domain by attempting to send email to many different addresses within the domain in the hope that some of them will be valid.
I knew this was happening because the log monitor I run on my mail server began reporting many “User unknown” mail delivery failures for this domain every minute.
If this had been a typical dictionary spam attack coming from a single host, it would have been quickly blocked by my fail2ban configuration, which temporarily bans any host which attempts a few failed SMTP deliveries within a short period of time. However, since the delivery attempts were coming from many different IP addresses all over the world, fail2ban was powerless to stop them.
When I realized what was going on, I wrote a script to block all the IP addresses from which invalid deliveries to the domain had been attempted, and I set up the script to run frequently to block any new IP addresses that turned up.
The attack continued until around midnight, i.e., for over eight hours. During that time, I saw failed delivery attempts from 3,025 different IP addresses, along with 815 delivery attempts from IP addresses that I had already blocked.
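As an added illustration (not the author's script, which the post does not reproduce) of the two mechanisms described above: a fail2ban-style per-host threshold, which never fires when each zombie makes only one or two attempts, and the author's alternative of blocking every IP that attempted an invalid delivery to the attacked domain, while keeping a count of attempts that arrive from IPs already on the block list. It assumes Postfix-style "User unknown" rejection lines (the post does not name the MTA, so the log format is an assumption), uses constructed sample log entries with documentation addresses, and only renders iptables rules as strings rather than executing anything.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Postfix-style smtpd "User unknown" rejection line. The post does not
# name its MTA, so this log format is an assumption (sendmail's differs).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[\d.]+)\]: 550 \S+ "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

# Constructed sample log lines (not from the author's server); the recipient
# local parts mirror the nonsense names quoted in the post.
SAMPLE_LOG = """\
Nov  4 15:21:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <Lundberghrpor@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@b.test> to=<Lundberghrpor@example.org> proto=ESMTP helo=<x>
Nov  4 15:21:05 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <Lanhamypxg@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@b.test> to=<Lanhamypxg@example.org> proto=ESMTP helo=<x>
Nov  4 15:21:09 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.4]: 550 5.1.1 <zsgohuwrhykr@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@b.test> to=<zsgohuwrhykr@example.org> proto=ESMTP helo=<x>
Nov  4 15:21:12 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[198.51.100.4]: 550 5.1.1 <Lange@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@b.test> to=<Lange@example.org> proto=ESMTP helo=<x>
Nov  4 15:21:15 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[192.0.2.50]: 550 5.1.1 <typo@other.test>: Recipient address rejected: User unknown in local recipient table; from=<c@d.test> to=<typo@other.test> proto=ESMTP helo=<y>
Nov  4 15:21:18 mx postfix/smtpd[2106]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <Djurkovicnyqz@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@b.test> to=<Djurkovicnyqz@example.org> proto=ESMTP helo=<x>
"""


def parse_rejections(log_text):
    """Return one (timestamp, source_ip, recipient_domain) tuple per rejection."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # not a User-unknown rejection; ignore the line
        # syslog timestamps carry no year; strptime fills in 1900, which is
        # harmless because timestamps are only ever subtracted from each other
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        domain = m.group("rcpt").rsplit("@", 1)[-1].lower()
        events.append((ts, m.group("ip"), domain))
    return events


def per_host_bans(events, maxretry=3, findtime=600):
    """IPs a fail2ban-style rule would ban: at least `maxretry` failures from
    the same IP inside some `findtime`-second window (values are assumptions)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned


def domain_blocklist(events, domain, already_blocked=frozenset()):
    """The post's approach: block every IP that tried an invalid delivery to
    `domain`, however few attempts it made. Returns (new_ips, attempts_from_blocked),
    the second value being the post's count of attempts from already-blocked IPs."""
    new_ips = set()
    repeats = 0
    for _, ip, rcpt_domain in events:
        if rcpt_domain != domain:
            continue  # rejections for other hosted domains are left alone
        if ip in already_blocked:
            repeats += 1
        else:
            new_ips.add(ip)
    return new_ips, repeats


def firewall_rules(ips, port=25):
    """Render iptables DROP rules for SMTP as strings; nothing is executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(ips)]


if __name__ == "__main__":
    ev = parse_rejections(SAMPLE_LOG)
    print("per-host bans (maxretry=3):", per_host_bans(ev))  # empty: no IP retries enough
    new, reps = domain_blocklist(ev, "example.org", already_blocked={"198.51.100.4"})
    print("new IPs to block:", sorted(new), "| attempts from already-blocked IPs:", reps)
    print("\n".join(firewall_rules(new)))
```

Run on a real log, the interesting number is how few source IPs ever reach the per-host threshold: with one or two attempts per zombie, `per_host_bans` returns nothing while `domain_blocklist` grows by the full set of distinct sources, which is exactly the gap the post describes. Restricting the match to the attacked domain keeps ordinary typo bounces to other hosted domains from getting their senders blocked.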
At this point, I have two outstanding questions about this attack:
- Was it really a dictionary spam attack, or was it actually a denial-of-service attack of some sort? I consider the latter a possibility because the email addresses to which delivery was attempted during the attack simply do not look like email addresses that someone would guess if they were seriously trying to get email through to a domain. Here are some examples of the addresses that were attempted: Lundberghrpor, Lanhamypxg, zsgohuwrhykr, CLIFFORDforonda, Lange, ThreeRiojas, Witold-Johannesen, birtlesioiis, Djurkovicnyqz, NevenHeinritz.
- Is there anything productive I can do with the list I now have of the IP addresses of over 3,000 compromised PCs? Is there a site somewhere to which I can submit the list that will notify the appropriate network service providers about compromised PCs on their networks? Is there any point in doing that? I suppose I could write a script to run “whois” on each of the IP addresses, try to parse out the contact email addresses, and send a form letter to those addresses, but (a) I don’t really have the time, and (b) I believe that multiple whois queries from a single host are throttled, so it would take me an awful long time to get through them all.