At around 3:21pm US/Eastern on November 4, 2007, a zombie botnet began a dictionary spam attack against one of the domains I host.
zombie botnet — a group of PCs that have been broken into by a hacker and turned into “zombies,” i.e., PCs over which the hacker now has control, so that he can tell them to do things like send out spam on his behalf.
dictionary spam attack — an attempt to deliver spam to legitimate users at a particular domain by attempting to send email to many different addresses within the domain in the hope that some of them will be valid.
I knew this was happening because the log monitor I run on my mail server began reporting many “User unknown” mail delivery failures for this domain every minute.
If this had been a typical dictionary spam attack coming from a single host, it would have been quickly blocked by my fail2ban configuration, which temporarily bans any host that attempts a few failed SMTP deliveries within a short period of time. However, since the delivery attempts were coming from many different IP addresses all over the world, fail2ban was powerless to stop them.
When I realized what was going on, I wrote a script to block all the IP addresses from which invalid deliveries to the domain had been attempted, and I set up the script to run frequently to block any new IP addresses that turned up.
The attack continued until around midnight, i.e., for over eight hours. During that time, I saw failed delivery attempts from 3,025 different IP addresses, along with 815 delivery attempts from IP addresses that I had already blocked.
At this point, I have two outstanding questions about this attack:
- Was it really a dictionary spam attack, or was it actually a denial-of-service attack of some sort? I consider the latter a possibility because the email addresses to which delivery was attempted during the attack simply do not look like email addresses that someone would guess if they were seriously trying to get email through to a domain. Here are some examples of the addresses that were attempted: Lundberghrpor, Lanhamypxg, zsgohuwrhykr, CLIFFORDforonda, Lange, ThreeRiojas, Witold-Johannesen, birtlesioiis, Djurkovicnyqz, NevenHeinritz.
- Is there anything productive I can do with the list I now have of the IP addresses of over 3,000 compromised PCs? Is there a site somewhere to which I can submit the list that will notify the appropriate network service providers about compromised PCs on their networks? Is there any point in doing that? I suppose I could write a script to run “whois” on each of the IP addresses, try to parse out the contact email addresses, and send a form letter to those addresses, but (a) I don’t really have the time, and (b) I believe that multiple whois queries from a single host are throttled, so it would take me an awful long time to get through them all.
It turns out that this probably wasn’t a dictionary spam attack, but rather was probably outscatter from spam sent to other domains.
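The blocking script described above, written out as an added example (not the post's own code): it assumes Postfix-style "User unknown" reject lines, a placeholder domain, iptables as the firewall, and a constructed sample log, and it adds the one check the update calls for: counting rejects with an empty envelope sender (from=<>), which is what bounces of spam forged in the domain's name look like.

```shell
#!/bin/sh
# Added example, not the post's own script: pull the client IPs behind
# "User unknown" rejects for one domain out of a Postfix-style mail log
# (assumed format; the sample below is constructed), skip the ones already
# banned, print (or with APPLY=1 execute) iptables rules for the rest, and
# record them so a cron job can repeat the pass every few minutes.
DOMAIN="${DOMAIN:-example.com}"   # placeholder for the attacked domain
SAMPLE_LOG='Nov  4 15:21:03 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <Lundberghrpor@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<Lundberghrpor@example.com> proto=ESMTP helo=<mail>
Nov  4 15:21:09 mx postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 550 5.1.1 <Lanhamypxg@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<Lanhamypxg@example.com> proto=ESMTP helo=<pc>
Nov  4 15:21:12 mx postfix/smtpd[2215]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <zsgohuwrhykr@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<zsgohuwrhykr@example.com> proto=ESMTP helo=<mail>
Nov  4 15:21:15 mx postfix/smtpd[2216]: NOQUEUE: reject: RCPT from host.isp.net[192.0.2.9]: 550 5.1.1 <bob@other.example>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@b.example> to=<bob@other.example> proto=ESMTP helo=<h>
Nov  4 15:21:20 mx postfix/smtpd[2217]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 550 5.1.1 <Lange@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@shop.example> to=<Lange@example.com> proto=ESMTP helo=<z>'

# Unique client IPs whose "User unknown" rejects were for DOMAIN (stdin).
offending_ips() {
  grep 'User unknown' | grep -F "@${DOMAIN}>" |
    sed -n 's/.*RCPT from [^[]*\[\([0-9.]*\)\].*/\1/p' | sort -u
}
# "bounces total": bounces of spam forged in DOMAIN's name (backscatter)
# arrive with an empty envelope sender, from=<>; a high share says
# backscatter rather than a dictionary attack.
null_sender_share() {
  grep 'User unknown' | grep -F "@${DOMAIN}>" |
    awk '/from=<>/ { b++ } { t++ } END { printf "%d %d\n", b, t }'
}
# IPs in file $1 that are not yet in the banned-list file $2.
new_ips() {
  tmp=$(mktemp); sort -u "$2" > "$tmp"
  sort -u "$1" | comm -23 - "$tmp"; rm -f "$tmp"
}
# Print a DROP rule per IP on stdin; run it only when APPLY=1 (needs root).
block_rules() {
  while read -r ip; do
    cmd="iptables -I INPUT -s $ip -p tcp --dport 25 -j DROP"
    echo "$cmd"
    if [ "${APPLY:-0}" = 1 ]; then $cmd; fi
  done
}
# One cron pass: $1 = mail log, $2 = state file of banned IPs.
run_once() {
  touch "$2"; cand=$(mktemp)
  offending_ips < "$1" > "$cand"
  new_ips "$cand" "$2" | tee -a "$2" | block_rules; rm -f "$cand"
}

# Demo on the constructed sample, in a scratch dir so nothing persists.
d=$(mktemp -d); printf '%s\n' "$SAMPLE_LOG" > "$d/mail.log"
echo "null-sender rejects / total: $(null_sender_share < "$d/mail.log")"
run_once "$d/mail.log" "$d/blocked.txt"    # prints three rules
run_once "$d/mail.log" "$d/blocked.txt"    # second pass: nothing new
rm -rf "$d"
```

On the sample, three of the four rejects for the domain carry an empty sender, which is the backscatter signature; on a real log, run the same count before deciding that a flood of "User unknown" rejects is a dictionary attack.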
OK, I just filed a complaint at the NCFTA Web site. Don’t know if anything will come of it. If you think your FBI friend would actually be interested in this, feel free to send him my way.
Provide them to the NCFTA, which is a conglomeration of federal government law enforcement and private industry tracking and cutting down on criminal activity. If you like, let me know and I will put you in touch with an FBI friend there.
Do any of the addresses fall more or less into range?
They’re in over 2,000 different class C’s, 1,700 different class B’s, and 118 different class A’s, so clearly they’re scattered all over the place.
My sympathies — I’ve had that happen on our site recently, too. Do any of the addresses fall more or less into range? I’d just block the addresses forever, but that’s me…
If you do find something better to do with the compromised addresses, I’d appreciate hearing about it. Sending letters to the address owners would take an awfully long time, and probably not accomplish much. That’s just my $.02, I’m not a zombie PC owner and I don’t play one on TV…