Spam Filter ISP Support Forum


Spam Attack

ITI Computers (Newbie) | Posted: 04 November 2010 at 12:30pm
Hello,
 
We are seeing hundreds of connection attempts per minute to one of our domains, APS2000.com. This has been going on for quite a while. I would like to know if there is anything I can do to stop these connections. I have a log file that I have zipped up but it is 33.5 MB. How do you want me to send it to you?
ITI Computers
Web Design and Hosting

yapadu (Senior Member) | Posted: 04 November 2010 at 8:50pm
If the attack is coming from a limited number of addresses you could block them at your firewall.
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.

LogSat (Admin Group) | Posted: 04 November 2010 at 9:11pm
I've sent you a PM with the details on how to send us the file via FTP. As an FYI, SpamFilter has the following setting (which is enabled by default) that greatly helps prevent issues from such attacks:

Enable Cached IP Blocking - If an IP address sends more than a certain number of spam emails (3 by default) during a certain time interval (10 minutes by default), then it can be temporarily banned (blacklisted). All further connections from that IP address will be immediately rejected without allowing the sender to transmit any data. This should greatly reduce the load on the server. A banned IP address will be automatically removed from this temporary blacklist after a defined time interval (60 minutes by default). To prevent specific IPs from being added to this list, they can be added to the DoNotAddIPToHoneypot SpamFilter.ini option.

Roberto Franceschetti

LogSat Software

Spam Filter ISP

ITI Computers (Newbie) | Posted: 08 November 2010 at 10:30am
Thanks for the reply. I have uploaded the file named ITIComputers20101102.zip to the FTP account you sent me. I will look at that configuration option you mentioned and see if that does anything to stop this attack in the meantime.
 
Thanks,
 
Bill Turner
ITI Computers
ITI Computers
Web Design and Hosting

ITI Computers (Newbie) | Posted: 08 November 2010 at 10:38am
Just checked the settings and the Enable Cached IP Blocking is already turned on.
Any other ideas?
ITI Computers
Web Design and Hosting

LogSat (Admin Group) | Posted: 08 November 2010 at 10:16pm
We received your log, and it was rather "unusual". Let me summarize what we see.

During the day your SpamFilter received 232,954 connections. Of these, there was a whopping (high/huge) number of 102,926 individual/unique IPs that attempted connections to SpamFilter. So each IP on average made just over 2 connections. This pretty much eliminates any single IP from sending large quantities of spam toward your network.
In addition, a very large number of connection attempts (91,830) was stopped in its tracks by the greylist filter, which prevented those connections from even attempting to send an email.

Over 83% of the emails in the logs were indeed sent to the aps2000.com domain, but depending on the domain's history and number of users when compared against the other domains you host, that could be normal.

We do see however that you have configured SpamFilter to tag spam instead of blocking it. Tagging spam emails as such and delivering them forces SpamFilter to accept the emails from the senders. If the email is accepted, the sender believes that the email is going to be delivered. So for all the spam emails you receive, to the senders (keep in mind these are mostly automated emails), when the spammers go back and analyze the statistics of their spam campaign, they will all result as in "good" spam emails, meaning they were all delivered. This will likely cause them to give a high reliability to the addresses they are spamming, causing the spam to increase. If you had configured SpamFilter to block such emails instead of tagging them and delivering them, hundreds of thousands of spam emails addressed to that domain would be blocked each week, making it a bit less likely that spam will be delivered to them in the future.
Do note however that if you start to stop such emails now, the change I described above would be very, very, very slow, as it will take months/years for the email databases spammers acquire to be updated.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
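
Added example, not part of either LogSat post and not SpamFilter's own code: a small Python model of the Cached IP Blocking rule as described in the thread (more than 3 spam emails in 10 minutes, 60-minute ban, exemption list), run against constructed traffic to show why the rule stops a single noisy sender but never triggers when each address makes only about two connections, as in the log summary above. The class, function and variable names, the use of minutes as the time unit, and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

class CachedIPBlocker:
    """Model of the rule as described in the thread; times are in minutes."""
    def __init__(self, max_spam=3, window=10, ban=60, exempt=()):
        self.max_spam, self.window, self.ban = max_spam, window, ban
        self.exempt = set(exempt)         # stands in for DoNotAddIPToHoneypot
        self.recent = defaultdict(deque)  # ip -> times of recent spam
        self.banned_until = {}            # ip -> minute the ban expires

    def allowed(self, ip, now):
        """Return False while ip is on the temporary blacklist."""
        until = self.banned_until.get(ip)
        if until is not None and now < until:
            return False
        self.banned_until.pop(ip, None)   # ban expired, or none was set
        return True

    def record_spam(self, ip, now):
        """Count one spam email; ban once the count exceeds max_spam."""
        if ip in self.exempt:
            return
        times = self.recent[ip]
        times.append(now)
        while now - times[0] > self.window:  # forget spam outside the window
            times.popleft()
        if len(times) > self.max_spam:
            self.banned_until[ip] = now + self.ban
            times.clear()

def simulate(events, blocker):
    """events: (minute, ip) spam attempts in time order -> (accepted, rejected)."""
    accepted = rejected = 0
    for now, ip in events:
        if blocker.allowed(ip, now):
            accepted += 1
            blocker.record_spam(ip, now)
        else:
            rejected += 1                 # dropped before any data is sent
    return accepted, rejected

# Constructed traffic (documentation address ranges), not the poster's log.
single_source = [(m, "192.0.2.10") for m in range(20)]
distributed = sorted((m, f"198.51.100.{i}")
                     for i in range(250) for m in (i % 60, i % 60 + 30))

if __name__ == "__main__":
    print("one noisy IP:  ", simulate(single_source, CachedIPBlocker()))
    print("many quiet IPs:", simulate(distributed, CachedIPBlocker()))
```
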

ITI Computers (Newbie) | Posted: 09 November 2010 at 9:55am
Thanks for the reply,
 
The APS domain has about 31 users, and they are not very active. So there is no way that there should be 83% of the total emails going to them. My guess would be less than 10% legit email usage.
 
From what you are saying, it seems like there are hundreds of possibly virus-infected computers that are sending one or two emails per day. So there is no way to really stop those attacks until the owners fix the problems.
 
Unfortunately, we have to Tag and Deliver the spam to most of our clients because they see 1 to 10 per month in the spam folders that are legit emails coming from NEW clients that they have no way to know beforehand that those emails are coming.
 
I appreciate your help with this matter. If you can think of anything else, please let me know.
 
Many thanks,
 
Bill Turner
ITI Computers
ITI Computers
Web Design and Hosting