| Subject: | Bot net? SPAM Bounces... |
|---|---|
| Date: | 3 Mar 2006 22:54:50 -0000 |

I've been getting a lot of what appear to be spam bounces the last week or so.
I'd usually ignore them, but this isn't typical for me, or anything I've seen
before.

I get perhaps 150 bounces a day. In the past, I'll get a huge rash of these all at
one time, and for a day or two. Then it'll cease. Further, they've all come
from the same sending machine in the past.

Here's a quick sampling of the sending headers info.

Received: from m4.net81-67-28.noos.fr (m4.net81-67-28.noos.fr [81.67.28.4])
    by afb.business-hosting.ru (Postfix) with SMTP id AE7BF339B09;
    Sat, 4 Mar 2006 00:46:07 +0300 (MSK)

Received: from a83-132-103-247.cpe.netcabo.pt (83.132.103.247)
    by neptun.nskhost.ru with SMTP; 4 Mar 2006 03:42:35 +0600

Received: from ip93.iflk.com ([216.191.203.93]) by volzhanka.ru with Microsoft
    SMTPSVC(6.0.3790.1830);
    Sat, 4 Mar 2006 02:29:05 +0500

Received: from pc-163-244-104-200.cm.vtr.net ([200.104.244.163]) by
    mail.imli.ru with Microsoft SMTPSVC(6.0.3790.1830);
    Sat, 4 Mar 2006 00:23:34 +0300

Received: from cpe-72-224-115-123.nycap.res.rr.com
    (cpe-72-224-115-123.nycap.res.rr.com [72.224.115.123])
    by relay2new.metrocom.ru (8.12.10/8.12.10) with SMTP id k23LFUqp049011;
    Sat, 4 Mar 2006 00:15:31 +0300 (MSK)

Received: from [222.235.234.93] (helo=217.23.144.128)
    by mini.caravan.ru with smtp (Exim 4.40)
    id 1FFHVs-0004AV-P4; Sat, 04 Mar 2006 00:08:37 +0300

Received: from 6532130hfc51.tampabay.res.rr.com
    (6532130hfc51.tampabay.res.rr.com [65.32.130.51])
    by shape.iks.ru (8.12.10/8.12.10) with SMTP id k238Awc7021590;
    Fri, 3 Mar 2006 20:11:04 +1200 (PETT)

Received: from cpe-72-177-178-57.houston.res.rr.com
    (cpe-72-177-178-57.houston.res.rr.com [72.177.178.57])
    by rovter.legion.ru (Postfix) with SMTP id 3895147A4;
    Fri, 3 Mar 2006 23:59:59 +0000 (GMT)

Received: from 201009189149.user.veloxzone.com.br
    (201009189149.user.veloxzone.com.br [201.9.189.149])
    by mx2.konalink.ru with ESMTP;
    Fri, 3 Mar 2006 23:14:53 +0300

Received: from [81.22.147.198] (helo=194.58.78.34)
    by directadmin.xx.ru with smtp (Exim 4.50)
    id 1FFGao-000JAo-IH; Fri, 03 Mar 2006 23:09:42 +0300

Is this typical, and should I just put up with it? I assume it has to be a
bot-net since I'm getting these from a whole host of machines, and it would be
unlikely to pick my addy by random on a whole host of spammers at the same time.

What's interesting though, is I'd expect to practically drown under the load -
thousands or tens of thousands of bounces if a botnet was using a single from:
addy. Are they picking a huge pool and round-robin'ing them?

Curious. TIA.

Greg
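
Added example, not part of the original post: one way to tabulate bounces like these is to pull the connecting IP, the HELO name and the receiving MTA out of each Received header, count distinct senders, and list clients whose HELO is an IP literal other than the address they connected from. The helper names `parse_received` and `summarize` are hypothetical; the sample input reuses four of the headers quoted above, unfolded to one line each.

```python
import re
from collections import Counter

# Four of the Received headers quoted in the post, unfolded to one line each.
SAMPLE = [
    "Received: from m4.net81-67-28.noos.fr (m4.net81-67-28.noos.fr [81.67.28.4]) by afb.business-hosting.ru (Postfix) with SMTP id AE7BF339B09; Sat, 4 Mar 2006 00:46:07 +0300 (MSK)",
    "Received: from a83-132-103-247.cpe.netcabo.pt (83.132.103.247) by neptun.nskhost.ru with SMTP; 4 Mar 2006 03:42:35 +0600",
    "Received: from ip93.iflk.com ([216.191.203.93]) by volzhanka.ru with Microsoft SMTPSVC(6.0.3790.1830); Sat, 4 Mar 2006 02:29:05 +0500",
    "Received: from [222.235.234.93] (helo=217.23.144.128) by mini.caravan.ru with smtp (Exim 4.40) id 1FFHVs-0004AV-P4; Sat, 04 Mar 2006 00:08:37 +0300",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# from <name or [ip]> (<comment>) by <receiving MTA>
HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)

def parse_received(header):
    """Return {'ip', 'helo', 'mta'} for one Received header, or None if unparseable."""
    m = HOP.search(" ".join(header.split()))    # join folded continuation lines
    if not m:
        return None
    name, comment, mta = m.groups()
    bracketed = re.fullmatch(r"\[(%s)\]" % IPV4, name)
    if bracketed:                                # Exim style: from [ip] (helo=name)
        ip = bracketed.group(1)
        helo = re.search(r"helo=(\S+)", comment)
        helo = helo.group(1) if helo else name
    else:                                        # other MTAs: from name (... ip ...)
        found = re.findall(IPV4, comment)
        if not found:
            return None
        ip, helo = found[-1], name
    return {"ip": ip, "helo": helo, "mta": mta}

def summarize(headers):
    """Count distinct sending IPs and receiving MTAs; list HELO/IP mismatches."""
    hops = [h for h in map(parse_received, headers) if h]
    return {
        "senders": Counter(h["ip"] for h in hops),
        "receivers": Counter(h["mta"] for h in hops),
        # Heuristic: HELO is an IP literal that differs from the connecting address.
        "helo_mismatch": [h for h in hops
                          if re.fullmatch(IPV4, h["helo"]) and h["helo"] != h["ip"]],
    }

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(len(report["senders"]), "sending IPs,", len(report["receivers"]), "receiving MTAs")
    for hop in report["helo_mismatch"]:
        print("HELO", hop["helo"], "from", hop["ip"], "via", hop["mta"])
```

A sender count that stays close to the bounce count, as in the sample, means no single machine accounts for the mail.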