
Network Security Incidents

Re: Bot net? SPAM Bounces...

Subject: Re: Bot net? SPAM Bounces...
Date: Sat, 04 Mar 2006 08:03:24 -0600
Here's the link for a new botnet-only mailing list. Just got PR yesterday, and already there's some interesting stuff flowing on it.

You may want to drop this message out there.

botnets@whitestar.linuxbox.org

gregs@sloop.net wrote:

I've been getting a lot of what appear to be spam bounces the last week or so. 
I'd usually ignore them, but this isn't typical for me, or anything I've seen 
before.

I get perhaps 150 bounces a day. In the past, I'd get a huge rash of these all at 
one time, and for a day or two. Then it'd cease. Further, they've all come 
from the same sending machine in the past.

Here's a quick sampling of the sending headers info.

Received: from m4.net81-67-28.noos.fr (m4.net81-67-28.noos.fr [81.67.28.4])
by afb.business-hosting.ru (Postfix) with SMTP id AE7BF339B09;
Sat, 4 Mar 2006 00:46:07 +0300 (MSK)
Received: from a83-132-103-247.cpe.netcabo.pt (83.132.103.247)
by neptun.nskhost.ru with SMTP; 4 Mar 2006 03:42:35 +0600
Received: from ip93.iflk.com ([216.191.203.93]) by volzhanka.ru with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 4 Mar 2006 02:29:05 +0500
Received: from pc-163-244-104-200.cm.vtr.net ([200.104.244.163]) by mail.imli.ru with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 4 Mar 2006 00:23:34 +0300
Received: from cpe-72-224-115-123.nycap.res.rr.com (cpe-72-224-115-123.nycap.res.rr.com [72.224.115.123])
by relay2new.metrocom.ru (8.12.10/8.12.10) with SMTP id k23LFUqp049011;
Sat, 4 Mar 2006 00:15:31 +0300 (MSK)
Received: from [222.235.234.93] (helo=217.23.144.128)
by mini.caravan.ru with smtp (Exim 4.40)
id 1FFHVs-0004AV-P4; Sat, 04 Mar 2006 00:08:37 +0300
Received: from 6532130hfc51.tampabay.res.rr.com (6532130hfc51.tampabay.res.rr.com [65.32.130.51])
by shape.iks.ru (8.12.10/8.12.10) with SMTP id k238Awc7021590;
Fri, 3 Mar 2006 20:11:04 +1200 (PETT)
Received: from cpe-72-177-178-57.houston.res.rr.com (cpe-72-177-178-57.houston.res.rr.com [72.177.178.57])
by rovter.legion.ru (Postfix) with SMTP id 3895147A4;
Fri, 3 Mar 2006 23:59:59 +0000 (GMT)
Received: from 201009189149.user.veloxzone.com.br (201009189149.user.veloxzone.com.br [201.9.189.149])
by mx2.konalink.ru with ESMTP;
Fri, 3 Mar 2006 23:14:53 +0300
Received: from [81.22.147.198] (helo=194.58.78.34)
by directadmin.xx.ru with smtp (Exim 4.50)
id 1FFGao-000JAo-IH; Fri, 03 Mar 2006 23:09:42 +0300


Is this typical, and should I just put up with it? I assume it has to be a 
bot-net since I'm getting these from a whole host of machines, and it would be 
unlikely to pick my addy by random on a whole host of spammers at the same time.

What's interesting though, is I'd expect to practically drown under the load - 
thousands or tens of thousands of bounces if a botnet was using a single from: 
addy. Are they picking a huge pool and round-robin'ing them?

Curious. TIA.
Greg
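To put numbers on the question Greg raises (one sending machine versus many), here is an added example that is not part of the thread or of any of the posters' tooling: a small Python parser for the quoted Received lines that pulls out the connecting IP, the HELO name, the reverse-DNS name the relay recorded (where it recorded one) and the relay itself, then flags hostnames that look like ISP-generated residential/dynamic names and HELO names that are bare IP literals not matching the connecting address. The keyword list in looks_dynamic() and the thresholds in verdict() are my own heuristics, not any standard; the sample input is the ten headers from the post, folded onto single lines.

```python
import re
from collections import Counter

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Constructed sample input: the ten Received lines quoted in the post,
# each re-joined onto one line (folded continuation lines removed).
SAMPLE_HEADERS = [
    "Received: from m4.net81-67-28.noos.fr (m4.net81-67-28.noos.fr [81.67.28.4]) by afb.business-hosting.ru (Postfix) with SMTP id AE7BF339B09; Sat, 4 Mar 2006 00:46:07 +0300 (MSK)",
    "Received: from a83-132-103-247.cpe.netcabo.pt (83.132.103.247) by neptun.nskhost.ru with SMTP; 4 Mar 2006 03:42:35 +0600",
    "Received: from ip93.iflk.com ([216.191.203.93]) by volzhanka.ru with Microsoft SMTPSVC(6.0.3790.1830); Sat, 4 Mar 2006 02:29:05 +0500",
    "Received: from pc-163-244-104-200.cm.vtr.net ([200.104.244.163]) by mail.imli.ru with Microsoft SMTPSVC(6.0.3790.1830); Sat, 4 Mar 2006 00:23:34 +0300",
    "Received: from cpe-72-224-115-123.nycap.res.rr.com (cpe-72-224-115-123.nycap.res.rr.com [72.224.115.123]) by relay2new.metrocom.ru (8.12.10/8.12.10) with SMTP id k23LFUqp049011; Sat, 4 Mar 2006 00:15:31 +0300 (MSK)",
    "Received: from [222.235.234.93] (helo=217.23.144.128) by mini.caravan.ru with smtp (Exim 4.40) id 1FFHVs-0004AV-P4; Sat, 04 Mar 2006 00:08:37 +0300",
    "Received: from 6532130hfc51.tampabay.res.rr.com (6532130hfc51.tampabay.res.rr.com [65.32.130.51]) by shape.iks.ru (8.12.10/8.12.10) with SMTP id k238Awc7021590; Fri, 3 Mar 2006 20:11:04 +1200 (PETT)",
    "Received: from cpe-72-177-178-57.houston.res.rr.com (cpe-72-177-178-57.houston.res.rr.com [72.177.178.57]) by rovter.legion.ru (Postfix) with SMTP id 3895147A4; Fri, 3 Mar 2006 23:59:59 +0000 (GMT)",
    "Received: from 201009189149.user.veloxzone.com.br (201009189149.user.veloxzone.com.br [201.9.189.149]) by mx2.konalink.ru with ESMTP; Fri, 3 Mar 2006 23:14:53 +0300",
    "Received: from [81.22.147.198] (helo=194.58.78.34) by directadmin.xx.ru with smtp (Exim 4.50) id 1FFGao-000JAo-IH; Fri, 03 Mar 2006 23:09:42 +0300",
]

# Heuristic markers (my assumption, not a standard) for ISP-generated
# residential/dynamic reverse-DNS names: common labels, or address octets
# embedded in the name as dotted, dashed or concatenated digits.
DYNAMIC_KEYWORDS = re.compile(
    r"(?:^|[.\-\d])(?:cpe|res|cm|user|dsl|dyn|pool|ppp|cable|hfc)(?:[.\-\d])")
EMBEDDED_OCTETS = re.compile(r"(?:\d{1,3}[-.]){3}\d{1,3}|\d{9,12}")


def parse_received(header):
    """Parse one Received: line (Postfix, Sendmail, Exim, qmail and MS SMTPSVC
    styles seen in the post) into helo, connecting ip, recorded rdns, relay."""
    m = re.match(r"Received:\s+from\s+(.*?)\s+by\s+(\S+)", header, re.S)
    if not m:
        return None
    from_clause, relay = m.group(1), m.group(2)
    # Connecting address: prefer a bracketed [a.b.c.d]; otherwise a bare IPv4 in parentheses.
    ip_m = (re.search(r"\[(" + IPV4 + r")\]", from_clause)
            or re.search(r"\((" + IPV4 + r")\)", from_clause))
    ip = ip_m.group(1) if ip_m else None
    first = from_clause.split()[0]
    if first.startswith("["):
        # Exim style: "from [ip] (helo=name)" -- the IP comes first, HELO is in helo=.
        helo_m = re.search(r"helo=([^\s)]+)", from_clause)
        helo = helo_m.group(1) if helo_m else None
    else:
        helo = first
    # Reverse-DNS name, if the relay recorded one as "(name [ip])".
    rdns_m = re.search(r"\(([A-Za-z0-9.-]+)\s+\[", from_clause)
    rdns = rdns_m.group(1) if rdns_m else None
    return {"helo": helo, "ip": ip, "rdns": rdns, "relay": relay}


def looks_dynamic(name):
    """True if the hostname looks like an ISP-assigned residential/dynamic name."""
    if not name:
        return False
    n = name.lower()
    return bool(DYNAMIC_KEYWORDS.search(n)) or bool(EMBEDDED_OCTETS.search(n))


def assess(rec):
    """Return the list of red flags for one parsed hop."""
    helo = rec["helo"] or ""
    helo_is_ip = re.fullmatch(IPV4, helo) is not None
    flags = []
    if helo_is_ip and helo != rec["ip"]:
        flags.append("bogus-helo")       # HELO is an IP literal that isn't even the real one
    if not helo_is_ip and looks_dynamic(rec["rdns"] or helo):
        flags.append("dynamic-host")     # typical compromised home machine
    return flags


def summarize(headers):
    """Count distinct originating hosts and relays, and how many hops raised a flag."""
    recs = [r for r in map(parse_received, headers) if r]
    origins = Counter(r["ip"] for r in recs)
    return {
        "hops": len(recs),
        "distinct_origins": len(origins),
        "distinct_relays": len({r["relay"] for r in recs}),
        "max_per_origin": max(origins.values()) if origins else 0,
        "flagged": sum(1 for r in recs if assess(r)),
    }


def verdict(s):
    """Rough triage label; thresholds are my own choice."""
    if s["hops"] == 0:
        return "no data"
    if s["distinct_origins"] == 1:
        return "single source"
    if s["distinct_origins"] == s["hops"] and s["flagged"] >= s["hops"] // 2:
        return "distributed (botnet-like)"
    return "mixed"


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = parse_received(h)
        print(f'{r["ip"]:16} helo={r["helo"]:40} via {r["relay"]:28} {assess(r)}')
    s = summarize(SAMPLE_HEADERS)
    print(s, "->", verdict(s))
```

Two caveats when reading the output. First, every origin in the sample appears exactly once and most are on cable or DSL reverse-DNS names, which is what a spread-out bot population looks like, as opposed to one spam cannon reusing an address. Second, these Received lines were stamped by the third-party relays (the .ru hosts) that accepted the spam and then bounced it to the forged sender; nothing in them can be verified from the victim's side, so treat the parse as triage evidence rather than proof, and trust only the Received header your own MX added.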



