Spam Attack |
ITI Computers
Newbie Joined: 12 June 2008 Status: Offline Points: 12 |
Posted: 04 November 2010 at 12:30pm |
Hello,
We are seeing hundreds of connection attempts per minute to one of our domains, APS2000.com. This has been going on for quite a while. I would like to know if there is anything I can do to stop these connections. I have a log file that I have zipped up but it is 33.5 MB. How do you want me to send it to you?
ITI Computers
Web Design and Hosting |
yapadu
Senior Member Joined: 12 May 2005 Status: Offline Points: 297 |
If the attack is coming from a limited number of addresses you could block them at your firewall.
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk. |
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
I've sent you a PM with the details on how to send us the file via FTP. As an FYI, SpamFilter has the following setting (which is enabled by default) that greatly helps prevent issues from such attacks:
ITI Computers
Newbie Joined: 12 June 2008 Status: Offline Points: 12 |
Thanks for the reply. I have uploaded the file named ITIComputers20101102.zip to the FTP account you sent me. I will look at that configuration option you mentioned and see if that does anything to stop this attack in the meantime.
Thanks,
Bill Turner
ITI Computers
ITI Computers
Web Design and Hosting |
ITI Computers
Newbie Joined: 12 June 2008 Status: Offline Points: 12 |
Just checked the settings and the Enable Cached IP Blocking is already turned on.
Any other ideas?
ITI Computers
Web Design and Hosting |
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
We received your log, and it was rather "unusual". Let me summarize what we see.
During the day your SpamFilter received 232,954 connections. Of these, there was a whopping (high/huge) number of 102,926 individual/unique IPs that attempted connections to SpamFilter. So each IP on average made just over 2 connections. This pretty much eliminates any single IP from sending large quantities of spam toward your network. In addition, a very large number of connection attempts (91,830) was stopped in its tracks by the greylist filter, which prevented those connections from even attempting to send an email. Over 83% of the emails in the logs were indeed sent to the aps2000.com domain, but depending on the domain's history and number of users when compared against the other domains you host, that could be normal.
We do see however that you have configured SpamFilter to tag spam instead of blocking it. Tagging spam emails as such and delivering them forces SpamFilter to accept the emails from the senders. If the email is accepted, the sender believes that the email is going to be delivered. So for all the spam emails you receive, to the senders (keep in mind these are mostly automated emails), when the spammers go back and analyze the statistics of their spam campaign, they will all result as in "good" spam emails, meaning they were all delivered. This will likely cause them to give a high reliability to the addresses they are spamming, causing the spam to increase.
If you had configured SpamFilter to block such emails instead of tagging them and delivering them, hundreds of thousands of spam emails addressed to that domain would be blocked each week, making it a bit less likely that spam will be delivered to them in the future. Do note however that if you start to stop such emails now, the change I described above would be very, very, very slow, as it will take months/years for the email databases spammers acquire to be updated.
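Added example, not part of the original thread and not LogSat's code: the figures in the post above (232,954 connections from 102,926 unique IPs, so just over 2 per IP) are what show that per-address firewall blocks will not help. The sketch below computes the same kind of summary from a log. The `timestamp ip recipient verdict` line layout, the function names and the 50% threshold are assumptions; SpamFilter's real log format needs its own `parse_line`.

```python
from collections import Counter

def parse_line(line):
    """Parse 'timestamp ip recipient verdict' (hypothetical layout, not SpamFilter's)."""
    parts = line.split()
    if len(parts) != 4 or "@" not in parts[2]:
        return None  # skip malformed lines
    return parts[1], parts[2].rsplit("@", 1)[1].lower(), parts[3]

def summarize(lines, top_n=10, blockable_share=0.5):
    """Summarize a day of connections and judge whether a short firewall
    blocklist (the top_n busiest IPs) would remove most of the load."""
    per_ip, per_domain, verdicts = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, domain, verdict = rec
        per_ip[ip] += 1
        per_domain[domain] += 1
        verdicts[verdict] += 1
    total = sum(per_ip.values())
    if total == 0:
        return None
    top_share = sum(n for _, n in per_ip.most_common(top_n)) / total
    return {
        "connections": total,
        "unique_ips": len(per_ip),
        "avg_per_ip": total / len(per_ip),
        "top_share": top_share,  # fraction of load from the top_n IPs
        "firewall_blockable": top_share >= blockable_share,
        "domain_share": {d: n / total for d, n in per_domain.most_common()},
        "greylisted": verdicts["greylisted"],
    }

def constructed_sample(distributed):
    """Constructed log lines: 90 IPs with 2 hits each, or 3 IPs with 60 each."""
    ips, hits = (90, 2) if distributed else (3, 60)
    out = []
    for i in range(ips):
        for h in range(hits):
            rcpt = "user@aps.example" if (i + h) % 6 else "info@other.example"
            verdict = "greylisted" if h == 0 else "accepted"
            out.append(f"2010-11-02T00:00:00 198.51.100.{i + 1} {rcpt} {verdict}")
    return out

if __name__ == "__main__":
    for label, flag in (("distributed", True), ("concentrated", False)):
        print(label, summarize(constructed_sample(flag)))
```

A low `avg_per_ip` together with a small `top_share` is the distributed pattern described in the post; a high `top_share` is the case where blocking a handful of addresses at the firewall is worthwhile.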
ITI Computers
Newbie Joined: 12 June 2008 Status: Offline Points: 12 |
Thanks for the reply,
The APS domain has about 31 users, and they are not very active. So there is no way that there should be 83% of the total emails going to them. My guess would be less than 10% legit email usage.
From what you are saying, it seems like there are hundreds of possibly virus infected computers that are sending one or two emails per day. So there is no way to really stop those attacks until the owners fix the problems.
Unfortunately, we have to Tag and Deliver the spam to most of our clients because they see 1 to 10 per month in the spam folders that are legit emails coming from NEW clients that they have no way to know beforehand that those emails are coming.
I appreciate your help with this matter. If you can think of anything else, please let me know.
Many thanks,
Bill Turner
ITI Computers
ITI Computers
Web Design and Hosting |