January 28, 2007
Attack of the Dictionary Attacks
For the past few days, my dannyg.com domain has been hammered by attempts to send spam to addresses that don't exist in the system. It's a case of the so-called dictionary attack, whereby spammers try to find valid user names at a domain by trying everything, including the kitchen sink. Having studied the logs of a lot of these attacks over the years, it seems that one tactic they use is to take valid user names harvested at one domain and try them at other domains. One can wire up all kinds of logic to account for that behavior, so I won't speculate more.
One thing I noticed in the recent batches—which would have resulted in 10,000 to 13,000 additional spam messages per day invading my server if I had let them—is that some of the tactics have changed. In the past, it was easy to spot the attacks in the logs because there would be long batches of user name tries with a single email connection between servers. I recall one instance a couple of years ago in which over 9,000 names were tried in less than a minute from the same IP address in British Columbia.
As the attackers have discovered, this kind of Internet traffic is easy to recognize on the receiving server end. That drove the attackers to do their thing with fewer names per batch. Even today, I see groups of ten names per connection liberally sprinkled throughout the logs.
Today, however, I realized that there were thousands of attempts made one-at-a-time, each one from a different IP address. Not only that, most of the IP addresses made just one attempt throughout a 24-hour period.
This is all thanks to the (certainly by now) millions of PCs around the world connected to the Internet full-time through broadband connections (cable, DSL, corporate networks)—PCs that are infected with malware under the control of spam gangs...the botnets you may have read about. It may not be as efficient per millisecond to hunt for new addresses one user name per bot connection, but it's the kind of behavior that is impossible to fingerprint as being abusive in the eyes of the receiving email server, and thus less likely to be shut off at the receiving end.
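The two log shapes described above (a burst of unknown-recipient rejects from one client, and the distributed form where each client makes a single attempt in a day) can both be surfaced from the mail server's reject log. The following Python is an added example, not code from the original post; it assumes a simplified, constructed reject-line format rather than any particular MTA's real log layout, and all IP addresses and timestamps in it are made up.

```python
"""Spot dictionary-attack patterns in mail-server unknown-recipient rejects."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Simplified reject-line format (an assumption for this example; real MTA logs
# differ in layout):
#   <ISO timestamp> reject RCPT from [<ip>] <<recipient>>: User unknown
LINE_RE = re.compile(
    r"^(?P<ts>\S+) reject RCPT from \[(?P<ip>[^\]]+)\] <(?P<rcpt>[^>]+)>: User unknown$"
)


def parse_line(line):
    """Return (timestamp, ip, recipient) for an unknown-recipient reject, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("ip"), m.group("rcpt")


def parse_log(lines):
    """Parse all reject lines, dropping anything that does not match, sorted by time."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])
    return events


def bursty_sources(events, window=timedelta(seconds=60), threshold=10):
    """IPs that hit `threshold` or more unknown recipients inside any `window`.

    Uses a sliding window per IP, so a slow trickle of probes is not flagged here;
    that is exactly the gap the one-attempt-per-bot tactic exploits.
    Returns {ip: peak count within one window}.
    """
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def distributed_probe(events, period=timedelta(hours=24)):
    """Summarise the one-attempt-per-IP pattern over the first `period` of the log.

    A ratio of single-attempt clients to total rejects near 1.0 is the botnet shape:
    many rejects, almost every one from a different client.
    """
    if not events:
        return {"rejects": 0, "unique_ips": 0, "single_attempt_ips": 0, "ratio": 0.0}
    cutoff = events[0][0] + period
    attempts = Counter(ip for ts, ip, _ in events if ts < cutoff)
    single = sum(1 for n in attempts.values() if n == 1)
    total = sum(attempts.values())
    return {
        "rejects": total,
        "unique_ips": len(attempts),
        "single_attempt_ips": single,
        "ratio": single / total,
    }


def constructed_log():
    """Constructed sample (not real traffic): one bursty client plus 15 single-shot clients."""
    base = datetime(2007, 1, 28, 2, 0, 0)
    lines = []
    for i in range(12):  # 12 names in 12 seconds from one client
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} reject RCPT from [10.0.0.5] <user{i}@dannyg.com>: User unknown")
    for i in range(15):  # one probe each, an hour apart, from 15 different clients
        ts = base + timedelta(hours=1 + i)
        lines.append(f"{ts.isoformat()} reject RCPT from [10.0.1.{i + 1}] <name{i}@dannyg.com>: User unknown")
    lines.append("2007-01-28T03:30:00 accept RCPT from [10.0.2.2] <real@dannyg.com>")  # not a reject; ignored
    return lines


if __name__ == "__main__":
    ev = parse_log(constructed_log())
    print("bursty sources:", bursty_sources(ev))
    print("distributed summary:", distributed_probe(ev))
```

On the constructed sample, the per-connection burst detector flags only the one client that tried twelve names in twelve seconds, while the distributed summary shows 15 of 16 clients making exactly one attempt, which is the signal that per-client rate limiting cannot see and that has to be judged across the whole day instead.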
I've long held a desire to pull off something that would be nearly impossible:
The Great International Bot Out!
This would be a 24-hour period during which all users of a permanently-connected Windows PC in the world either shut down their computers or disconnect their modems while the users are physically asleep. The world's Internet backbone traffic measurers and spam-blocking services would monitor Internet usage geographically during that period and compare it to the previous 24-hour period. The purpose is to get a sense of how much of the world's Internet traffic is attributable to botnet activity (plus or minus normal behind-the-scenes activity, like Windows Update). I envision a solar-eclipse-like shadow of activity starting in New Zealand and creeping its way westward around the globe throughout the day.
That would be so cool. And it would perhaps give my poor email server a little rest.
Posted on January 28, 2007 at 05:34 PM