Here's the link for a new botnet-only mailing list. Just got PR
yesterday and already there's some interesting stuff flowing on it.
You may want to drop this message out there.

botnets_at_whitestar.linuxbox.org

gregs_at_sloop.net wrote:
>I've been getting a lot of what appear to be spam bounces the last week or so. I'd usually ignore them, but this isn't typical for me, or anything I've seen before.
>
>I get perhaps 150 bounces a day. In the past, I'd get a huge rash of these all at one time, and for a day or two. Then it'd cease. Further, they've all come from the same sending machine in the past.
>
>Here's a quick sampling of the sending headers info.
>
>Received: from m4.net81-67-28.noos.fr (m4.net81-67-28.noos.fr [81.67.28.4])
> by afb.business-hosting.ru (Postfix) with SMTP id AE7BF339B09;
> Sat, 4 Mar 2006 00:46:07 +0300 (MSK)
>
>Received: from a83-132-103-247.cpe.netcabo.pt (83.132.103.247)
> by neptun.nskhost.ru with SMTP; 4 Mar 2006 03:42:35 +0600
>
>Received: from ip93.iflk.com ([216.191.203.93]) by volzhanka.ru with Microsoft SMTPSVC(6.0.3790.1830);
> Sat, 4 Mar 2006 02:29:05 +0500
>
>Received: from pc-163-244-104-200.cm.vtr.net ([200.104.244.163]) by mail.imli.ru with Microsoft SMTPSVC(6.0.3790.1830);
> Sat, 4 Mar 2006 00:23:34 +0300
>
>Received: from cpe-72-224-115-123.nycap.res.rr.com (cpe-72-224-115-123.nycap.res.rr.com [72.224.115.123])
> by relay2new.metrocom.ru (8.12.10/8.12.10) with SMTP id k23LFUqp049011;
> Sat, 4 Mar 2006 00:15:31 +0300 (MSK)
>
>Received: from [222.235.234.93] (helo=217.23.144.128)
> by mini.caravan.ru with smtp (Exim 4.40)
> id 1FFHVs-0004AV-P4; Sat, 04 Mar 2006 00:08:37 +0300
>
>Received: from 6532130hfc51.tampabay.res.rr.com (6532130hfc51.tampabay.res.rr.com [65.32.130.51])
> by shape.iks.ru (8.12.10/8.12.10) with SMTP id k238Awc7021590;
> Fri, 3 Mar 2006 20:11:04 +1200 (PETT)
>
>Received: from cpe-72-177-178-57.houston.res.rr.com (cpe-72-177-178-57.houston.res.rr.com [72.177.178.57])
> by rovter.legion.ru (Postfix) with SMTP id 3895147A4;
> Fri, 3 Mar 2006 23:59:59 +0000 (GMT)
>
>Received: from 201009189149.user.veloxzone.com.br (201009189149.user.veloxzone.com.br [201.9.189.149])
> by mx2.konalink.ru with ESMTP;
> Fri, 3 Mar 2006 23:14:53 +0300
>
>Received: from [81.22.147.198] (helo=194.58.78.34)
> by directadmin.xx.ru with smtp (Exim 4.50)
> id 1FFGao-000JAo-IH; Fri, 03 Mar 2006 23:09:42 +0300
>
>
>Is this typical, and should I just put up with it? I assume it has to be a bot-net since I'm getting these from a whole host of machines, and it would be unlikely to pick my addy at random on a whole host of spammers at the same time.
>
>What's interesting though, is I'd expect to practically drown under the load - thousands or tens of thousands of bounces if a botnet was using a single from: addy. Are they picking a huge pool and round-robin'ing them?
>
>Curious. TIA.
>Greg
Received on Mar 04 2006
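
The quoted bounces carry Received headers in four different MTA layouts (Postfix/sendmail, a bare parenthesised address, Microsoft SMTPSVC, and Exim with a `helo=` claim). As an added example that is not part of the original thread, the Python below tallies the connecting address and the receiving server for each header, which is how one would measure how widely such bounces are spread. The sample headers are constructed, using documentation addresses and `.example` names, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: Received headers shaped like the four layouts quoted
# in the message, with documentation addresses and .example host names.
SAMPLE = """\
Received: from dsl-1.isp-a.example (dsl-1.isp-a.example [192.0.2.10])
 by mx.site-a.example (Postfix) with SMTP id 0000000001;
 Sat, 4 Mar 2006 00:46:07 +0300 (MSK)
Received: from cpe-2.isp-b.example (198.51.100.20)
 by mx.site-b.example with SMTP; 4 Mar 2006 03:42:35 +0600
Received: from host3.isp-c.example ([203.0.113.30]) by mx.site-c.example with Microsoft SMTPSVC(6.0.3790.1830);
 Sat, 4 Mar 2006 02:29:05 +0500
Received: from [203.0.113.44] (helo=192.0.2.99)
 by mx.site-d.example with smtp (Exim 4.40)
 id 0000000002; Sat, 04 Mar 2006 00:08:37 +0300
Received: from dsl-1.isp-a.example (dsl-1.isp-a.example [192.0.2.10])
 by mx.site-e.example (Postfix) with SMTP id 0000000003;
 Fri, 3 Mar 2006 23:59:59 +0000 (GMT)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
BRACKETED = re.compile(r"\[(" + IPV4 + r")\]")      # [a.b.c.d] as logged by the MTA
PARENTHESISED = re.compile(r"\((" + IPV4 + r")\)")  # (a.b.c.d) with nothing else inside

def unfold(text):
    """Join folded continuation lines so each header is a single string."""
    return [h for h in re.sub(r"\r?\n[ \t]+", " ", text).splitlines() if h.strip()]

def parse_received(header):
    """Return (connecting_ip, receiving_host) for one unfolded Received header."""
    if not header.lower().startswith("received:"):
        return None
    from_part, _, by_part = header.partition(" by ")
    # Only the from-clause is searched; a helo= value is the client's claim
    # and matches neither pattern, so it is never taken as the peer address.
    m = BRACKETED.search(from_part) or PARENTHESISED.search(from_part)
    host = by_part.split()[0].rstrip(";") if by_part.strip() else None
    return (m.group(1) if m else None, host)

def summarize(text):
    """Count headers per connecting address and per receiving mail server."""
    pairs = [p for p in map(parse_received, unfold(text)) if p]
    peers = Counter(ip for ip, _ in pairs if ip)
    receivers = Counter(host for _, host in pairs if host)
    return peers, receivers
```

Many distinct connecting addresses delivering to many unrelated receiving servers, as in the quoted sample, is the distribution `summarize` makes visible; a single repeated address would instead point to one sending machine.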