Coordinated Spam Attacks
by Ed Sawicki
Accelerated Learning Center
Tailored Computers
October 21, 2003
I just spent a few hours examining the log files of the SMTP servers that run the eScrubber service - a spam suppression service that my company offers. This service handles over 200,000 messages each month, of which more than half are spam. I found evidence of a highly coordinated attack methodology for delivering spam mail.
I have an email address that was harvested by spammers many years ago. I haven't used that address for many years but it's still on some spammer lists. Today, I discovered that spam sent to that address was sent in "bursts". Here's a list of sites sending to my seldom-used e-mail address that were rejected by the eScrubber servers during a 3-minute period yesterday:
21:29:10 alb-24-25-153-232.nycap.rr.com[24.25.153.232]
21:29:14 ool-4354a252.dyn.optonline.net[67.84.162.82]
21:29:17 c-67-162-195-202.client.comcast.net[67.162.195.202]
21:29:20 c-24-131-246-43.mw.client2.attbi.com[24.131.246.43]
21:29:23 ool-4354b10c.dyn.optonline.net[67.84.177.12]
21:29:27 188rts38.wuh.wustl.edu[128.252.188.38]
21:29:31 blk2-235-114.eastlink.ca[24.224.235.114]
21:30:25 175.suab.chcg.cgcil01r18.dsl.att.net[12.102.133.175]
21:30:33 pcp105914pcs.echryh01.nj.comcast.net[68.45.97.150]
21:30:39 ACBC0FC4.ipt.aol.com[172.188.15.196]
21:31:50 cpe-066-057-150-020.nc.rr.com[66.57.150.20]
21:31:55 122-4.200-68.tampabay.rr.com[68.200.4.122]
21:32:02 pcp01449001pcs.carlsl01.pa.comcast.net[68.83.53.254]
21:32:07 ip142177048038.mpoweredpc.net[142.177.48.38]
21:32:14 rdu163-50-037.nc.rr.com[24.163.50.37]
21:32:21 CPE-24-94-191-123.kc.rr.com[24.94.191.123]
21:32:47 va-winchester3c-38.wch.adelphia.net[67.20.51.38]
21:32:56 pcp03078427pcs.hyatsv01.md.comcast.net[68.48.162.56]
No e-mail to that address was detected for 12 hours before and 5 hours after. This burst is just one of many that have been occurring for the past few weeks.
Note that the amount of time between most of the attempts in a burst is several seconds. I believe that when one computer fails to deliver the message it reports its failure and the task is given to another computer. If this is true, it indicates a highly-coordinated and sophisticated network of spamming computers. This is a good indication that the spammers are far ahead of current anti-spam technology.
It will be difficult for techniques such as DNSBLs or RBLs to scale when the population of hijacked Windows computers (for this one group) is 450,000 and the number can be easily increased. I think dealing with spam using black list techniques may be dead soon. We'll be rejecting a high percentage of white mail if we use black lists. The answer to the problem is elusive because the spammers/hackers are clearly capable of adapting to any defense mechanism we engineer - especially when Windows computers and DNS servers are so easily subverted.
The eScrubber solution relies more on white lists than black lists. This is not a perfect solution but will turn away more spam - for now. We'll have to develop more effective techniques if we're to keep up with the spammers.