New spam botnet?

I run my own domain name(s) and E-mail servers. It’s not that hard to do, and you should really consider it, instead of handing over your domains and E-mails to some ‘free’ service provider like Google (remember: if something is free, you are the product).

This, of course, means that I can change and tune everything to my liking. For instance, I use ClamAV, SpamAssassin, Spamhaus, SPF, DKIM, DMARC and Sieve to severely cut down on the amount of spam/malware that makes it into my family’s/friends’/own mailboxes. In fact, maybe one or two mails actually make it through the filters on a monthly basis – it’s nice to look at the statistics 😉 I like to auto-blacklist the hosts (hosts.deny) that try to send spam as well.

Interestingly, in the past two weeks I’ve gone from +/- 30K of those blacklisted hosts to over 70K. Considering that those 30K hosts took many months to collect, more than doubling that number in the span of just two weeks is quite unusual. I dug into the mail logs and discovered the following so far:

  • It’s all individual hosts, doing one attempt only
  • The hosts are located all over the world, although they primarily come from China, Russia, the former Soviet bloc and Brazil
  • Almost 100% of these hosts are already blacklisted on the list
  • The forged ‘From:’ header follows the same pattern, <randomfirstname>.<randomnumber>@<somedomainname>. Examples are:
  • Connections appear in batches, but are evenly spaced in time: roughly 5-6 seconds per connection attempt
  • The E-mails contain the usual malware/phishing attempts (Locky, other ransomware).

Seems like a new spam botnet came online.
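The traits listed above (one attempt per host, the <firstname>.<number>@<domain> sender pattern, even spacing inside batches) can be measured straight from a mail log. The script below is an added example, not code from the original post; the simplified log format, the 60-second batch threshold and the sample lines are constructed assumptions, so adapt `LINE_RE` to what your own MTA writes.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample in a simplified, hypothetical log format (not real MTA
# output). IPs and domains are documentation-only values.
SAMPLE_LOG = """\
2024-01-01T10:00:00 client=192.0.2.10 from=<anna.4821@example.com>
2024-01-01T10:00:05 client=198.51.100.7 from=<boris.17@example.net>
2024-01-01T10:00:11 client=203.0.113.44 from=<carla.90311@example.org>
2024-01-01T10:00:16 client=192.0.2.200 from=<dmitri.552@example.com>
2024-01-01T10:30:00 client=198.51.100.99 from=<elena.7@example.net>
2024-01-01T10:30:06 client=203.0.113.5 from=<newsletter@example.org>
2024-01-01T10:30:11 client=192.0.2.10 from=<fabio.3310@example.com>
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) from=<([^>]*)>$")
# Sender shape described in the post: <firstname>.<number>@<domain>
FROM_RE = re.compile(r"^[A-Za-z]+\.\d+@[\w.-]+$")

def parse(log):
    """Return (timestamp, client_ip, sender) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines in any other format
            events.append((datetime.fromisoformat(m[1]), m[2], m[3]))
    return sorted(events)

def summarize(events, batch_gap=60):
    """Count one-shot hosts, patterned senders, batches and in-batch spacing."""
    per_host = Counter(ip for _, ip, _ in events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    in_batch = [g for g in gaps if g <= batch_gap]  # longer gaps split batches
    return {
        "hosts": len(per_host),
        "single_attempt_hosts": sum(1 for n in per_host.values() if n == 1),
        "patterned_senders": sum(1 for *_, s in events if FROM_RE.match(s)),
        "batches": 1 + sum(1 for g in gaps if g > batch_gap) if events else 0,
        "median_gap_s": median(in_batch) if in_batch else None,
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

A high share of single-attempt hosts combined with a tight, constant in-batch gap is what separates this kind of coordinated run from ordinary background spam.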

