
Forum Moderators: phranque

massive spam attacks taking down server

new IPs every night, how to stop?!

     
9:27 am on Dec 5, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 16, 2002
posts:2010
votes: 0


I've never experienced anything like this and we can't seem to make it stop.

Every night <snip> is spamming our server and loads are going through the roof halting all activity.

We block their IP and then the next night they are back with new IPs.

Any advice on how to stop this in a more automated fashion?

(apache 1.3x server with cpanel)

Thanks for any ideas!

[edited by: trillianjedi at 3:03 pm (utc) on Dec. 5, 2006]
[edit reason] No specifics please.... [/edit]

9:38 am on Dec 5, 2006 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10542
votes: 8


<snip>

[edited by: trillianjedi at 3:05 pm (utc) on Dec. 5, 2006]
[edit reason] Specifics are not required, thanks.... [/edit]

9:44 am on Dec 5, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 16, 2002
posts:2010
votes: 0


<snip>

apparently they have quite a wide network of IPs and bandwidth

[edited by: trillianjedi at 3:05 pm (utc) on Dec. 5, 2006]

10:16 am on Dec 5, 2006 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10542
votes: 8


you can use mod_rewrite to redirect the request to some other url which might be useful for the purpose based on a request header value.

please see this:
[httpd.apache.org...]

2:22 pm on Dec 5, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 16, 2002
posts:2010
votes: 0


mod_rewrite is for web access, this is email

Someone sent me some interesting info about <snip> on <snip>

[edited by: amznVibe at 2:22 pm (utc) on Dec. 5, 2006]

[edited by: trillianjedi at 3:03 pm (utc) on Dec. 5, 2006]
[edit reason] No specifics please ;) [/edit]

2:38 pm on Dec 5, 2006 (gmt 0)

Full Member

10+ Year Member

joined:Sept 24, 2002
posts:214
votes: 0


Do you have a catchall account set up? At one point I had one, and one Christmas I had my server fill up with 30,000 emails (which made it go slow). I have since removed the catchall account. I still get spam but only spam to email accounts that exist. I am using Exchange 2003.

3:06 pm on Dec 5, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member trillianjedi is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 15, 2003
posts:7242
votes: 0


Let's not name names here, please. Our TOS refers and the specifics are not required.

Thanks,

TJ

5:41 pm on Dec 5, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Sept 28, 2002
posts:505
votes: 0


You may take a closer look at that mail spam.
Is it spam for company XYZ or in their name (maybe a joe-job?) -- or does it really originate from IP addresses belonging to them? Or from arbitrary random IP addresses?
If it is originating from *their* IP addresses, then identify their IP address ranges and block entire ranges, not just single addresses.
If you can find those IP addresses listed on SORBS or SPAMHAUS or other RBLs, then let your mailserver use these RBLs. If they originate from a network of zombified spam bots on end-user dial-up addresses, then use a DUL RBL.
Depending on your specifics, this may help a lot -- or not.

Kind regards,
R.
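
The two checks suggested in the post above (collapse repeat offenders into ranges, and ask an RBL about the rest), as an added example that is not part of the original thread. The zone `dnsbl.example`, the sample addresses and the `fake_resolver` stand-in are assumptions made so the code runs offline; a real mail server would query the zone of the list it has chosen.

```python
import ipaddress
import socket
from collections import defaultdict

def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the DNSBL answers with a 127.0.0.0/8 address, False otherwise."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False  # no record: not listed (a failed lookup also lands here)
    return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")

def collapse_to_ranges(ips, prefix=24, min_hits=3):
    """Group offending IPs by network; return (ranges to block, leftover single IPs)."""
    buckets = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        buckets[net].add(ipaddress.IPv4Address(ip))
    ranges = sorted(n for n, hosts in buckets.items() if len(hosts) >= min_hits)
    singles = sorted(h for hosts in buckets.values()
                     if len(hosts) < min_hits for h in hosts)
    return [str(n) for n in ranges], [str(h) for h in singles]

# Constructed sample: connecting IPs taken from two nights of mail logs
# (documentation address space, not real senders).
SAMPLE_IPS = ["198.51.100.7", "198.51.100.19", "198.51.100.203",
              "203.0.113.5", "198.51.100.7", "192.0.2.44"]

def fake_resolver(name):
    """Hypothetical stand-in for DNS: exactly one name is 'listed'."""
    if name == "5.113.0.203.dnsbl.example":
        return "127.0.0.2"
    raise socket.gaierror("NXDOMAIN")

if __name__ == "__main__":
    ranges, singles = collapse_to_ranges(SAMPLE_IPS)
    print("block ranges:", ranges)
    for ip in singles:
        listed = is_listed(ip, "dnsbl.example", fake_resolver)
        print(ip, "listed" if listed else "not listed")
```

Raising `min_hits` or narrowing `prefix` reduces the chance of blocking legitimate senders that share a network with the offenders.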

5:50 pm on Dec 5, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member jtara is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 26, 2005
posts:3041
votes: 0


What is the call to action in the spam? That is your clue to identifying the spammer, which may or may not be who they appear to be on the surface.

If they want you to go to a web site, check the URL carefully. Does it go to the site it claims to be? Use WHOIS to see if it really belongs to the company they are claiming to be. Check for affiliate codes in the URL. Do they want you to call a phone number? There are reverse-number directories.

If there's an affiliate code, contact the company and tell them that one of their affiliates is spamming.

If they've set up a fake site using a similar name, etc. also contact the company they are faking - their legal department has better resources than you do, and an interest in making them stop.

If there is a phone number, it is almost certainly the number to a third-party call center, 900-program operator, etc. They generally don't want the liability of being associated with spam, and can bring pressure on the spammer or even cut off their phone service.

 
