
Forum Moderators: phranque

massive spam attacks taking down server

new IPs every night, how to stop?!

   
9:27 am on Dec 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've never experienced anything like this and we can't seem to make it stop.

Every night <snip> is spamming our server and loads are going through the roof halting all activity.

We block their IP and then the next night they are back with new IPs.

Any advice on how to stop this in a more automated fashion?

(apache 1.3x server with cpanel)

Thanks for any ideas!

[edited by: trillianjedi at 3:03 pm (utc) on Dec. 5, 2006]
[edit reason] No specifics please.... [/edit]

9:38 am on Dec 5, 2006 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



<snip>

[edited by: trillianjedi at 3:05 pm (utc) on Dec. 5, 2006]
[edit reason] Specifics are not required, thanks.... [/edit]

9:44 am on Dec 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



<snip>

apparently they have quite a wide network of IPs and bandwidth

[edited by: trillianjedi at 3:05 pm (utc) on Dec. 5, 2006]

10:16 am on Dec 5, 2006 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



you can use mod_rewrite to redirect the request to some other url which might be useful for the purpose based on a request header value.

please see this:
[httpd.apache.org...]

2:22 pm on Dec 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



mod_rewrite is for web access, this is email

Someone sent me some interesting info about <snip> on <snip>

[edited by: amznVibe at 2:22 pm (utc) on Dec. 5, 2006]

[edited by: trillianjedi at 3:03 pm (utc) on Dec. 5, 2006]
[edit reason] No specifics please ;) [/edit]

2:38 pm on Dec 5, 2006 (gmt 0)

10+ Year Member



Do you have a catchall account set up? At one point I had one, and one Christmas I had my server fill up with 30,000 emails (which made it go slow). I have since removed the catchall account. I still get spam, but only spam to email accounts that exist. I am using Exchange 2003.

3:06 pm on Dec 5, 2006 (gmt 0)

WebmasterWorld Senior Member trillianjedi is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Let's not name names here, please. Our TOS refers and the specifics are not required.

Thanks,

TJ

5:41 pm on Dec 5, 2006 (gmt 0)

10+ Year Member



You may want to take a closer look at that mail spam.
Is it spam for company XYZ or in their name (maybe a joe-job?) -- or does it really originate from IP addresses belonging to them? Or from arbitrary random IP addresses?
If it is originating from *their* IP addresses, then identify their IP address ranges and block entire ranges, not just single addresses.
If you can find those IP addresses listed on SORBS or SPAMHAUS or other RBLs, then let your mailserver use these RBLs. If they originate from a network of zombified spam bots on end-user dial-up addresses, then use a DUL RBL.
Depending on your specifics, this may help a lot -- or not.

Kind regards,
R.
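
The range-blocking and RBL advice in the post above, as an added example that is not part of the original thread: it groups the sending addresses found in a mail log into networks worth blocking as a whole and builds the DNS name a mail server looks up to test an address against an RBL. The log lines, the /24 grouping, the threshold of three distinct senders and the zone `dnsbl.example` are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines (not from the thread). The addresses come from the
# documentation-only ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_LOG = """\
2006-12-05 02:11:01 H=(mail.example) [192.0.2.14] rejected RCPT <a@example.org>
2006-12-05 02:11:02 H=(mail.example) [192.0.2.77] rejected RCPT <b@example.org>
2006-12-05 02:11:03 H=(mail.example) [192.0.2.201] rejected RCPT <c@example.org>
2006-12-05 02:11:04 H=(dsl.example) [198.51.100.9] rejected RCPT <d@example.org>
2006-12-05 02:11:05 H=(mail.example) [192.0.2.14] rejected RCPT <e@example.org>
2006-12-05 02:11:06 H=(other.example) [203.0.113.5] rejected RCPT <f@example.org>
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def source_ips(log_text):
    """Return the set of distinct, valid IPv4 addresses seen in the log."""
    found = set()
    for match in IP_IN_BRACKETS.finditer(log_text):
        try:
            found.add(ipaddress.IPv4Address(match.group(1)))
        except ipaddress.AddressValueError:
            continue  # e.g. [999.1.1.1]: looks like an address, is not one
    return found

def ranges_to_block(log_text, prefix=24, min_distinct=3):
    """Networks holding at least min_distinct distinct senders (assumed threshold)."""
    members = {}
    for ip in source_ips(log_text):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        members.setdefault(net, set()).add(ip)
    return sorted(net for net, ips in members.items() if len(ips) >= min_distinct)

def not_covered(log_text, blocked):
    """Senders outside every blocked range: candidates for an RBL check instead."""
    return sorted(ip for ip in source_ips(log_text)
                  if not any(ip in net for net in blocked))

def dnsbl_query_name(ip, zone):
    """RBL lookups reverse the IPv4 octets and append the list's DNS zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone
```

An address counts as listed when the name from `dnsbl_query_name` resolves to an A record in the list's zone; the mail server does that lookup itself once it is configured to use the RBL.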

5:50 pm on Dec 5, 2006 (gmt 0)

WebmasterWorld Senior Member jtara is a WebmasterWorld Top Contributor of All Time 5+ Year Member



What is the call to action in the spam? That is your clue to identifying the spammer, which may or may not be who they appear to be on the surface.

If they want you to go to a web site, check the URL carefully. Does it go to the site it claims to be? Use WHOIS to see if it really belongs to the company they are claiming to be. Check for affiliate codes in the URL. Do they want you to call a phone number? There are reverse-number directories.

If there's an affiliate code, contact the company and tell them that one of their affiliates is spamming.

If they've set up a fake site using a similar name, etc., also contact the company they are faking - their legal department has better resources than you do, and an interest in making them stop.

If there is a phone number, it is almost certainly the number to a third-party call center, 900-program operator, etc. They generally don't want the liability of being associated with spam, and can bring pressure on the spammer or even cut off their phone service.
