Very Large BOT activates

As of about 36 hours ago, another large bot activated in order to send spam and perform dictionary attacks. And as usual, this could have been mitigated if more ISPs blocked port 25 outbound. This BOT was substantial enough to almost double a mail server's bandwidth, even when the messages were rejected at the SMTP layer.

This BOT is only slightly interesting from a technical standpoint: it uses ‘CamelCase’ SMTP commands, and it uses the same address for MAIL FROM as for RCPT TO.

For example:

Issues EHLO (not HELO)
Mail From: <>
Rcpt To: <>

A lot of invalid email addresses are tested as well, so this bot can also be considered a form of dictionary attack that tries to identify legitimate email addresses.

(This is one more reason to NEVER whitelist your own email address or domain)

Also, the bot is active on the Windows machines themselves, rather than being a CPE compromise. It also doesn’t follow standard practice when a recipient is rejected: instead of sending QUIT in response to an invalid-user rejection, it simply terminates the connection.

The BOT itself is trivial to detect as spam and shouldn’t affect anyone’s inbox, but it does consume resources and bandwidth.
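The traits described above (mixed-case SMTP verbs, MAIL FROM equal to RCPT TO, a run of rejected recipients, and a connection dropped without QUIT after a rejection) can be scored straight from an SMTP session transcript. The following is an added example written for this post, not the author's own tooling; the two transcripts are constructed for illustration and are not captured traffic, and the "two or more indicators" threshold is an assumed cut-off rather than anything the post specifies.

```python
import re

# Constructed sample transcripts (not captured traffic). "C:" lines are what
# the client sent, "S:" lines are the server's replies. Message bodies omitted.
BOT_SESSION = """\
C: EHLO bot-host.example
S: 250-mx.example.net
S: 250 PIPELINING
C: Mail From: <bob@example.net>
S: 250 2.1.0 Ok
C: Rcpt To: <bob@example.net>
S: 250 2.1.5 Ok
C: Rcpt To: <bobb@example.net>
S: 550 5.1.1 <bobb@example.net>: Recipient address rejected: User unknown
C: Rcpt To: <robert@example.net>
S: 550 5.1.1 <robert@example.net>: Recipient address rejected: User unknown
C: Rcpt To: <bob.smith@example.net>
S: 550 5.1.1 <bob.smith@example.net>: Recipient address rejected: User unknown
"""
# (connection closed by the client here, no QUIT)

LEGIT_SESSION = """\
C: EHLO mail.sender.example
S: 250-mx.example.net
S: 250 PIPELINING
C: MAIL FROM:<ann@sender.example>
S: 250 2.1.0 Ok
C: RCPT TO:<bob@example.net>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: .
S: 250 2.0.0 Ok: queued
C: QUIT
S: 221 2.0.0 Bye
"""


def split_command(payload):
    """Split a client line into (verb exactly as sent, argument).

    MAIL/RCPT keep their second keyword so 'Mail From:' and 'MAIL FROM:'
    compare as the same command while preserving the case the client used.
    """
    parts = payload.split(None, 1)
    verb, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    if verb.upper() in ("MAIL", "RCPT"):
        # the keyword may be glued to the colon, e.g. "FROM:<a@b>"
        m = re.match(r"([A-Za-z]+)\s*:?\s*(.*)", rest)
        if m:
            verb, rest = f"{verb} {m.group(1)}", m.group(2)
    return verb, rest.strip()


def parse_session(transcript):
    """Pair each client command with the 3-digit status code of its reply."""
    events = []  # [verb, argument, reply_code]
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("C:"):
            verb, arg = split_command(line[2:].strip())
            events.append([verb, arg, None])
        elif line.startswith("S:") and events and events[-1][2] is None:
            m = re.match(r"(\d{3})", line[2:].strip())
            if m:  # only the first line of a multi-line reply sets the code
                events[-1][2] = m.group(1)
    return events


def extract_addr(arg):
    m = re.search(r"<([^>]*)>", arg)
    return (m.group(1) if m else arg).strip().lower()


def analyse(transcript):
    """Score one session against the behavioural traits of the bot."""
    events = parse_session(transcript)
    verbs = [e[0] for e in events]
    sender, recipients, rejected = None, [], 0
    for verb, arg, code in events:
        key = verb.upper()
        if key == "MAIL FROM":
            sender = extract_addr(arg)
        elif key == "RCPT TO":
            recipients.append(extract_addr(arg))
            if code and code.startswith("5"):
                rejected += 1
    indicators = {
        # verbs that are neither all-upper nor all-lower, e.g. 'Mail From'
        "camelcase_commands": any(v != v.upper() and v != v.lower() for v in verbs),
        "sender_equals_recipient": sender is not None and sender in recipients,
        # a 5xx on a recipient, then the client walked away without QUIT
        "dropped_after_rejection": rejected > 0 and "QUIT" not in {v.upper() for v in verbs},
        # several recipients tried and most unknown: address probing
        "recipient_probing": len(recipients) >= 3 and rejected / len(recipients) >= 0.5,
    }
    hits = sum(indicators.values())
    return {"indicators": indicators, "score": hits, "verdict": "bot" if hits >= 2 else "ok"}


if __name__ == "__main__":
    for name, session in (("bot", BOT_SESSION), ("legit", LEGIT_SESSION)):
        print(name, analyse(session))
```

None of the four indicators is decisive on its own (a misconfigured but honest MTA can drop a connection, and a user can legitimately mail themselves), which is why the verdict requires at least two of them. Running the same scoring over a mail server's SMTP log rather than over a transcript is a matter of replacing parse_session with a parser for that log format.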

BTW, just to give you an idea of one ISP who should lock down their dynamic IP space, here is some of their infected space:
