An insidious spam botnet attacks Charly



While going about his normal duties, Linux Magazine author Charly Kühnast was hit with a mean attack. Charly’s separate anti-spam server, which sits in front of his mail server, saved him from the mail storm.

A sunny Tuesday in July. I’m just typing my Sysadmin column for Linux Magazine. It’s 2.00 pm by the time I take a glance at the monitor that gives me the latest load and traffic data for the critical servers I manage. Lo and behold, the reject line in the spam filter graph has just skyrocketed (See Figure 1). The article will have to wait. The server is rejecting large quantities of mail at an early stage of the SMTP dialog. I suspect a wave of spam with clumsily spoofed envelopes. That’s nothing new: for each legitimate email I receive, I get at least two spam mails. But I still decide to open an SSH connection to the spam filter, which is running on a separate machine, and I can’t believe my eyes when I discover 140 parallel SMTP connections. That’s ten times the normal level. And it’s unusual for the server just to drop the connections like that.