Re: Bot net? SPAM Bounces...

["Robert D. Holtz" <robert.d.holtz () gmail com>]

Here's the link for a new Botnet only mailing list.  Just got PR 
yesterday and already there's some interesting stuff flowing on it.

You may want to drop this message out there.

botnets () whitestar linuxbox org

gregs () sloop net wrote:

> I've been getting a lot of what appear to be spam bounces the last week or so. I'd usually ignore them, but this isn't 
> typical for me, or anything I've seen before.
>
> I perhaps 150 bounces a day. In the past, I'll get a huge rash of these all at one time, and for a day or two. Then it'll 
> cease. Further, they've all come from the same sending machine in the past.
>
> Here's a quick sampling of the sending headers info.
>
> Received: from m4.net81-67-28.noos.fr (m4.net81-67-28.noos.fr [81.67.28.4])
>        by afb.business-hosting.ru (Postfix) with SMTP id AE7BF339B09;
>        Sat,  4 Mar 2006 00:46:07 +0300 (MSK)
>        
> Received: from a83-132-103-247.cpe.netcabo.pt (83.132.103.247)
>  by neptun.nskhost.ru with SMTP; 4 Mar 2006 03:42:35 +0600
>  
> Received: from ip93.iflk.com ([216.191.203.93]) by volzhanka.ru with Microsoft SMTPSVC(6.0.3790.1830);
>         Sat, 4 Mar 2006 02:29:05 +0500
>         
> Received: from pc-163-244-104-200.cm.vtr.net ([200.104.244.163]) by mail.imli.ru with Microsoft SMTPSVC(6.0.3790.1830);
>         Sat, 4 Mar 2006 00:23:34 +0300
>         
> Received: from cpe-72-224-115-123.nycap.res.rr.com (cpe-72-224-115-123.nycap.res.rr.com [72.224.115.123])
>        by relay2new.metrocom.ru (8.12.10/8.12.10) with SMTP id k23LFUqp049011;
>        Sat, 4 Mar 2006 00:15:31 +0300 (MSK)
>        
> Received: from [222.235.234.93] (helo=217.23.144.128)
>        by mini.caravan.ru with smtp (Exim 4.40)
>        id 1FFHVs-0004AV-P4; Sat, 04 Mar 2006 00:08:37 +0300
>        
> Received: from 6532130hfc51.tampabay.res.rr.com (6532130hfc51.tampabay.res.rr.com [65.32.130.51])
>        by shape.iks.ru (8.12.10/8.12.10) with SMTP id k238Awc7021590;
>        Fri, 3 Mar 2006 20:11:04 +1200 (PETT)
>        
> Received: from cpe-72-177-178-57.houston.res.rr.com (cpe-72-177-178-57.houston.res.rr.com [72.177.178.57])
>        by rovter.legion.ru (Postfix) with SMTP id 3895147A4;
>        Fri,  3 Mar 2006 23:59:59 +0000 (GMT)
>        
> Received: from 201009189149.user.veloxzone.com.br (201009189149.user.veloxzone.com.br [201.9.189.149])
>        by mx2.konalink.ru with ESMTP;
>        Fri, 3 Mar 2006 23:14:53 +0300
>        
> Received: from [81.22.147.198] (helo=194.58.78.34)
>        by directadmin.xx.ru with smtp (Exim 4.50)
>        id 1FFGao-000JAo-IH; Fri, 03 Mar 2006 23:09:42 +0300
>                                                                    
>
> Is this typical, and should I just put up with it? I assume it has to be a bot-net since I'm getting these from a whole 
> host of machines, and it would be unlikely to pick my addy by random on a whole host of spammers at the same time.
>
> What's interesting though, is I'd expect to practically drown under the load - thousands or tens of thousands of bounces if 
> a botnet was using a single from: addy. Are they picking a huge pool and round-robin'ing them?
>
> Curious. TIA.
> Greg
>
>