[nsp-sec] HUGE SPAM attack against AS3320 last week => maybe over 280000 bots involved
Peter.Quick at t-systems.com
Tue Aug 30 11:13:02 EDT 2011
Hi list,
We had a VERY HUGE SPAM attack last week.
Every day for 2-3 hours we had a SPAM flood of over 3 million additional
SPAM mails (on top of the normal SPAM load) against *@telekom.de and *@t-systems.com.
We had a small impact on the mail infrastructure and on the DNS (implementation error
in the anti-spam solution), but altogether we have handled this attack.
Analysing the logs now, I'm surprised about the sources of the SPAM.
From one SPAM flood we have detected over 280000 unique IPs from all over the world.
From my point of view, this is a big botnet :-)
So my question to you is:
Has anyone else already had a SPAM attack on a company from such a big botnet?
Because from my point of view it does not make sense to SPAM a company with
advertisements with such a botnet. (only company employees, no end customers)
The targets were all our mail servers for telekom.de and t-systems.com:
tcmail12.telekom.de 80.149.113.164
tcmail13.telekom.de 80.149.113.165
tcmail32.telekom.de 194.25.30.6
tcmail33.telekom.de 194.25.30.7
tcmail52.telekom.de 217.5.214.109
tcmail53.telekom.de 217.5.214.110
tcmail72.telekom.de 217.243.239.134
tcmail73.telekom.de 217.243.239.135
tcmail82.telekom.de 62.225.183.130
tcmail83.telekom.de 62.225.183.131
"Toptalkers" (most IPs per AS) were:
#ofIPs  AS     Country  RIR      ISP Name
28886   45899  VN       apnic    VNPT-AS-VN VNPT Corp
24676   9829   IN       apnic    BSNL-NIB National Internet Backbone
23349   17974  ID       apnic    TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
16837   45595  PK       apnic    PKTELECOM-AS-PK Pakistan Telecom Company Limited
12333   9050   RO       ripencc  RTD ROMTELECOM S.A
11631   24560  IN       apnic    AIRTELBROADBAND-AS-AP Bharti Airtel Ltd.,Telemedia Services
9469    18403  VN       apnic    FPT-AS-AP The Corporation for Financing & Promoting Technology
5657    7552   VN       apnic    VIETEL-AS-AP Vietel Corporation
5641    7738   BR       lacnic   Telecomunicacoes da Bahia S.A.
5111    17813  IN       apnic    MTNL-AP Mahanagar Telephone Nigam Ltd.
4559    25019  SA       ripencc  SAUDINETSTC-AS Autonomus System Number for SaudiNet
2763    6713   MA       afrinic  IAM-AS
2757    6849   UA       ripencc  UKRTELNET JSC UKRTELECOM,
2705    17803  IN       apnic    BSES-AS-AP BSES TeleCom Limited
2571    8167   BR       lacnic   TELESC - Telecomunicacoes de Santa Catarina SA
2334    6697   BY       ripencc  BELPAK-AS BELPAK
2073    9299   PH       apnic    IPG-AS-AP Philippine Long Distance Telephone Company
1863    18881  BR       lacnic   Global Village Telecom
1839    8400   RS       ripencc  TELEKOM-AS TELEKOM SRBIJA a.d.
1753    9198   KZ       ripencc  KAZTELECOM-AS JSC Kazakhtelecom
The whole list of AS is attached.
The list with the IPs is 32 MB... Sorry for the big attachment.
Any comments on whether this is just a "normal attack" or whether this is maybe something
strange / special are more than welcome!!!
Did anybody else get hit by an additional SPAM flood last week?? (Wednesday - Friday)
Greetings,
Peter Quick
AS3320 Deutsche Telekom
T-Systems CERT
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: AS-numbers_count.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20110830/008cf1fa/attachment-0001.txt>
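
The per-AS "top talker" count described in the message above, as an added example that is not part of the original post: it deduplicates connecting client IPs from MTA log lines and attributes each to an origin AS by longest-prefix match. The log format (Postfix smtpd style), the prefix table, the ASNs and all function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (documentation prefixes/ASNs, assumed Postfix log format).
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64498,  # more specific route, must win over the /24
}
SAMPLE_LOG = """\
Aug 24 10:00:01 mx1 postfix/smtpd[811]: connect from unknown[192.0.2.10]
Aug 24 10:00:01 mx1 postfix/smtpd[812]: connect from unknown[192.0.2.11]
Aug 24 10:00:02 mx1 postfix/smtpd[813]: connect from unknown[192.0.2.10]
Aug 24 10:00:02 mx2 postfix/smtpd[440]: connect from host.example[198.51.100.7]
Aug 24 10:00:03 mx2 postfix/smtpd[441]: connect from unknown[198.51.100.200]
Aug 24 10:00:03 mx2 postfix/smtpd[442]: connect from unknown[203.0.113.9]
Aug 24 10:00:04 mx2 postfix/smtpd[443]: disconnect from unknown[192.0.2.99]
"""
# Anchor on "]: " so that "disconnect from" lines do not match.
CONNECT_RE = re.compile(r"\]: connect from \S*\[([0-9A-Fa-f.:]+)\]")

def unique_sources(lines):
    """Distinct client IPs seen in connect lines."""
    ips = set()
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            try:
                ips.add(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # malformed address in the log, skip it
    return ips

def origin_asn(ip, table):
    """Longest-prefix match; None when no prefix covers ip."""
    hits = [(n.prefixlen, a) for n, a in table if n.version == ip.version and ip in n]
    return max(hits)[1] if hits else None

def top_talkers(lines, prefix_to_asn=PREFIX_TO_ASN):
    """[(unique_ip_count, asn), ...] sorted by count, descending."""
    table = [(ipaddress.ip_network(p), a) for p, a in prefix_to_asn.items()]
    per_as = defaultdict(set)
    for ip in unique_sources(lines):
        per_as[origin_asn(ip, table)].add(ip)
    rows = [(len(ips), asn) for asn, ips in per_as.items()]
    return sorted(rows, key=lambda r: (-r[0], str(r[1])))

print(top_talkers(SAMPLE_LOG.splitlines()))
```

Sources with no covering prefix are grouped under `None` rather than dropped, so gaps in the routing table stay visible in the count.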