Carley Network Media

Spam - Latest Attack

Submitted by mgcarley on Sun, 11/25/2007 - 02:42.

Date of attack: 14/12/2007
Originating Computer Location: Possibly South Korea, being sent by relays in Italy. Several computers on different Italian ISPs appear to have been used in the distribution of these emails.
Method used: Uncertain at this time, suspected origin within a "Botnet" (see below).
Topic of messages: Varied - mostly about anatomy enlargement.
Total number of bounce mails received: Over 600 and counting (16.06 GMT+0200).

Date of attack: 25/11/2007
Originating Computer Location: Portugal (87-196-61-200.net.novis.pt)
Method used: Computer would appear to be part of a "botnet" (infected by a virus). Message therefore originated somewhere else, but was sent via this computer as part of the "botnet".
Topic of messages: Varied - mostly about fake watches.
Total number of bounce mails received: 4800 and growing (09.47 GMT+0900).

It has come to our attention that random email addresses have been combined with some of our domains to form the "reply to" or "from" addresses in a variety of SPAM messages.

This seems to happen a couple of times per year; however, it is becoming more frequent. There are a variety of ways that our domains could turn up like this: the choice could be random, or it could come from the harvesting of someone's address book after their computer became infected.

We would like to reassure everyone that Carley Network Media Ltd and its subsidiaries do not engage in the sending of these messages, nor do we condone such activities.

Carley Network Media would like to ask all Mail Server Administrators:

1. Check to see if it's the server it says it is.

Please set your mail servers to look up the PTR (reverse DNS) record for the sending server's IP address, and if no such record exists, to quietly delete all messages. Bouncebacks generate a lot of unnecessary mail for the affected domain.

While this may mean the loss of some email messages, we believe it would save everybody money in the long run, due to the bandwidth and administrative costs alone.

There must be other ways to solve the problem of how a sender learns that the recipient did not receive an email, but we believe that bounce notifications are archaic, and by our own estimates about 99.99% of the bounce notifications we receive in a year are the result of attacks like the ones described above.

As such, we now automatically move these to our junk folder. Two reasons for this are that a. It doesn't "clog up" our inbox and b. Since we clear the Junk folder on a fairly regular basis, we can still check to see that our legitimate emails are still getting through - particularly if the counter increases within a couple of minutes of sending an email!
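The check in recommendation 1, written out as an added example (not code from Carley Network Media or any particular mail server): it looks up the PTR record for the connecting IP, confirms that the name resolves back to that IP (forward-confirmed reverse DNS), and turns the result into an SMTP verdict. The lookup tables are constructed for the example; the `socket`-based adapters at the end are how a real deployment would plug in live DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed lookup tables standing in for DNS (assumption: not real hosts).
PTR_TABLE: Dict[str, str] = {
    "203.0.113.10": "mail.example.net",    # PTR present and forward lookup matches
    "198.51.100.7": "host7.relay.example", # PTR present but forward lookup differs
}
A_TABLE: Dict[str, List[str]] = {
    "mail.example.net": ["203.0.113.10"],
    "host7.relay.example": ["198.51.100.99"],
}

def table_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)

def table_a(name: str) -> List[str]:
    return A_TABLE.get(name, [])

def classify_client(ip: str,
                    ptr: Callable[[str], Optional[str]] = table_ptr,
                    a: Callable[[str], List[str]] = table_a) -> str:
    """Return 'accept', 'reject-no-ptr' or 'reject-mismatch' for a connecting IP."""
    ipaddress.ip_address(ip)          # raises ValueError on garbage input
    name = ptr(ip)
    if name is None:                  # no reverse record at all: the page's case
        return "reject-no-ptr"
    if ip not in a(name):             # name exists but does not point back to the IP
        return "reject-mismatch"
    return "accept"

def smtp_response(ip: str) -> str:
    """Verdict as the reply the MTA would give at connection time."""
    verdict = classify_client(ip)
    if verdict == "accept":
        return "250 OK"
    return f"550 5.7.1 Client {ip} rejected: {verdict}"

# Adapters for real DNS: pass these as ptr=/a= to classify_client in a deployment.
def live_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None

def live_a(name: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []
```

Making the decision at connection time, before the message is accepted, means no bounce is ever generated for the rejected message, which is what produces the backscatter described above.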

2. Check that the user is really allowed to send mail

Please set up your systems to require authentication before a user may send an email, and/or to accept only SSL connections, or otherwise restrict which systems are allowed to connect to your SMTP servers.

Although we hope that this is not such a big problem in North America and Europe these days (save for computers infected with viruses), it is a problem in China, Russia, Brazil and a few other countries.