DDOS Attack Part II – Functionality and Motivation
Second part of the DDOS story:
How did it work and what do the spammers go to all the trouble for?
This spam attack was “distributed” in more than one sense:
Countless unsolicited e-mails were sent to numerous addresses of our customers in the usual spam manner. Of course, both the sender addresses and the IP addresses of the sending hosts changed constantly, to prevent easy filtering by SecuMail® at this stage. So far, this does not differ much from the everyday work of a spam filter. However, the content of the e-mails was extraordinary:
In addition to a few lines of random text, each mail contained a number of HTML links whose URLs pointed to strange domains. These URLs always followed the same pattern, x743h.russische-domain.ru, where “x743h” stands for a seemingly random combination of characters prepended to one of countless Russian domains. Of course, hardly any combination appeared more than once, which practically rules out manual filtering.
The evil plan behind all this: the name servers hosting the Russian domains were set up so that requests for subdomains were never answered. As a result, every such request ends in a DNS timeout. A good spam filter, though, examines every link it finds in the e-mail body and checks whether the host name resolves in the DNS and whether it is a known spam URL.
The aim of the plan was to force the filter servers to make an extremely large number of DNS queries while examining the e-mails, so that processing each message would be delayed for as long as possible. The sheer frequency of these waiting times was then supposed to bring e-mail processing to a standstill.
Administrators usually react to such failures in e-mail delivery by choosing the lesser evil, namely switching off the spam filter function. And that would give the spammer a free, unhindered ride straight into the mailboxes of the addressees – our customers!
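As an added illustration, not code from the article or from SecuMail®, here is a sketch in Python of how a link check can avoid being stalled by this trick: it caps the number of DNS lookups per message and remembers zones whose name servers keep timing out, so fresh random subdomains under a known stalling zone cost no further round trip. The resolver is injected; fake_resolve and the two sample mails are constructed stand-ins, and registrable_domain is a deliberately crude approximation.

```python
import re
from collections import defaultdict

# Constructed, simplified link extraction; a real filter parses the HTML body.
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def registrable_domain(host):
    """Approximate the zone under the sender's control: the last two labels
    (x743h.example.ru -> example.ru). Production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

class LinkChecker:
    """Checks link hosts with a hard cap on lookups per message and remembers
    zones whose name servers keep timing out, so later mails with fresh random
    subdomains under the same zone are judged without any DNS round trip."""

    def __init__(self, resolve, max_lookups=3, dead_after=2):
        self.resolve = resolve            # resolve(host) -> True/False, or raises TimeoutError
        self.max_lookups = max_lookups    # lookups allowed per message
        self.dead_after = dead_after      # timeouts before a zone counts as dead
        self.timeouts = defaultdict(int)  # per-zone timeout count, persists across messages

    def check_message(self, body):
        stats = dict(resolved=0, unresolvable=0, timeout=0, dead_zone=0, over_budget=0)
        lookups = 0
        for host in sorted({m.group(1) for m in URL_RE.finditer(body)}):
            zone = registrable_domain(host)
            if self.timeouts[zone] >= self.dead_after:
                stats["dead_zone"] += 1       # known stalling zone: no query needed
            elif lookups >= self.max_lookups:
                stats["over_budget"] += 1     # budget spent: stop querying, keep filtering
            else:
                lookups += 1
                try:
                    stats["resolved" if self.resolve(host) else "unresolvable"] += 1
                except TimeoutError:
                    self.timeouts[zone] += 1
                    stats["timeout"] += 1
        # Any link that did not cleanly resolve (including unchecked ones) flags the mail.
        suspicious = stats["resolved"] < sum(stats.values())
        return suspicious, stats

# Constructed stand-in for DNS: zones named spam* never answer, good.example resolves.
def fake_resolve(host):
    if registrable_domain(host).startswith("spam"):
        raise TimeoutError(host)
    return host.endswith("good.example")

MAIL_ONE_ZONE = " ".join(f"http://x{i}h.spam-zone.example/" for i in range(8)) + " http://www.good.example/"
MAIL_MANY_ZONES = " ".join(f"http://x{i}h.spam{i}.example/" for i in range(8))
```

The second mail shows the remaining weakness: many distinct stalling zones still cost one timeout each until the per-message budget kicks in, which is why the budget and the zone memory are both needed.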
Whether and how this plan led to success, you will find out in the third part.
Regards
Hannes Wilhelm