Threat Analysis 9/21-9/23

Despite being in the first half of the week, spam volumes yesterday declined to levels usually seen on Fridays. Oddly enough, no viruses hit the mail server at all, something that hasn't happened all month.

The mail breakdown stayed on the high side, with blocked connections making up 88.7 percent of the volume and spam 10.7 percent. This is consistent with yesterday's mail patterns, but it's higher than the activity usually reported on Tuesdays.

The IP address originating in China continues to be a repeat offender, sending messages that the filters automatically blocked. It appears on four RBLs: SPAMCOP, XBL, CBL, and SORBS. Of all the messages blocked from the top-10 addresses over the three-day period, this single server was responsible for 8.7 percent of the volume.

Honeypot:

Intrusion detection logs from the trap network recorded several spam relay attempts. All of the visitor domains traced back to Beijing, China and were reported as not being behind proxy servers. A scan of SSH port 22 from mercycollege.edu was logged, as well as several scans of Telnet port 23, traced back to a domain out of Italy.

Log files also show numerous attempts to hack into the IIS server via Internet Printing Protocol. These attacks were made by an IP that resolves to nyc.biz.rr.com. SQL server attacks are still up. SQL server login attempts from an IP address in China were detected, as well as DOS attacks against SQL.
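The two kinds of figures in this report (the share of blocked mail volume attributed to one source among the top-10 addresses over three days, and the repeat scans and login attempts against SSH, Telnet, IIS and SQL in the trap-network logs) both come from aggregating per-source events over a multi-day window. The script below is an added example, not code from the original report or its author; it assumes a simple constructed log format ("timestamp source_ip destination_port action"), uses documentation-range IP addresses made up for the example, and maps a handful of destination ports to service names. It computes each top source's share of blocked volume, flags sources seen on two or more distinct days, and summarises non-mail probes per source and service.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines for this example (not taken from the report).
# Format per line: "<ISO timestamp> <source IP> <destination port> <action>"
# One deliberately malformed line is included to show it is skipped.
SAMPLE_LOG = """\
2004-09-21T08:01:10 203.0.113.7 25 blocked
2004-09-21T08:02:11 203.0.113.7 25 blocked
2004-09-21T09:15:00 198.51.100.4 25 blocked
2004-09-21T10:00:00 192.0.2.9 22 scan
2004-09-22T07:30:00 203.0.113.7 25 blocked
2004-09-22T07:31:00 203.0.113.7 25 blocked
2004-09-22T11:00:00 198.51.100.4 25 blocked
2004-09-22T12:00:00 192.0.2.33 23 scan
2004-09-23T06:00:00 203.0.113.7 25 blocked
2004-09-23T06:05:00 192.0.2.33 23 scan
2004-09-23T07:00:00 198.51.100.4 25 blocked
2004-09-23T09:00:00 198.51.100.77 80 attempt
2004-09-23T09:10:00 198.51.100.77 1433 attempt
this line is garbage and is skipped
"""

# Assumed port-to-service map covering the services the report mentions.
# IPP attacks against IIS arrive over HTTP, so port 80 is labelled accordingly.
SERVICES = {22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP/IIS", 1433: "MSSQL"}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, port, action = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "src": src,
                "port": int(port),
                "action": action,
            })
        except ValueError:
            # Bad timestamp or non-numeric port: ignore rather than abort the run.
            continue
    return events


def blocked_share(events, top_n=10):
    """Fraction of blocked volume per source, among the top_n blocking sources."""
    counts = Counter(e["src"] for e in events if e["action"] == "blocked")
    top = counts.most_common(top_n)
    total = sum(n for _, n in top)
    if total == 0:
        return {}
    return {src: n / total for src, n in top}


def repeat_offenders(events, min_days=2):
    """Sources seen on at least min_days distinct days, mapped to their sorted dates."""
    days = defaultdict(set)
    for e in events:
        days[e["src"]].add(e["ts"].date().isoformat())
    return {src: sorted(d) for src, d in days.items() if len(d) >= min_days}


def probe_summary(events):
    """Count scan/attempt events per (source, service) for non-mail probes."""
    summary = Counter()
    for e in events:
        if e["action"] in ("scan", "attempt"):
            service = SERVICES.get(e["port"], f"port {e['port']}")
            summary[(e["src"], service)] += 1
    return summary


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, share in blocked_share(evs).items():
        print(f"{src}: {share:.1%} of top-source blocked volume")
    for src, dates in repeat_offenders(evs).items():
        print(f"repeat offender {src}: seen on {', '.join(dates)}")
    for (src, svc), n in probe_summary(evs).most_common():
        print(f"{src} -> {svc}: {n} event(s)")
```

The share is computed against the top-N sources' combined total rather than all traffic, matching how the report's 8.7 percent figure is framed; pass a larger `top_n` or the full event list if you want the share of everything blocked. The repeat-offender check keys on distinct calendar days, so a burst of many hits in one day does not by itself count as persistence.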