Taking Out a SPAM’er

Helped ruin a SPAMer’s day – doubt that we took them out of business but we’ve hopefully delayed them for a bit and hurt their profit margin…
It all started with a significant increase in our inbound traffic with no linked increase in our outbound traffic (yes, outbound went up but nowhere near the same level). Some sleuthing with tcpdump during the influx showed that most of the traffic was DNS-related and coming from three machines under dca2.superb.net. With the help of our hosting provider (RUCC) we were able to block them, so our traffic was able to return to normal.

I fired off a quick email to abuse@superb.net thinking that maybe someone’s machines had been infected by a virus or something. I also started monitoring DNS traffic in general and found that many foreign machines were using our DNS to perform lookups on a variety of domains, not just those that we hosted. I modified our configuration so now our DNS would only answer queries about domains we host and started logging DNS traffic in more detail. Sure enough, over time things resolved themselves so now we’re no longer being used for any old DNS query.
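The detailed DNS logging described above can be turned into a simple check for open-resolver abuse: any client outside our own networks asking about names we do not host. The script below is an added example, not the configuration or tooling from the original post; it assumes the classic BIND query-log line shape (`client <ip>#<port>: query: <name> IN <type> ...`), and the hosted zones, trusted networks and log lines are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Zones this server is authoritative for (constructed for the example).
HOSTED_ZONES = ("example.org", "example.net")
# Networks whose clients may legitimately use this server as a recursive resolver.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines in the classic BIND query-log shape (assumed format):
#   client <ip>#<port>: query: <name> IN <type> <flags>
SAMPLE_LOG = """\
client 192.0.2.10#51000: query: www.example.org IN A +
client 192.0.2.10#51001: query: mail.example.com IN MX +
client 203.0.113.5#33001: query: example.org IN NS +
client 203.0.113.5#33002: query: mail.example.com IN MX +
client 203.0.113.5#33003: query: smtp.example.com IN A +
client 198.51.100.7#4400: query: www.example.com IN A +
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

def is_hosted(name):
    """True if the queried name is inside a zone we are authoritative for."""
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in HOSTED_ZONES)

def is_trusted(ip):
    """True if the client address belongs to a network allowed to recurse through us."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_open_resolver_abuse(log_text):
    """Return {client_ip: count} of recursive queries coming from untrusted clients."""
    abuse = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query-log line; ignore
        if is_hosted(m["name"]) or is_trusted(m["ip"]):
            continue  # authoritative answer, or a client we serve recursion to
        abuse[m["ip"]] += 1
    return dict(abuse)

if __name__ == "__main__":
    hits = find_open_resolver_abuse(SAMPLE_LOG)
    for ip, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} recursive queries for names we do not host")
```

Feeding a real query log through this after restricting recursion should leave the result empty; anything that still shows up is a client the access control did not cover.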

As to the machines on superb.net – it turns out that the machines generating the traffic were owned by a single client of theirs that was using superb.net to send out SPAM. By using our DNS and proxies to send the mails, they hoped to avoid detection. The superb.net crew terminated the SPAMer’s connection immediately with no refund of connection fee – which must have hurt the SPAMer as they’d just paid for a year’s connection in advance.