Wandering Thoughts archives

A DNS realization

One thing I did today was set up DNS for a hostname that we may need to re-point elsewhere very rapidly. This caused me to realize something important:

Setting low TTLs doesn't mean squat if you can't cause secondaries to reload on command.

Low TTLs mean that people will re-query A records frequently, but that doesn't help me change where the traffic is going if my secondaries haven't updated to my new set of A records. Unfortunately, none of the secondaries for our domains are under my control, and at least one of them doesn't act on DNS notifications.

The way around this problem is to make a subzone without secondary nameservers. Fortunately I could pick a more or less arbitrary hostname. (Even if you can't pick an arbitrary hostname I suppose you can usually make the fixed name a CNAME into a new subzone.)

I'm glad that I realized the impending problem while I was sitting around drumming my fingers as I waited for the secondaries to pick up the just-added hostname. Running into it during a frantic attempt to shuffle traffic destinations would have been un-fun.

Weekly spam summary on March 11th, 2006

Hotmail had an amazingly good week this time around:

• 5 messages accepted.
• 2 messages rejected because they came from non-Hotmail email addresses.
• no messages sent to our spamtraps.
• 6 messages refused because their sender addresses had already hit our spamtraps.
• only 1 message refused due to the origin IP address being in the CBL (and now in the SBL, as SBL34115).

Muting the happiness is the fact that the one CBL-rejected message was from a sympatico.ca address, and several of the emails accepted from Hotmail were from suspicious sympatico.ca usernames like 'delottonederlands' and 'winning_notificationmail2000'. Hotmail is evidently not quite there just yet, although at this rate I'm going to stop leading the reports with them.

The basic volume numbers:

• got 13,413 messages from 221 different IP addresses.
• handled 18,299 sessions from 846 different IP addresses.
• received 205,332 connections from at least 40,047 different IP addresses.
• a highwater of 19 connections being checked at once.

The number of connections is up drastically from last week, but everything else is more or less holding steady. The per day numbers are interesting:

Where last week had a dip on Wednesday, this week has a monstrous peak, tailing off into Thursday as well. The other days were pretty flat, so Wednesday and Thursday are pretty much where all of the extra connection volume came from; if not for them, we would have been down overall from last week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
66.235.205.240         8268    408K
222.146.2.198          6759    333K
212.216.176.0/24       5135    257K
61.128.0.0/10          3254    167K
88.225.43.100          3024    139K
81.169.150.103         2501    150K
220.160.0.0/11         2366    122K
219.128.0.0/12         2113    108K
218.0.0.0/11           1875   95448
82.107.127.75          1761    106K

• 66.235.205.240 spammed us as 'save-mihaita.org' and was blocked. Evidently it continues to be very aggressive.
• 222.146.2.198, a Japanese IP address, was one of the probably compromised machines trying to send spam claiming to be from 'support@apaypal.com'. It's always nice to see phish spammers labeling their spam so clearly; it makes it much easier to block.
• 88.225.43.100 reappears from last week, now blocked for being without good reverse DNS; it's still on the CBL, though.
• 81.169.150.103 is SBL38774, a phish spam source.
• 82.107.127.75 is an interbusiness.it client machine, and we haven't talked to them for years. (Maybe someday interbusiness.it will clean up its spam problem and get people to believe it.)

Connection time rejection stats:

  26321 total
  12533 dynamic IP
   9039 bad or no reverse DNS
   2553 class bl-cbl
    516 class bl-dsbl
    488 class bl-ordb
    322 SKYLIST INC 69.56.0.0/18
    185 class bl-spews
    151 class bl-sbl
    117 class bl-sdul
     40 class bl-njabl
     39 class bl-opm

We have had 69.56.0.0/18 explicitly blocked for some time now; at the time when we did it, it was due to SBL9613. The SBL listing is now gone (although there is still a SPEWS listing for it), but as you can see our explicit block lit up significantly this week. The connections seem to have mostly come from machines in the recipes4eachday.com and recipe4living-mail.com domains, so I don't think we're missing much.

Despite the connection volume power-up only one IP address was refused more than 100 times (81.86.27.181, with 173 attempts). Ten of the top 30 most refused IPs are currently in the CBL, one is currently in the SBL, and 12 are currently in bl.spamcop.net. The one SBL listed IP is 81.169.150.103, refused an even 50 times before we blocked it.

And the final numbers:

The champion of bad HELOs this week is 63.105.86.51, at 270 before it went into the kernel-level blocks. Also on my mental hitlist are 209.113.245.138 (94), 199.106.238.47 (88), 69.105.51.114 (80), 72.11.65.10 (63), and 207.101.116.51 (53).