2005-07-31
Spam storm aftermath, July 30th 2005
The spam storm seems to have died down now and it's a Saturday night, so it's time for a wrap-up and a look at the overall stats this week.
This week's total is 295,000 SMTP connections from at least 38,000 different IP addresses. In hindsight, the spam storm was probably already dying on the 26th, since we got only about another 60,000 SMTP connections since then (which is more or less average). While our logs show some more hits characteristic of the spammer after that point, the volume steadily decreased over the rest of the week.
Kernel level filtering:
    Host/Mask          Packets  Bytes
    212.216.176.0/24      7193   391K
    221.216.0.0/13        4058   195K
    65.214.61.100         3768   181K
    85.92.129.231         3565   214K
    62.221.254.34         3143   189K
    219.128.0.0/12        3119   156K
    61.128.0.0/10         2933   148K
    220.160.0.0/11        2709   136K
    66.49.190.112         2392   143K
    170.206.225.64        2309   111K
Interestingly, this week sees far fewer individual IP addresses in the top 10 and more (large) netblocks. The counts are also up, so I suspect that a lot of zombies in those netblocks were trying to hammer on us.
Stats on SMTP connection time rejections:
    25376 total
    13070 dynamic IP
     8509 bad or no reverse DNS
     1853 class bl-cbl
      525 class bl-sbl
      345 class bl-spews
      252 class bl-sdul
      232 class bl-dsbl
      228 class bl-njabl
       63 class bl-ordb
       24 class bl-opm
The SBL hits are way up, but I believe this is mostly because a few SBL-listed spam sources decided to hammer on us this week (with the big winner being SBL24651 at almost a hundred attempts between two IP addresses). Unsurprisingly, the SORBS DUL is up, since a lot of zombies are going to be dynamic IP addresses and hopefully listed there.
We saw successful SMTP connections from only 1227 different IP addresses, and actual mail delivery from only 189 different IP addresses, again the usual pathetic ratios. (Spam, spam, oh glorious spam. Please die now.)
Our volume of bad HELOs and people sending us bounces to nonexistent local users is down. (I'm not going to try to generate systematic numbers.)