A DNS realization
One thing I did today was set up DNS for a hostname that we may need to re-point elsewhere very rapidly. This caused me to realize something important:
Setting low TTLs doesn't mean squat if you can't cause secondaries to reload on command.
Low TTLs mean that people will re-query A records frequently, but that doesn't help me change where the traffic is going if my secondaries haven't updated to my new set of A records. Unfortunately, none of the secondaries for our domains are under my control, and at least one of them doesn't act on DNS notifications.
The way around this problem is to make a subzone without secondary nameservers. Fortunately I could pick a more or less arbitrary hostname. (Even if you can't pick an arbitrary hostname I suppose you can usually make the fixed name a CNAME into a new subzone.)
I'm glad that I realized the impending problem while I was sitting around drumming my fingers as I waited for the secondaries to pick up the just-added hostname. Running into it during a frantic attempt to shuffle traffic destinations would have been un-fun.
Weekly spam summary on March 11th, 2006
Hotmail had an amazingly good week this time around:
- 5 messages accepted.
- 2 messages rejected because they came from non-Hotmail email addresses.
- no messages sent to our spamtraps.
- 6 messages refused because their sender addresses had already hit our spamtraps.
- only 1 message refused due to the origin IP address being in the CBL (and now in the SBL, as SBL34115).
Muting the happiness is the fact that the one CBL-rejected message was from a sympatico.ca address, and several of the emails accepted from Hotmail were from suspicious sympatico.ca usernames like 'delottonederlands' and 'winning_notificationmail2000'. Hotmail is evidently not quite there just yet, although at this rate I'm going to stop leading the reports with them.
The basic volume numbers:
- got 13,413 messages from 221 different IP addresses.
- handled 18,299 sessions from 846 different IP addresses.
- received 205,332 connections from at least 40,047 different IP addresses.
- a highwater of 19 connections being checked at once.
The number of connections is up drastically from last week, but everything else is more or less holding steady. The per day numbers are interesting:
Where last week had a dip on Wednesday, this week has a monstrous peak, tailing off into Thursday as well. The other days were pretty flat, so Wednesday and Thursday are pretty much where all of the extra connection volume came from; if not for them, we would have been down overall from last week.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 22.214.171.124 8268 408K 126.96.36.199 6759 333K 188.8.131.52/24 5135 257K 184.108.40.206/10 3254 167K 220.127.116.11 3024 139K 18.104.22.168 2501 150K 22.214.171.124/11 2366 122K 126.96.36.199/12 2113 108K 188.8.131.52/11 1875 95448 184.108.40.206 1761 106K
- 220.127.116.11 spammed us as 'save-mihaita.org' and was blocked. Evidently it continues to be very aggressive.
- 18.104.22.168, a Japanese IP address, was one of the probably compromised machines trying to send spam claiming to be from 'firstname.lastname@example.org'. It's always nice to see phish spammers labeling their spam so clearly; it makes it much easier to block.
- 22.214.171.124 reappears from last week, now blocked for being without good reverse DNS; it's still on the CBL, though.
- 126.96.36.199 is SBL38774, a phish spam source.
- 188.8.131.52 is an interbusiness.it client machine, and we haven't talked to them for years. (Maybe someday interbusiness.it will clean up its spam problem and get people to believe it.)
Connection time rejection stats:
26321 total 12533 dynamic IP 9039 bad or no reverse DNS 2553 class bl-cbl 516 class bl-dsbl 488 class bl-ordb 322 SKYLIST INC 184.108.40.206/18 185 class bl-spews 151 class bl-sbl 117 class bl-sdul 40 class bl-njabl 39 class bl-opm
We have had 220.127.116.11/18 explicitly blocked for some time now; at the time when we did it, it was due to SBL9613. The SBL listing is now gone (although there is still a SPEWS listing for it), but as you can see our explicit block lit up significantly this week. The connections seem to have mostly come from machines in the recipes4eachday.com and recipe4living-mail.com domains, so I don't think we're missing much.
Despite the connection volume power-up only one IP address was
refused more than 100 times (18.104.22.168, with 173 attempts).
Ten of the top 30 most refused IPs are currently in the CBL, one
is currently in the SBL, and 12 are currently in
The one SBL listed IP is 22.214.171.124, refused an even 50 times
before we blocked it.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The champion of bad
HELOs this week is 126.96.36.199, at 270 before
it went into the kernel-level blocks. Also on my mental hitlist
are 188.8.131.52 (94), 184.108.40.206 (88), 220.127.116.11 (80),
18.104.22.168 (63), and 22.214.171.124 (53).