Wandering Thoughts archives


Weekly spam summary on January 20th, 2007

Our SMTP frontend crashed a lot this week, so the connection volume number is a lot more approximated than usual. Having said that, this week we:

  • got 14,060 messages from 292 different IP addresses.
  • handled 21,260 sessions from 1,496 different IP addresses.
  • received over 183,239 connections; I'm not going to try to guess at the minimum number of different IP addresses.
  • probably hit a highwater of 6 connections being checked at once.

It seems likely that volume was around that of last week or maybe a bit lower, but it's very hard to tell.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes          21316   1101K         18080   1081K       12078    544K         4945    231K         4683    225K           4208    202K          4149    248K          4058    195K         3513    169K         3360    161K
  • returns from last week and many previous appearances.
  • was on the NJABL when we blocked it, but no longer is.
  • is a Pacbell DSL line in the SORBS DUL list.
  • and kept trying bad HELOs.
  • kept trying to send us stuff that had already tripped our spamtraps.
  • and are both things that we consider dialups.

The overall volume is clearly up from last week, although only one IP address is one that's made the lists before. (And that one is terra.es's mail server, which we haven't wanted to talk to for ages.)

Connection time rejection stats:

  48728 total
  32588 dynamic IP
  12796 bad or no reverse DNS
   2058 class bl-cbl
    206 class bl-sdul
    143 class bl-dsbl
     98 class bl-pbl
     58 class bl-njabl
     50 class bl-sbl

As you can see, we've added the Spamhaus PBL to our list of blocklists. It hasn't hit much because it comes after the CBL and our extensive hand-maintained list of dialups and other dynamic IPs.

Only one out of the top 30 most rejected IPs was rejected 100 times or more this week;, a wanadoo.fr dialup, was rejected 422 times. 13 of the top 30 are currently in the CBL, and 5 are currently in bl.spamcop.net.

Half of our SBL rejections came from (25 rejections, SBL50181), a compromised web server being abused to send advance fee fraud spam for some time. After that is (7 rejections, SBL50211), labeled as an opt-out spammer, and (4 rejections, SBL49046), more advance fee fraud spamming.

This week Hotmail brought us:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 30 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one from saix.net, one from Burkina Faso).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 1578 101 566 98
Bad bounces 455 345 151 126

I can't say that this looks good compared to last week. There is a clear winner of the bad HELO sweepstakes; tried 494 times. Fortunately, that's the only really active bad HELO source, and everyone else was down in what I consider acceptable territory with only double-digit rejections.

Germany remained a major source of our bad rejections, sprinkled with Italy, Japan, Australia, and other places around the globe. 'noreply' was the most popular single username to try to send bounces to, but the most popular thing in general was random alphabetical usernames like 'shxonbnjy'. Bad bounces were sent to 425 different bad usernames this week.

spam/SpamSummary-2007-01-20 written at 23:28:55; Add Comment

Browsers are the wrong place to report HTML validation errors

A popular idea for dealing with 'malformed' HTML is to have the browsers warn users about it (the most recent example I've run across is in comments here), on the theory that this will cause authors to make their HTML validate. Unfortunately, doing this is about as useful as showing error pukes to website visitors, and for the same reason: it is reporting the problem to the wrong person.

Almost everyone visiting your site is a visitor, not the site's author. It follows that almost every time this hypothetical 'page is malformed' error would go off it would go off to a visitor, who can't do anything about the problem, instead of to the site's author (who can).

The usual retort is that the site's author can visit the page as the final step in publishing and see the warning and do something about it. This is a marvelous theory, but (I argue) incorrect in fact, in part because it assumes that site authors actually bother to check their work, and in part because it assumes that site authors are going to notice a little status notice any more than they notice any of the other little broken things that they let slip by now.

(And if site authors do care about validated HTML they are probably already using one of the validation tools to check their pages, and this feature would not be a particularly big bonus to them.)

This is also a terrible feature from a pragmatic user interface point of view: on today's Internet, it would be the boy who screams wolf all the time, because a rather large number of the pages out there do not pass validation. Such a warning notice would be on a lot; if it is intrusive it gets in your face almost all the time (about something you can't do anything about), and if it's not intrusive it's pretty much a noisy waste of space. This is not a winning user interface element.

(But if you really want it, you can get Firefox extensions that do this.)

web/ValidatingBrowsers written at 00:29:18; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.