How many places actually send us email?

July 17, 2005

A few weeks ago I discovered that only 220 different IP addresses sent us actual email over the course of a week. This naturally raises the question: was this just a slow week, or is this typical? The answer turns out to be 'maybe'.

On the system I usually run my stats on, I only have logs going back about 28 days; looking at the entire time period, there was email from 443 different IP addresses. Not surprisingly, the distribution of how much email comes from where is very uneven, with almost all of the email we get coming from a few mailing list hosts and the campus-wide email system.

On another system I have logs going back almost a year. Over that time, we got email from only 1,427 different IP addresses (only 95,000 email messages, though). On this system, the big source of email turns out to be Yahoo's webmail, and again things have a very sharp dropoff.

While this has practical uses for our specific situation, the more I think about it the less I think it really generalizes very well. Most of the people here use the central campus-wide email system and at most have their email forwarded from there to our systems; only relatively few are still using our systems as their primary email system.
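The measurement described above, as an added example that is not from the original post: count the distinct IP addresses that actually delivered mail and see how few of them account for most of the volume. The log line format, the sample lines and the function names are assumptions made for illustration; adapt the regular expression to your own MTA's logs.

```python
import re
from collections import Counter

# Assumed log format: "<date> accepted from <ip>". Real MTA logs differ.
ACCEPT_RE = re.compile(r"\baccepted from (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: one dominant source, a few small ones, and rejected
# connections that must not be counted as senders of actual email.
SAMPLE = (
    ["2005-07-10 accepted from 192.0.2.10"] * 6
    + ["2005-07-11 accepted from 198.51.100.7"] * 2
    + ["2005-07-12 accepted from 203.0.113.5",
       "2005-07-12 accepted from 203.0.113.9"]
    + ["2005-07-12 rejected from 203.0.113.77 (bl-cbl)"] * 2
)


def senders(lines):
    """Return a Counter of accepted messages per source IP."""
    counts = Counter()
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def sources_for_share(counts, percent):
    """Smallest number of top sources that cover `percent` of all mail."""
    total = sum(counts.values())
    if total == 0:
        return 0
    running = 0
    for n, (_ip, c) in enumerate(counts.most_common(), start=1):
        running += c
        # Integer comparison avoids floating-point rounding at the boundary.
        if running * 100 >= percent * total:
            return n
    return len(counts)


if __name__ == "__main__":
    counts = senders(SAMPLE)
    print(f"{sum(counts.values())} messages from {len(counts)} distinct IPs")
    for pct in (50, 80, 100):
        print(f"{pct}% of mail comes from the top {sources_for_share(counts, pct)}")
```
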

The usual quick rejection stats for 2005-07-16

IP level rejections:

Host/Mask           Packets   Bytes
                       8932    429K
                       8005    418K
                       3540    177K
                       3430    165K
                       3107    155K
                       2773    136K
                       2608    139K
                       2422    116K
                       2340    112K
                       2303    138K
                       2291    110K
                       2253    115K
                       2228    109K
                       2177    111K
                       2048   99228
                       1790   85920
                       1758   85524
                       1696   86256
                       1525   73200

There's a number of the usual suspects reappearing again, unfortunately. Including the mysterious that keeps hammering on us (a Google search suggests that it may be virus-infested).

Connection-time rejections:

 33011 total
  2249 class bl-cbl
  1355 class bl-dsbl
  1034 class bl-ordb
   292 class bl-spews
   260 class bl-njabl
   176 class bl-sbl
   147 class bl-sdul
    28 class bl-opm

The DNS blocklists seem to have significantly shuffled themselves around; SPEWS is way down, and are way up. Looking at rejection sources for each, there seems to be no sign of anything in particular being wrong or badly listed, although there's a number of really persistent would-be sending machines.

Also, it may be that spammers are finally stopping forging our domain names on their spam, as the numbers of bounces to bogus users and bad HELOs that we got this week are well down from their levels last week. (And last week was a normal week for this sort of stuff.)

                  Last week   This week
bounce sessions         613         105
bad HELOs              2585         565

That would be nice if it's true and holds up; I am really, really tired of spam backscatter.

Written on 17 July 2005.

Last modified: Sun Jul 17 00:15:56 2005