How many places actually send us email?

July 17, 2005

A few weeks ago I discovered that only 220 different IP addresses sent us actual email over the course of a week. This naturally raises the question: was this just a slow week, or is this typical? The answer turns out to be 'maybe'.

On the system I usually run my stats on, I only have logs going back about 28 days; looking at the entire time period, there was email from 443 different IP addresses. Not surprisingly, the distribution of how much email comes from where is very uneven, with almost all of the email we get coming from a few mailing list hosts and the campus-wide email system.

On another system I have logs going back almost a year. Over that time, we got email from only 1,427 different IP addresses (only 95,000 email messages, though). On this system, the big source of email turns out to be Yahoo's webmail, and again things have a very sharp dropoff.
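The counts above come down to two operations on the mail log: how many distinct client IPs delivered accepted mail in a window, and how concentrated that mail is among the busiest few. The following is an added example (not the post's own stats script) that does both over a constructed log in a simplified, hypothetical line format; the sender addresses are drawn from the RFC 5737 documentation ranges, and the accept/reject wording of the lines is an assumption.

```python
"""Distinct sending IPs and sender concentration over a mail-log window.

Added example, not the original post's script. The log format below
(date time accepted from=[ip] to=user) is a hypothetical simplification;
the lines themselves are constructed."""

import re
from collections import Counter
from datetime import date

# Constructed sample: one hub (192.0.2.10) dominates, a few others
# appear once or twice, and one rejected connection that must not count.
SAMPLE_LOG = """\
2005-06-20 08:01:10 accepted from=[192.0.2.10] to=alice
2005-06-20 08:05:22 accepted from=[192.0.2.10] to=bob
2005-06-21 12:40:03 accepted from=[198.51.100.5] to=alice
2005-06-22 17:55:48 accepted from=[192.0.2.10] to=carol
2005-06-25 03:12:01 accepted from=[198.51.100.40] to=dave
2005-07-11 09:30:44 accepted from=[192.0.2.10] to=alice
2005-07-11 09:31:02 accepted from=[192.0.2.10] to=bob
2005-07-12 14:02:19 accepted from=[203.0.113.7] to=carol
2005-07-13 22:10:00 accepted from=[192.0.2.10] to=dave
2005-07-14 06:45:31 accepted from=[198.51.100.40] to=alice
2005-07-15 11:11:11 rejected from=[24.156.64.52] class=bl-cbl
2005-07-16 19:20:21 accepted from=[192.0.2.10] to=bob
"""

ACCEPT_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ accepted from=\[(?P<ip>[^\]]+)\]"
)


def parse_accepted(log_text):
    """Return [(day, sender_ip)] for accepted messages only. Rejections are
    skipped on purpose: the question is who sends us real mail, not who
    tries to."""
    out = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            out.append((date.fromisoformat(m.group("day")), m.group("ip")))
    return out


def senders_in_window(records, start, end):
    """Messages per sender IP for start <= day <= end (inclusive)."""
    return Counter(ip for day, ip in records if start <= day <= end)


def top_share(counts, n=1):
    """Fraction of messages delivered by the n busiest sender IPs."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in counts.most_common(n)) / total


def weekly_report(log_text, week_start, week_end):
    """Distinct senders and top-1 share for one week and for the whole log.
    week_start/week_end are ISO date strings."""
    records = parse_accepted(log_text)
    week = senders_in_window(records, date.fromisoformat(week_start),
                             date.fromisoformat(week_end))
    everything = senders_in_window(records, date.min, date.max)
    return {
        "week_distinct": len(week),
        "week_messages": sum(week.values()),
        "week_top1_share": top_share(week),
        "all_distinct": len(everything),
        "all_messages": sum(everything.values()),
        "all_top1_share": top_share(everything),
    }


if __name__ == "__main__":
    for key, val in weekly_report(SAMPLE_LOG, "2005-07-10", "2005-07-16").items():
        print(f"{key:>16}: {val:.2f}" if isinstance(val, float) else f"{key:>16}: {val}")
```

Against real logs the only part that changes is `ACCEPT_RE`; the skew the post describes shows up as a top-1 share well above half even with a handful of senders.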

While this has practical uses for our specific situation, the more I think about it the less I think it really generalizes very well. Most of the people here use the central campus-wide email system and at most have their email forwarded from there to our systems; only a relatively few are still using our systems as their primary email system.

The usual quick rejection stats for 2005-07-16

IP level rejections:

Host/Mask           Packets   Bytes
81.201.5.5             8932    429K
212.216.176.0/24       8005    418K
61.128.0.0/10          3540    177K
216.7.201.43           3430    165K
220.160.0.0/11         3107    155K
219.128.0.0/12         2773    136K
212.80.76.44           2608    139K
24.156.64.52           2422    116K
65.214.61.100          2340    112K
65.109.239.171         2303    138K
66.176.226.248         2291    110K
83.103.30.214          2253    115K
218.0.0.0/11           2228    109K
68.122.156.130         2177    111K
222.32.0.0/11          2048   99228
12.31.56.73            1790   85920
221.216.0.0/13         1758   85524
83.103.57.17           1696   86256
216.138.221.42         1525   73200

There are a number of the usual suspects reappearing, unfortunately, including the mysterious 24.156.64.52 that keeps hammering on us (a Google search suggests that it may be virus-infested).

Connection-time rejections:

 33011 total
  2249 class bl-cbl
  1355 class bl-dsbl
  1034 class bl-ordb
   292 class bl-spews
   260 class bl-njabl
   176 class bl-sbl
   147 class bl-sdul
    28 class bl-opm

The DNS blocklists seem to have significantly shuffled themselves around; SPEWS is way down, list.dsbl.org and relays.ordb.org are way up. Looking at rejection sources for each, there seems to be no sign of anything in particular being wrong or badly listed, although there are a number of really persistent would-be sending machines.

Also, it may be that spammers are finally stopping forging our domain names on their spam, as the number of bounces to bogus users and bad HELOs that we got this week is well down from last week's level. (And last week was a normal week for this sort of stuff.)

                   Last week   This week
bounce sessions          613         105
bad HELOs               2585         565

That would be nice if it's true and holds up; I am really, really tired of spam backscatter.
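The rejection classes in both of the tables above (the `bl-*` DNSBL hits, the bounces to bogus users, the bad HELOs) fall out of checks made at different points in the SMTP conversation, and a DNSBL hit is just a DNS lookup of the client's octets reversed under the list's zone. The following is an added example, not the post's own code, that classifies constructed SMTP sessions with those rules and compares two weeks the way the table does. Everything in it is assumed or constructed: the session records, the DNSBL answer table standing in for real DNS, the local user list, the names of the classes and the order the checks run in. list.dsbl.org and relays.ordb.org are the zones the post mentions; the other two zone names are assumptions for the example.

```python
"""Classify SMTP-time rejections (DNSBL hit, bad HELO, bounce to a bogus
user) and compare two weeks. Added example, not the post's own code;
sessions, DNSBL answers, user list and class names are all constructed
or assumed, and no real DNS is consulted."""

import ipaddress
from collections import Counter
from datetime import date

# DNSBL zones, checked in this order; the first hit names the class.
# dsbl/ordb zones are from the post, the CBL and SBL zone names assumed.
DNSBLS = [
    ("bl-cbl", "cbl.abuseat.org"),
    ("bl-dsbl", "list.dsbl.org"),
    ("bl-ordb", "relays.ordb.org"),
    ("bl-sbl", "sbl.spamhaus.org"),
]

# Stand-in for DNS (constructed): query names that would get an A record.
# A real check resolves the name and treats any 127.0.0.x answer as listed.
LISTED = {
    "5.5.201.81.cbl.abuseat.org",
    "43.201.7.216.list.dsbl.org",
    "52.64.156.24.cbl.abuseat.org",
    "52.64.156.24.relays.ordb.org",
}

OUR_NAMES = {"cs.example", "mail.cs.example"}  # assumed; outsiders may not HELO as us
LOCAL_USERS = {"alice", "bob", "carol"}        # assumed


def dnsbl_query_name(ip, zone):
    """A DNSBL lookup reverses the octets and appends the zone:
    81.201.5.5 in cbl.abuseat.org -> 5.5.201.81.cbl.abuseat.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_class(ip):
    for cls, zone in DNSBLS:
        if dnsbl_query_name(ip, zone) in LISTED:
            return cls
    return None


def helo_is_bad(helo):
    """Bad: claims one of our names, is a bare IP (an address literal must
    be bracketed, [1.2.3.4]), or is an unqualified single label."""
    if helo.lower() in OUR_NAMES:
        return True
    if helo.startswith("[") and helo.endswith("]"):
        return False
    try:
        ipaddress.IPv4Address(helo)
        return True
    except ValueError:
        return "." not in helo


def classify(ip, helo, mail_from, rcpt):
    """Rejection class or 'accepted', checked in the order the SMTP
    conversation supplies the data: connect, HELO, MAIL FROM, RCPT TO."""
    cls = dnsbl_class(ip)
    if cls:
        return cls
    if helo_is_bad(helo):
        return "bad-helo"
    if mail_from == "" and rcpt.split("@")[0] not in LOCAL_USERS:
        return "bounce"  # backscatter: a bounce for a user we never had
    return "accepted"


# Constructed sessions: (day, client ip, HELO, MAIL FROM, RCPT TO).
SESSIONS = [
    ("2005-07-04", "81.201.5.5", "relay.example.net", "s@example.net", "alice@cs.example"),
    ("2005-07-05", "24.156.64.52", "cs.example", "", "zzq@cs.example"),
    ("2005-07-05", "198.51.100.9", "cs.example", "a@b.example", "bob@cs.example"),
    ("2005-07-06", "198.51.100.10", "pc", "", "nosuch@cs.example"),
    ("2005-07-07", "198.51.100.11", "mx.example.org", "", "nosuch@cs.example"),
    ("2005-07-07", "198.51.100.12", "mx.example.org", "", "alice@cs.example"),
    ("2005-07-08", "216.7.201.43", "x.example.com", "u@example.com", "carol@cs.example"),
    ("2005-07-11", "192.0.2.10", "mail.campus.example", "p@campus.example", "alice@cs.example"),
    ("2005-07-12", "198.51.100.13", "10.0.0.5", "", "nosuch@cs.example"),
    ("2005-07-13", "198.51.100.14", "[10.0.0.5]", "", "qqq@cs.example"),
    ("2005-07-14", "24.156.64.52", "cs.example", "", "zzq@cs.example"),
]


def weekly_counts(sessions, start, end):
    """Counter of classes for sessions with start <= day <= end (ISO dates)."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return Counter(classify(*s[1:]) for s in sessions
                   if lo <= date.fromisoformat(s[0]) <= hi)


def compare_weeks(sessions, last, this):
    """{class: (last week, this week)} for every class seen in either week."""
    a, b = weekly_counts(sessions, *last), weekly_counts(sessions, *this)
    return {c: (a[c], b[c]) for c in sorted(set(a) | set(b))}


if __name__ == "__main__":
    report = compare_weeks(SESSIONS, ("2005-07-03", "2005-07-09"),
                           ("2005-07-10", "2005-07-16"))
    print(f"{'class':<10} {'last':>5} {'this':>5}")
    for cls, (last, this) in report.items():
        print(f"{cls:<10} {last:>5} {this:>5}")
```

Note that a host can be on several lists at once (24.156.64.52 in the constructed table is in both the CBL and ORDB entries) but is counted only under the first list that answers, so per-list totals like the ones above depend on the order the lists are consulted, and a reshuffle in those totals can reflect a change in ordering or in list coverage as much as a change in who is connecting. Check order cannot be skipped either: a null-sender bounce to a bogus user whose HELO is also bad lands in `bad-helo`, not `bounce`, because HELO is seen first.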

Written on 17 July 2005.
Last modified: Sun Jul 17 00:15:56 2005