North American Network Operators Group


Re: anybody else been spammed by "no-ip.com" yet?

  • From: jlewis
  • Date: Sat May 04 12:52:16 2002

On Fri, 3 May 2002 william@elan.net wrote:

> Do you have data on approximate amount of this extra mail bandwidth due to
> spam per user? Actually, let's be more exact, can some of you with 10,000
> real user mail accounts reply how much traffic your mail server is using
> and if you have spam filter, how much (in percentage) of mail were filtered.
> And how big were the filtered spam in comparison to all other regular mails?
> And if possible how much in amount of disk space was it in comparison to
> all other emails?

Since sendmail applies our dnsbl rules before accepting the message, I
can't say how much bandwidth the blocked spam would have used.  On a MX
that handles mail for several tens of thousands of actual user accounts,
it's not unusual for us to deliver ~400k messages and reject anywhere from
200k-500k messages.  A few weeks ago we had a several day period during
which we rejected > 1,000,000 messages/day.

The rejected numbers can be somewhat inflated though by the 'alphabet
spammers'.  I'm not sure what else to call them...but these are the people
who try to send mail to every conceivable address @yourdomain.  If you run
a large mail server, you've probably seen them hit you.  When they dump
their random address spam on an open relay, that relay gets blacklisted
pretty quickly, resulting in large numbers of dnsbl rejected messages that
would have eventually bounced as 'no such user' bounces, and likely double
bounced.

Worse, IMO, than the bandwidth issue (mail from/rcpt to/571 doesn't use
that much bandwidth), is the mail server load issue.  A couple of open
relays pounding on our mail servers trying to deliver a truckload of spam
someone dumped on them will drive up the load in no time.  I'm seriously
considering adapting some existing code to watch syslog data and use
kernel packet filtering to cut off connectivity for say 24h from IPs
after N dnsbl caused rejections in Y minutes.  This should reduce load
considerably.  While typing this I was just watching the log on one mail
server and noticed several rejections/sec from mail.ignacio.k12.co.us.
That system is an open relay (listed in several blacklists) and has been
trying to deliver mail to atlantic.net since last Wednesday.  We've
rejected from them the following numbers of messages:

Wed: 82102
Thur: 286861
Fri: 215779
Sat (so far): 62128

-- 
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
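The load-shedding idea in the post (watch syslog for dnsbl rejections, then use kernel packet filtering to cut a host off for 24h after N rejections in Y minutes) can be sketched as a sliding-window counter. The following is an added example and not code from the post or from Atlantic Net; the sendmail log line format it parses is a constructed approximation of a `check_relay` rejection, the threshold and window values are placeholders, and the use of `iptables` is an assumption, since the post only says "kernel packet filtering". The block is computed and returned as a command list rather than executed, so the script runs offline on the constructed sample log.

```python
"""Rate-based blocking of hosts that pile up dnsbl rejections.

Added example, not code from the original post.  Watches sendmail-style
syslog lines for dnsbl (check_relay) rejections, counts them per source IP
over a sliding window, and decides when a host has earned a temporary block.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed approximation of a sendmail check_relay rejection line (assumption);
# adjust the pattern to the real log format of the MX being watched.
REJECT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r".*ruleset=check_relay, .*relay=\S+ \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\], "
    r"reject=5\d\d .*blackhole"
)


def parse_timestamp(match):
    """Turn the syslog 'Mon dd HH:MM:SS' fields into a datetime (syslog carries no year)."""
    stamp = f"{match['mon']} {int(match['day']):02d} {match['time']}"
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


class RejectionWatcher:
    """Block an IP after `threshold` dnsbl rejections within `window`, for `block_for`
    (the N, Y minutes and 24h of the post; the defaults here are placeholders)."""

    def __init__(self, threshold=20, window=timedelta(minutes=10),
                 block_for=timedelta(hours=24)):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)   # ip -> timestamps of recent rejections
        self.blocked = {}                  # ip -> block expiry

    def feed(self, line):
        """Consume one log line.  Returns (ip, expiry) when a new block is decided,
        otherwise None (lines that are not dnsbl rejections are ignored)."""
        m = REJECT_RE.search(line)
        if not m:
            return None
        ts, ip = parse_timestamp(m), m["ip"]

        # A host whose block is still current needs no new decision; once the
        # block has expired it starts again with a clean counter.
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if ts < expiry:
                return None
            del self.blocked[ip]

        hits = self.recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:   # drop hits outside the window
            hits.popleft()
        if len(hits) < self.threshold:
            return None

        expiry = ts + self.block_for
        self.blocked[ip] = expiry
        hits.clear()
        return ip, expiry


def block_command(ip):
    """Kernel packet-filter rule for a decision.  iptables is an assumption (the post
    names no tool); the command is returned for the caller to run, not executed here."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", "25", "-j", "DROP"]


def decide_blocks(lines, **kw):
    """Run every line through one watcher and collect the block decisions."""
    watcher = RejectionWatcher(**kw)
    return [d for d in map(watcher.feed, lines) if d is not None]


def reject_line(ts, host, ip):
    """Build one constructed rejection line in the format REJECT_RE expects."""
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return (f"{stamp} mx1 sendmail[4242]: g44C00001234: ruleset=check_relay, "
            f"arg1={host}, arg2={ip}, relay={host} [{ip}], reject=550 5.7.1 "
            f"Mail from {ip} refused by blackhole site dnsbl.example.invalid")


def sample_log():
    """Constructed log: one open relay hammering the MX, one host with a few hits,
    and one unrelated line.  Hosts and addresses are documentation placeholders."""
    base = datetime(1900, 5, 4, 12, 0, 0)   # strptime without a year also yields 1900
    lines = [reject_line(base + timedelta(seconds=10 * i), "relay.example.invalid", "192.0.2.10")
             for i in range(30)]             # 30 rejections in five minutes
    lines += [reject_line(base + timedelta(minutes=i), "mail.example.invalid", "203.0.113.7")
              for i in range(3)]             # 3 rejections, under the threshold
    lines.append("May  4 12:06:00 mx1 sendmail[4242]: g44C00001235: from=<a@example.invalid>, size=512")
    return lines


if __name__ == "__main__":
    for ip, expiry in decide_blocks(sample_log()):
        print(f"block {ip} until {expiry:%b %d %H:%M}: {' '.join(block_command(ip))}")
```

On the sample log only the relay at 192.0.2.10 crosses the threshold, and it does so on its 20th rejection; the remaining rejections from it inside the block period produce no further decisions, which is what keeps a blocked host from generating repeated rule insertions. Because the watcher keys on the connecting IP rather than on the envelope sender, an open relay dumping one spammer's random-address run is treated as a single source, matching the failure mode the post describes.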