North American Network Operators Group


Re: anybody else been spammed by "no-ip.com" yet?

  • From: william
  • Date: Sat May 04 13:06:26 2002

At the moment I'm actually interested in statistics on size of spam 
messages as compared to average size of mail message to try to calculate 
amount of mail bandwidth they really waste...

My own calculations show around 27% spam email and I've seen statistics 
from 20-30% from others (someone else also wrote me 1/3 of the email, 
this is a little inflated but shows generally what it is). But I'm interested 
in actual numbers on per size of email statistics if possible.

On Sat, 4 May 2002 jlewis@lewis.org wrote:

> On Fri, 3 May 2002 william@elan.net wrote:
> 
> > Do you have data on approximate amount of this extra mail bandwidth due to
> > spam per user? Actually let's be more exact, can some of you with 10,000
> > real user mail accounts reply how much traffic your mail server is using
> > and if you have spam filter, how much (in percentage) of mail was filtered.
> > And how big was the filtered spam in comparison to all other regular mails?
> > And if possible how much in amount of disk space was it in comparison to
> > all other emails?
> 
> Since sendmail applies our dnsbl rules before accepting the message, I
> can't say how much bandwidth the blocked spam would have used.  On an MX
> that handles mail for several tens of thousands of actual user accounts,
> it's not unusual for us to deliver ~400k messages and reject anywhere from
> 200k-500k messages.  A few weeks ago we had a several day period during
> which we rejected > 1,000,000 messages/day.
> 
> The rejected numbers can be somewhat inflated though by the 'alphabet
> spammers'.  I'm not sure what else to call them...but these are the people
> who try to send mail to every conceivable address @yourdomain.  If you run
> a large mail server, you've probably seen them hit you.  When they dump
> their random address spam on an open relay, that relay gets blacklisted
> pretty quickly, resulting in large numbers of dnsbl rejected messages that
> would have eventually bounced as 'no such user' bounces, and likely double
> bounced.
> 
> Worse, IMO, than the bandwidth issue (mail from/rcpt to/571 doesn't use
> that much bandwidth), is the mail server load issue.  A couple of open
> relays pounding on our mail servers trying to deliver a truckload of spam
> someone dumped on them will drive up the load in no time.  I'm seriously
> considering adapting some existing code to watch syslog data and use
> kernel packet filtering to cut off connectivity for say 24h from IPs
> after N dnsbl caused rejections in Y minutes.  This should reduce load
> considerably.  While typing this I was just watching the log on one mail
> server and noticed several rejections/sec from mail.ignacio.k12.co.us.
> That system is an open relay (listed in several blacklists) and has been
> trying to deliver mail to atlantic.net since last Wednesday.  We've
> rejected from them the following numbers of messages:
> 
> Wed: 82102
> Thur: 286861
> Fri: 215779
> Sat (so far): 62128
> 
>
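
The idea in the quoted message (watch syslog and cut off an IP for 24h after N dnsbl-caused rejections in Y minutes), as an added example that is not part of the original thread or anyone's production code. The log line shape, the regex, the thresholds and the sample lines are assumptions constructed for illustration; the function returns the ban list for a packet filter to consume.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape (constructed, not taken from the post): a syslog timestamp,
# then "relay=host [ip]" and "reject=571" later on the same line.
REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*relay=\S* ?"
    r"\[(?P<ip>\d+\.\d+\.\d+\.\d+)\].*reject=571"
)

def parse(line, year=2002):
    """Return (timestamp, ip) for a DNSBL rejection line, else None."""
    m = REJECT.match(line)
    if not m:
        return None
    # Classic syslog lines carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def plan_blocks(lines, n=5, window=timedelta(minutes=10),
                ban=timedelta(hours=24)):
    """Return {ip: ban_expiry} for IPs with >= n rejections inside `window`."""
    recent = defaultdict(deque)   # ip -> rejection times still in the window
    blocked = {}                  # ip -> time the ban expires
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue              # not a rejection line
        ts, ip = hit
        if ip in blocked and ts < blocked[ip]:
            continue              # ban still active; do not extend it
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget rejections older than the window
        if len(q) >= n:
            blocked[ip] = ts + ban
            q.clear()             # start counting afresh once the ban expires
    return blocked

# Constructed sample: six rejections in six seconds from one relay, one from
# another, and one unrelated delivery line. Addresses are documentation ranges.
SAMPLE = [
    f"May  4 13:00:{s:02d} mx1 sendmail[101]: ruleset=check_relay, "
    f"relay=open.example [192.0.2.10], reject=571 (constructed)"
    for s in range(6)
] + [
    "May  4 13:00:03 mx1 sendmail[102]: ruleset=check_relay, "
    "relay=other.example [198.51.100.7], reject=571 (constructed)",
    "May  4 13:00:04 mx1 sendmail[103]: to=<user@example.net>, stat=Sent",
]
```
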