Merry Christmas from the world of spammers:
Per-Hour Traffic Summary
time received delivered deferred bounced rejected
--------------------------------------------------------------------
0000-0100 9150 1570 60 21 13680
0100-0200 8781 1062 47 22 13093
0200-0300 7950 867 48 29 11299
0300-0400 7100 1002 65 30 9180
0400-0500 16325 927 53 17 48834 !!!!!
0500-0600 17124 1071 51 17 48325 !!!!!
0600-0700 13960 957 44 34 28078
0700-0800 9014 1034 24 62 20364
0800-0900 1225 215 10 3 1963
This weekend has seen an incredible increase in spam. The above blitz was
dominantly from forged senders of "[EMAIL PROTECTED]" and had 100+ SMTPD
processes handling the incoming connections:
Per-Hour SMTPD Connection Summary
hour connections time conn. avg./conn. max. time
--------------------------------------------------------------------
0000-0100 14309 20:40:05 5s 500s
0100-0200 8148 20:47:32 9s 730s
0200-0300 7337 18:02:34 9s 276s
0300-0400 6728 16:57:19 9s 499s
0400-0500 15259 !!!! 43:39:34 10s 267s
0500-0600 15478 !!!! 45:45:42 11s 251s
0600-0700 12592 !!!! 31:46:18 9s 251s
0700-0800 8099 25:16:31 11s 281s
I've begun to conclude that the rate of SMTPD connections to IMGate is a
reliable red flag that the connecting IP is abusing and can be null-routed or
firewalled without hesitation, esp. with the guard condition of no PTR:
Host/Domain Summary: SMTPD Connections (top 20)
connections time conn. avg./conn. max. time host/domain
----------- ---------- ---------- --------- -----------
6312 0:16:03 0s 29s 61.136.151.158
2404 1:21:37 2s 17s c-direct.ne.jp
1900 0:44:21 1s 12s 67.39.250.194
1840 1:23:01 3s 23s sysrun.co.jp
1404 0:50:39 2s 7s plala.or.jp
1028 0:34:07 2s 7s odex.co.jp
1018 3:12:45 11s 59s zoanmail.com
1016 0:37:11 2s 8s 211.121.191.218
1003 1:43:33 6s 33s ns.secureprint.jp
937 0:37:08 2s 8s 211.235.191.220
924 1:49:08 7s 15s 211.199.180.217
896 0:39:24 3s 12s wakwak.ne.jp
763 0:34:55 3s 8s 211.92.240.19
744 5:16:57 26s 66s 200.16.81.209
727 0:27:20 2s 12s 219.120.74.163
702 5:18:33 27s 49s rr.com
702 0:28:05 2s 12s 211.97.235.106
687 10:12:02 53s 108s 194.162.80.26
608 2:53:55 17s 96s hinet.net
596 1:57:25 12s 251s 203.238.211.219
Here's a command to look at the SMTP connections for today's 08: hour:
awk '/^Dec 22 08.* connect from/ {print $8}' /var/log/maillog | sort -f |
uniq -ic | sort -rf | less
note: the space before " connect from" is important to exclude the
companion but useless "disconnect from" for the same SMTPD session.
which gives an output:
101 unknown[211.21.171.1]
86 unknown[63.251.200.47]
60 unknown[63.251.200.55]
58 unknown[194.162.80.26]
58 mail.ee.net[206.222.1.5]
52 unknown[217.169.231.82]
48 casinotechnologies.com[64.69.65.146]
46 unknown[218.234.19.108]
42 smtp-server3.tampabay.rr.com[65.32.1.41]
41 unknown[67.72.16.252]
40 unknown[63.251.200.54]
38 unknown[204.77.129.41]
34 unknown[66.181.171.114]
32 unknown[211.220.42.42]
31 smtp-server4.tampabay.rr.com[65.32.1.43]
28 unknown[168.215.180.72]
26 xoa33.etracks.com[66.236.48.33]
26 xoa31.etracks.com[66.236.48.31]
26 unknown[202.103.182.62]
After null-routing the highest volume "connect frommers", the SMTPD sessions
dropped from 100+ to 20+, freeing up 80 Mb of RAM.
btw, before the null-routing, the primary reject was from SAV, since hotmail
would not verify any of the forged "ny.*@hotmail.com" as known users.
Len
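An added example, not from Len's post, that does in Python what the awk pipeline above does (count smtpd "connect from" events per client for a chosen hour, ignoring the companion "disconnect from" lines) and then applies the no-PTR guard condition the post describes. The maillog lines are constructed, and the connection threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not from the original post); the format
# follows the Postfix smtpd lines the awk one-liner above matches.
SAMPLE_MAILLOG = """\
Dec 22 08:00:01 gate postfix/smtpd[2101]: connect from unknown[211.21.171.1]
Dec 22 08:00:02 gate postfix/smtpd[2101]: disconnect from unknown[211.21.171.1]
Dec 22 08:00:03 gate postfix/smtpd[2102]: connect from unknown[211.21.171.1]
Dec 22 08:00:04 gate postfix/smtpd[2103]: connect from unknown[211.21.171.1]
Dec 22 08:00:05 gate postfix/smtpd[2104]: connect from mail.ee.net[206.222.1.5]
Dec 22 08:00:06 gate postfix/smtpd[2105]: connect from mail.ee.net[206.222.1.5]
Dec 22 08:00:07 gate postfix/smtpd[2106]: connect from mail.ee.net[206.222.1.5]
Dec 22 08:00:08 gate postfix/smtpd[2107]: connect from unknown[63.251.200.47]
Dec 22 09:00:01 gate postfix/smtpd[2108]: connect from unknown[211.21.171.1]
"""

# "connect from" is anchored right after the smtpd process tag, so a
# "disconnect from" line cannot match (same effect as the leading space in awk).
CONNECT_RE = re.compile(
    r'^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hour>\d{2}):\d{2}:\d{2} \S+ '
    r'postfix/smtpd\[\d+\]: connect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]$'
)

def count_connections(log_text, day=None, hour=None):
    """Count 'connect from' events per (reverse-name, ip), optionally for one day/hour."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if not m:
            continue
        if day is not None and int(m['day']) != day:
            continue
        if hour is not None and int(m['hour']) != hour:
            continue
        counts[(m['host'], m['ip'])] += 1
    return counts

def report(counts):
    """Same shape as the awk | sort | uniq -c output: 'N host[ip]', highest first."""
    rows = [(n, f"{host}[{ip}]") for (host, ip), n in counts.items()]
    return [f"{n} {name}" for n, name in sorted(rows, key=lambda r: (-r[0], r[1]))]

def flag_abusers(counts, threshold):
    """IPs at or above the threshold that also have no PTR (Postfix logs 'unknown')."""
    return sorted(ip for (host, ip), n in counts.items()
                  if host == 'unknown' and n >= threshold)

if __name__ == '__main__':
    hour8 = count_connections(SAMPLE_MAILLOG, day=22, hour=8)
    print('\n'.join(report(hour8)))
    print('no-PTR candidates:', flag_abusers(hour8, threshold=3))  # assumed threshold
```

The threshold that separates a busy legitimate relay from an abuser is site-specific; the post's top-20 table, with thousands of connections per host and no PTR, is far above anything a real relay to a small gateway produces.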