Re: [Declude.JunkMail] Interesting SMTP connection patterns
Dave,

That is really not that uncommon. I see this with very aggressive spammers who are trying to get the most spam through in the least amount of time and have no disregard for crashing the server they are sending spam to...

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Dave Beckstrom writes:

Yesterday I took a snapshot of the SMTP connections active on our server. I then did a reverse IP to find out where they were from. Below are the results. You can see someone from Thailand had 5 SMTP connections active and Spain had 4. You can also see that only 3 of the IPs connected were for potentially legitimate email. We don't get any legitimate email from other Countries so everything not from the USA would be spam.

Any idea why a spammer would open more than one SMTP connection?

202.139.211.241   5   Thailand
88.0.230.26       4   Spain
71.55.71.138      2   USA
87.219.166.9      2   Spain
213.85.39.108     1   Russian Federation
84.77.107.183     1   Spain
83.131.106.234    1   Croatia
84.61.135.61      1   Germany
83.84.74.219      1   Netherlands
90.9.36.180       1   France
83.167.108.79     1   Russian Federation
67.172.162.33     1   USA
84.54.248.96      1   Russian Federation
86.75.242.215     1   France
201.208.171.250   1   Venezuela
88.204.240.177    1   Kazakstan
82.158.0.237      1   Spain
69.30.246.125     1   USA
200.168.86.224    1   Brazil
83.167.108.44     1   Russian Federation
75.41.79.203      1   USA
200.206.252.123   1   Brazil
84.60.109.148     1   Germany

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Interesting SMTP connection patterns
That's why I now use Blackice Server from IIS. It can detect multiple SMTP connections and close IPs down automatically. It's pretty slick.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Beckstrom
Sent: Thursday, October 12, 2006 11:24 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Interesting SMTP connection patterns

Yesterday I took a snapshot of the SMTP connections active on our server. I then did a reverse IP to find out where they were from. Below are the results. You can see someone from Thailand had 5 SMTP connections active and Spain had 4. You can also see that only 3 of the IPs connected were for potentially legitimate email. We don't get any legitimate email from other Countries so everything not from the USA would be spam.

Any idea why a spammer would open more than one SMTP connection?

202.139.211.241   5   Thailand
88.0.230.26       4   Spain
71.55.71.138      2   USA
87.219.166.9      2   Spain
213.85.39.108     1   Russian Federation
84.77.107.183     1   Spain
83.131.106.234    1   Croatia
84.61.135.61      1   Germany
83.84.74.219      1   Netherlands
90.9.36.180       1   France
83.167.108.79     1   Russian Federation
67.172.162.33     1   USA
84.54.248.96      1   Russian Federation
86.75.242.215     1   France
201.208.171.250   1   Venezuela
88.204.240.177    1   Kazakstan
82.158.0.237      1   Spain
69.30.246.125     1   USA
200.168.86.224    1   Brazil
83.167.108.44     1   Russian Federation
75.41.79.203      1   USA
200.206.252.123   1   Brazil
84.60.109.148     1   Germany
RE: [Declude.JunkMail] Interesting SMTP connection patterns
Of course, BlackIce does not support Windows 2003.

-Jay

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Edmonds
Sent: Thursday, October 12, 2006 3:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
Importance: High

That's why I now use Blackice Server from IIS. It can detect multiple SMTP connections and close IPs down automatically. It's pretty slick.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
RE: [Declude.JunkMail] Interesting SMTP connection patterns
Blackice runs perfect on Windows 2003 server. I posted the install instructions on this list a couple of weeks ago.

Craig -- I believe some email servers will open a secondary connection as part of their spam checking. In that case, you might see 2 connections which would be legitimate. What setting did you change in blackice to drop those IPs with multiple connections?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Thursday, October 12, 2006 7:59 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Of course, BlackIce does not support Windows 2003.

-Jay
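An added example, not part of the original thread or any poster's code: one way to produce the kind of per-IP snapshot discussed here, counting live inbound SMTP sessions per remote address from `netstat -an` output and flagging addresses above a threshold. The sample input is constructed from documentation address ranges, the function names are hypothetical, and the default threshold of 2 follows the point above that two connections from one server may be legitimate.

```python
import ipaddress
from collections import Counter

# Constructed `netstat -an` style snapshot. All addresses come from the
# documentation ranges (RFC 5737 / RFC 3849), none from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:1034      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:1035      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:1036      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:1037      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:1038      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:1039      TIME_WAIT
  TCP    192.0.2.10:25          203.0.113.20:4410      ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.20:4411      ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.9:2201       ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.9:5120       ESTABLISHED
  TCP    192.0.2.10:1099        203.0.113.77:25        ESTABLISHED
  TCP    [2001:db8::10]:25      [2001:db8::beef]:50112 ESTABLISHED
  TCP    [2001:db8::10]:25      [2001:db8::beef]:50113 ESTABLISHED
  TCP    [2001:db8::10]:25      [2001:db8::beef]:50114 ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""


def parse_endpoint(text):
    """Split 'addr:port' or '[v6addr]:port' into (ip, port); None if unparseable."""
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        return None
    host = host.strip("[]").split("%")[0]  # drop brackets and any IPv6 zone id
    try:
        return str(ipaddress.ip_address(host)), int(port)
    except ValueError:
        return None


def smtp_connection_counts(netstat_text, smtp_port=25):
    """Count ESTABLISHED inbound sessions to smtp_port, keyed by remote IP."""
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue  # headers, UDP rows, blank lines
        local, remote = parse_endpoint(parts[1]), parse_endpoint(parts[2])
        if local is None or remote is None:
            continue
        # Inbound only: our side must be the SMTP port. Outbound deliveries
        # (remote port 25) and half-closed states such as TIME_WAIT are skipped.
        if local[1] == smtp_port and parts[3] == "ESTABLISHED":
            counts[remote[0]] += 1
    return counts


def flag_heavy_senders(counts, allowed=2, exempt=()):
    """Return (ip, count) pairs above `allowed`, busiest first, minus exempt IPs."""
    exempt = {str(ipaddress.ip_address(ip)) for ip in exempt}
    heavy = [(ip, n) for ip, n in counts.items() if n > allowed and ip not in exempt]
    return sorted(heavy, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, n in flag_heavy_senders(smtp_connection_counts(SAMPLE_NETSTAT)):
        print(f"{ip}\t{n} concurrent SMTP connections")
```

The `exempt` argument is where known relays or partner servers that legitimately open several sessions would be listed before any automated action is taken on the result.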
RE: [Declude.JunkMail] Interesting SMTP connection patterns
Darrell,

I wondered if that might be the case. Thanks for the info!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Thursday, October 12, 2006 4:44 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Interesting SMTP connection patterns

Dave,

That is really not that uncommon. I see this with very aggressive spammers who are trying to get the most spam through in the least amount of time and have no disregard for crashing the server they are sending spam to...

Darrell
RE: [Declude.JunkMail] Interesting SMTP connection patterns
Well, it didn't run for us. We tried and it caused random BSOD and ISS wouldn't provide any support.

-Jay

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Beckstrom
Sent: Thursday, October 12, 2006 7:38 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Blackice runs perfect on Windows 2003 server. I posted the install instructions on this list a couple of weeks ago.

Craig -- I believe some email servers will open a secondary connection as part of their spam checking. In that case, you might see 2 connections which would be legitimate. What setting did you change in blackice to drop those IPs with multiple connections?
RE: [Declude.JunkMail] Interesting SMTP connection patterns
Jay,

I can tell you why it didn't run for you. You have to turn DEP (Data Execution Prevention) off on the server. That will eliminate the BSOD and blackice will run flawlessly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Thursday, October 12, 2006 8:46 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Well, it didn't run for us. We tried and it caused random BSOD and ISS wouldn't provide any support.

-Jay
Re: [Declude.JunkMail] Interesting SMTP connection patterns
I would suggest not using Blackice to deal with spam issues, and using an anti-spam gateway that has greylisting, tarpitting, abuse detection and prevention, and address validation. Here's a list of products that have those capabilities that I know of:

Alligate Gateway
MS SMTP/Vamsoft ORF
IMgate (or other open source Linux MTA's with anti-spam connection handling)

I use Alligate Gateway and I swear by it. It blocks on average about 92% to 94% of connections to my gateways and the only FP's are caused by seriously non-compliant senders (not tolerating tarpitting of less than 1 minute if triggered and not spooling/retrying if greylisting is triggered). I'm not aware of Declude Interceptor yet supporting all of the capabilities that I outlined, but I would imagine that they are at least looking into these things.

IMO, it is dangerous to block IP's for more than a very short time due to bad address attempts because there is plenty of this that happens from legitimate servers and from even one's own clients. The only time to place a time based block for an IP should be when a mail bombing attempt is detected, and these are very rare. Spammers doing brute force spam attacks (aka dictionary attacks) almost always do this in a distributed manner and most don't hit a server more than once per day for a 1 minute or less period with a particular IP. So blocking those IP's does little.

My gateway handles up to 1.1 million connections a day, and I average around 700 concurrent connections, and the software averages maybe 5% CPU utilization on my box. My box also doles out about 2/3 of a year worth of tarpit time every day. This hampers spammers so much that many of them now disconnect after a very short period of being tarpitted. I have only had to whitelist one host from these protections in around 6 months of operation, so it takes care of itself.

Matt

Jay Sudowski - Handy Networks LLC wrote:

Well, it didn't run for us. We tried and it caused random BSOD and ISS wouldn't provide any support.

-Jay