I noticed today that there was a significant amount of SMTP traffic to my little box. When I looked at /var/log/daemon they had all rolled over in less than 4-5 hours. Most of the entries were spamd reports, all from the same netblocks.

When I query spamdb I see something like 350,000 greylisted entries to hosts within the following netblocks:

205.209.128.0/18
208.77.40.0/21

Doing anything with spamdb (to filter or process it in some way) takes quite a long time -- like over a minute.

Of course, every single one of these attempts has a bogus (and not trapped) to/from email pair. Postfix would just reject these out of hand if it ever saw them.

I have no idea how long this has been going on, but I'm seeing messages being rejected several times every second, with a stall/stutter of just under a minute. And it has been going on for hours -- at least all morning.

I blacklisted these netblocks (quite frankly, I don't care if there is a legit message being passed from an IP in this range) and now my spamdb is starting to shrink.

Anyone else seeing this? Is it possible to blow up the spamd database in this manner, if I hadn't intervened?

At any rate, not one piece of spam got through to my MUA, and I'm reasonably sure my MTA hasn't seen a message in days (like I said, this is a very little box that normally sees only a few incoming messages a week). So, kudos to spamd. It's just a weird phenom that I thought I'd pass on.

-- 
clvrmnky <mailto:spamtrap@clevermonkey.org>
Direct replies to this address will be blacklisted. Replace "spamtrap" with my name to contact me directly.
Begin <fpmuqj$2e1$1@aioe.org>
On Fri, 22 Feb 2008 11:54:50 -0500, Clever Monkey <spamtrap@clevermonkey.org.INVALID> wrote:

[spam flood]

> Anyone else seeing this?

You'd probably better look in places like NANAE, NANAS, or look the blocks up in DNSBLs like spamcop's, than to ask here about spamfloods.

> Is it possible to blow up the spamd database in this manner, if I hadn't
> intervened?

I don't know enough about spamd to comment in any detail. One doesn't need to store that much data (ip, timestamp, maybe some flags, database overhead), so multiply the size of the netblocks (2^14+2^11) with the record size, and you have an estimate of the database size. It's probably possible to fill the disk... eventually, given enough IPAs in the database. It might be worth a look at what record size it uses.

-- 
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text. Any other representation, additions, or changes do not have my consent and may be a violation of international copyright law.
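The original post describes the symptom (hundreds of thousands of GREY entries from two netblocks, spamdb taking over a minute to answer) and the reply sketches a database size estimate of netblock size times record size. The script below is an added example written for this page; it is not code from the thread, from OpenBSD or from spamd. It parses spamdb(8) dump output (record layout as documented in spamdb(8): GREY|ip|helo|from|to|first|pass|expire|block|pass, with the source address in the second field for every record type), rolls GREY entries up per netblock, flags blocks where many entries come from several distinct hosts as blacklist candidates, and computes the one-record-per-address size bound from the reply. The sample records, the /18 roll-up, the thresholds and the 64-byte record size are constructed for illustration. Note that spamd keys greylist entries on the (ip, from, to) tuple, so a host cycling bogus sender/recipient pairs produces many GREY records, which is why the entry count can dwarf the number of hosts in a block and why the size bound is only a lower bound.

```python
"""Spot a greylist flood in spamdb(8) output and size the worst case.

spamdb with no options dumps one record per line. Greylist records are
    GREY|ip|helo|from|to|first|pass|expire|block|pass
and the source address is the second field whatever the record type.
spamd keys greylist entries on (ip, from, to), so one host cycling bogus
sender/recipient pairs creates many GREY records.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample of spamdb output (not a real capture). Hosts in the two
# netblocks from the thread cycle through bogus sender/recipient pairs; one
# unrelated greylisted host, one WHITE record, one TRAPPED record and one
# garbage line round it out.
SAMPLE_SPAMDB = """\
GREY|205.209.130.17|mx.example|a1@bogus.invalid|u1@example.org|1203700000|1203714400|1203714400|1|0
GREY|205.209.130.17|mx.example|a2@bogus.invalid|u2@example.org|1203700010|1203714410|1203714410|1|0
GREY|205.209.131.9|mx.example|a3@bogus.invalid|u3@example.org|1203700020|1203714420|1203714420|1|0
GREY|208.77.41.200|mx.example|a4@bogus.invalid|u4@example.org|1203700030|1203714430|1203714430|1|0
GREY|198.51.100.5|mail.friendly.example|alice@friendly.example|me@example.org|1203700040|1203714440|1203714440|1|0
WHITE|203.0.113.7|||1203600000|1203603600|1206800000|1|3
TRAPPED|192.0.2.44|1203800000
this line is garbage and must be skipped
"""


def grey_entries_per_ip(lines: Iterable[str]) -> Counter:
    """Count GREY records per source IP. Malformed lines are skipped rather
    than fatal: re-running over a 350,000-line dump is what we want to avoid."""
    counts: Counter = Counter()
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) < 2 or fields[0] != "GREY":
            continue
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # not an address; skip the record
        counts[str(ip)] += 1
    return counts


def summarize_prefixes(per_ip: Counter, prefixlen: int) -> Dict[str, Tuple[int, int]]:
    """Roll per-IP counts up to /prefixlen networks.
    Returns {network: (grey_entries, distinct_hosts)}."""
    entries: Counter = Counter()
    hosts: Dict[str, set] = {}
    for ip, n in per_ip.items():
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        entries[net] += n
        hosts.setdefault(net, set()).add(ip)
    return {net: (entries[net], len(hosts[net])) for net in entries}


def flood_candidates(summary: Dict[str, Tuple[int, int]],
                     min_entries: int, min_hosts: int) -> List[str]:
    """Networks worth blacklisting: many GREY entries spread over several
    hosts (one busy legitimate MX shows many entries from a single host).
    One CIDR per element, the shape a pf table file expects."""
    picked = [net for net, (n, h) in summary.items()
              if n >= min_entries and h >= min_hosts]
    # sort by (version, network) so a mixed v4/v6 list does not raise
    return sorted(picked, key=lambda s: (ipaddress.ip_network(s).version,
                                         ipaddress.ip_network(s)))


def worst_case_db_bytes(cidrs: Iterable[str], record_bytes: int) -> int:
    """The reply's estimate: one record per address in the block times an
    assumed record size (64 bytes below is a guess, not a measured value).
    A lower bound only, since spamd keys on (ip, from, to), not ip alone."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs) * record_bytes


if __name__ == "__main__":
    per_ip = grey_entries_per_ip(SAMPLE_SPAMDB.splitlines())
    summary = summarize_prefixes(per_ip, 18)
    for net, (n, h) in sorted(summary.items()):
        print(f"{net:20} {n:6} entries {h:4} hosts")
    print("candidates:", flood_candidates(summary, min_entries=3, min_hosts=2))
    print("worst case bytes:",
          worst_case_db_bytes(["205.209.128.0/18", "208.77.40.0/21"], 64))
```

To run it against a live database, replace `SAMPLE_SPAMDB.splitlines()` with `sys.stdin` and pipe `spamdb` output into the script; what you then do with the candidate list (a pf table, spamd's blacklist configuration) is an operator decision the thread does not settle.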
On Fri, 22 Feb 2008 17:54:50 +0100, Clever Monkey <spamtrap@clevermonkey.org.INVALID> wrote:

> I noticed today that there was a significant amount of SMTP traffic to
> my little box. When I looked at /var/log/daemon they had all rolled
> over in less than 4-5 hours. Most of the entries were spamd reports,
> all from the same netblocks.
>
> When I query spamdb I see something like 350,000 greylisted entries to
> hosts within the following netblocks:
>
> 205.209.128.0/18
> 208.77.40.0/21
>
> [...]
>
> I blacklisted these netblocks (quite frankly, I don't care if there is a
> legit message being passed from an IP in this range)

Are you sure? Both blocks are registered with companies just 55 miles from your location.

> [...]

-- 
Made with Opera's revolutionary e-mail program: http://www.opera.com/mail/
Boudewijn Dijkstra wrote:
> On Fri, 22 Feb 2008 17:54:50 +0100, Clever Monkey
> <spamtrap@clevermonkey.org.INVALID> wrote:
>> I noticed today that there was a significant amount of SMTP traffic to
>> my little box. When I looked at /var/log/daemon they had all rolled
>> over in less than 4-5 hours. Most of the entries were spamd reports,
>> all from the same netblocks.
>>
>> When I query spamdb I see something like 350,000 greylisted entries to
>> hosts within the following netblocks:
>>
>> 205.209.128.0/18
>> 208.77.40.0/21
>>
>> [...]
>>
>> I blacklisted these netblocks (quite frankly, I don't care if there is
>> a legit message being passed from an IP in this range)
>
> Are you sure? Both blocks are registered with companies just 55 miles
> from your location.
>

I'm pretty sure I'm not in or near Fremont, California, so I'm not sure what you mean. GeoIP stuff is chancy, at best; those "girls in your area looking for dates" web ads on some sites guess close, but not quite, when I surf from home. Those ads agree with me about not appearing to originate from anywhere near California.

Perhaps you are mistaking a two-letter ISO code for a two-letter state abbreviation, both of which get used in whois records?

This pointless spam flood has stopped for now. I was more puzzled than worried, as I don't see what such activity can possibly gain anyone.

-- 
clvrmnky <mailto:spamtrap@clevermonkey.org>
Direct replies to this address will be blacklisted. Replace "spamtrap" with my name to contact me directly.
On Mon, 25 Feb 2008 17:36:56 +0100, Clever Monkey <spamtrap@clevermonkey.org.INVALID> wrote:

> Boudewijn Dijkstra wrote:
>> On Fri, 22 Feb 2008 17:54:50 +0100, Clever Monkey
>> <spamtrap@clevermonkey.org.INVALID> wrote:
>>> I noticed today that there was a significant amount of SMTP traffic to
>>> my little box. When I looked at /var/log/daemon they had all rolled
>>> over in less than 4-5 hours. Most of the entries were spamd reports,
>>> all from the same netblocks.
>>>
>>> When I query spamdb I see something like 350,000 greylisted entries to
>>> hosts within the following netblocks:
>>>
>>> 205.209.128.0/18
>>> 208.77.40.0/21
>>>
>>> [...]
>>>
>>> I blacklisted these netblocks (quite frankly, I don't care if there is
>>> a legit message being passed from an IP in this range)
>> Are you sure? Both blocks are registered with companies just 55 miles
>> from your location.
>>
> I'm pretty sure I'm not in or near Fremont, California, so I'm not sure
> what you mean. GeoIP stuff is chancy, at best; those "girls in your
> area looking for dates" web ads on some sites guess close, but not
> quite, when I surf from home. Those ads agree with me about not
> appearing to originate from anywhere near California.

Whoops.

> Perhaps you are mistaking a two-letter ISO code for a two-letter state
> abbreviation, both of which get used in whois records?

Yep, that's it. Extra-confusing for outsiders is the shared telephone country code.

> This pointless spam flood has stopped for now. I was more puzzled than
> worried, as I don't see what such activity can possibly gain anyone.

You probably won't get a satisfactory answer even from the perpetrators.

-- 
Made with Opera's revolutionary e-mail program: http://www.opera.com/mail/