Mailstats
So… mail stats.
I’ve been using dnsbl.sorbs.net, sbl-xbl.spamhaus.org and some lesser-known RBLs. These 2 hosts made it to config v.2, as they stopped 99.9% of spam. Other RBLs have caught at most 20 messages since July 2005. It just doesn’t make sense to keep them and wait for their queries. Anything that can be stopped will be stopped by SORBS and Spamhaus. Another thing is that they complement each other nicely. SORBS and Spamhaus stop about 75% of spam each. Together they stop almost 100%, so it’s good to keep them both.
Now some graphs. Everyone loves them :)

This is the hourly ham/spam ratio… another obvious thing that I didn’t see at first. It looks like a good base for new SpamAssassin rules. Give messages after 17.00 and before 3.00 a 50% bonus for being spam and be free… It can be a problem for companies with worldwide contacts, but for a local one (Central/Eastern European in this case) it should work just fine.
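Both measurements above (how much spam each list catches alone versus together, and the spam share inside and outside the 17.00 to 3.00 window) can be computed from a per-message log. The script below is an added example, not the code behind these graphs. The log format and the sample records are constructed, and it assumes every message was checked against both lists, which an MTA that rejects on the first hit would not record.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: "timestamp verdict lists-that-matched" ("-" means no list hit).
SAMPLE = """\
2005-09-12T01:12:09 spam dnsbl.sorbs.net
2005-09-12T02:14:07 spam dnsbl.sorbs.net,sbl-xbl.spamhaus.org
2005-09-12T08:31:40 ham -
2005-09-12T09:02:11 ham -
2005-09-12T10:47:55 spam sbl-xbl.spamhaus.org
2005-09-12T13:20:03 ham -
2005-09-12T15:05:27 ham -
2005-09-12T17:45:19 spam dnsbl.sorbs.net,sbl-xbl.spamhaus.org
2005-09-12T19:05:33 spam dnsbl.sorbs.net,sbl-xbl.spamhaus.org
2005-09-12T20:40:51 spam dnsbl.sorbs.net
2005-09-12T21:58:02 spam sbl-xbl.spamhaus.org
2005-09-12T23:10:46 spam dnsbl.sorbs.net,sbl-xbl.spamhaus.org
2005-09-13T00:30:12 ham -
"""

def parse(text):
    """Yield (datetime, verdict, set of lists that matched) per log line."""
    for line in text.splitlines():
        ts, verdict, lists = line.split()
        hits = set() if lists == "-" else set(lists.split(","))
        yield datetime.fromisoformat(ts), verdict, hits

def rbl_coverage(records):
    """Fraction of spam listed by each RBL alone, and by at least one ("any")."""
    spam = [hits for _, verdict, hits in records if verdict == "spam"]
    per_list = Counter(name for hits in spam for name in hits)
    cov = {name: n / len(spam) for name, n in per_list.items()}
    cov["any"] = sum(1 for hits in spam if hits) / len(spam)
    return cov

def off_hours(ts, start=17, end=3):
    """True inside the window from the post: after 17.00 and before 3.00."""
    return ts.hour >= start or ts.hour < end

def spam_ratio_by_window(records):
    """Spam share of all mail, split into off-hours and office-hours."""
    counts = {"off": Counter(), "office": Counter()}
    for ts, verdict, _ in records:
        counts["off" if off_hours(ts) else "office"][verdict] += 1
    return {k: c["spam"] / max(1, sum(c.values())) for k, c in counts.items()}

RECORDS = list(parse(SAMPLE))
print(rbl_coverage(RECORDS))
print(spam_ratio_by_window(RECORDS))
```

On real data, a gap between the best single list and "any" is the measure of how much the lists complement each other, and a list whose removal leaves "any" unchanged is costing DNS queries for nothing.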
Another thing is the general spam distribution. Daily / monthly stats say nothing. Some rises, some falls, but with no pattern there. Same thing with the ‘per minute’ graph, but there is a rise near 0/59 min - maybe spamming scripts are run from simple schedulers? If everyone was synchronized to NTP servers something could show up… As usual, the most interesting one is the hourly graph.

Quite close to the general message count - strange. Ok, maybe not so strange, but we can assume it shows some things. For example - spam came mostly to unpublished addresses, so it probably came from typical hijacked hosts that received our mail. Web crawlers didn’t have much to say here. Ok - maybe they had - ~250 spams at 3.00 in the morning aren’t that normal.
Anyway, these addresses could only be found in outgoing mail to people at other companies, so there’s less spam outside the typical 6..16 hours range (office hours). One of the addresses was published on mail webpage, but it didn’t get many more spam hits than the others.
Summary:
We get spam from companies that know us. They are / exchange emails with zombies. Anything that doesn’t come in when we work can be almost safely deleted.
Watching that many IP numbers in logs made me think of… a 3D visualization based on spamming IP numbers :D I’m starting to like spam… this is going bad.