[Dshield] Extreme increase in spam attempts... any one else seeing similar event?

Castle, Shane scastle at co.boulder.co.us
Fri Aug 17 14:45:31 GMT 2007


No, my spam volume and percentages are pretty much constant for the
week:

Threats: Spam Report    8/13/2007    8/19/2007    MDT

Spam Volume Trends
Time               Inbound    Outbound
8/13/2007 00:00    117985
8/14/2007 00:00    152457
8/15/2007 00:00    108398
8/16/2007 00:00    115857
8/17/2007 00:00    41623
8/18/2007 00:00    0
8/19/2007 00:00    0

Spam Detection Summary
Total Inbound Spam Identified      536320
Inbound Spam Volume                91.20%
Invalid Email Detected             433156
Spam Beacons Detected              51853
System Real Time Blackhole List    0

Spam Policy Actions
Quarantine    100543
Tag           0
Deny          435778
Other         0

Above is from MX Logic.  Note the inbound spam percentage.  That's just
sad.

--
Shane Castle

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Chris Phillips
Sent: Friday, August 17, 2007 08:26
To: list at lists.dshield.org
Subject: [Dshield] Extreme increase in spam attempts... any one else
seeing similar event?

Hi

Since yesterday (16 Aug 6pm EDT) I am seeing a HUGE increase in spam
activity:
sed -n '/^Aug 16 18/,$p' /var/log/smtpd.log | egrep 'Not allowed' | wc -l
   12110
sed -n '/^Aug 16 18/,$p' /var/log/smtpd.log | egrep 'Not allowed' | egrep UNKNOWN | wc -l
     480
(This is less than 24 hours!)
vs
a previous 24 hour period...
sed -n '/^Aug 14 18/,/^Aug 15 18/p' /var/log/smtpd.log | egrep 'Not allowed' | wc -l
     115
sed -n '/^Aug 14 18/,/^Aug 15 18/p' /var/log/smtpd.log | egrep 'Not allowed' | egrep 'UNKNOWN' | wc -l
      38

The interesting factor is that the majority of this is coming from DNS
registered hosts:
480 out of 12110 = 4% not registered
as opposed to 38 out of 115 = 38% normally...

Any ideas about what might be happening?

(Also note that these almost totally don't have valid local email
addresses as the recipient, though the domain seems to be correct
mostly.
[This is from hand sampling so I don't have specific #'s])

C
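
Added example (not part of either message): the same counts the sed/egrep/wc pipelines in the quoted post produce, broken out per hour so the onset of a spike and the share of UNKNOWN (not DNS registered) clients show up in one pass. Only the strings 'Not allowed' and 'UNKNOWN' and the timestamp prefix come from the post; the rest of the log line layout, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Hourly summary of rejected SMTP attempts.
# Assumption: syslog-style lines ("Mon DD HH:MM:SS ...") where a rejection
# contains "Not allowed" and a client without a DNS name contains "UNKNOWN".

reject_summary() {
    # stdin: log lines
    # stdout: one line per hour: "Mon DD HH rejects unknown pct_unknown"
    awk '
        /Not allowed/ {
            key = $1 " " $2 " " substr($3, 1, 2)      # month, day, hour
            if (!(key in total)) order[++n] = key     # keep first-seen order
            total[key]++
            if (/UNKNOWN/) unknown[key]++
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                printf "%s %d %d %.0f%%\n", k, total[k], unknown[k],
                       100 * unknown[k] / total[k]
            }
        }'
}

# Constructed sample input (not taken from the poster's log).
sample_log() {
    cat <<'EOF'
Aug 16 17:58:02 mx smtpd[101]: Not allowed: host=UNKNOWN/192.0.2.10 to=<a@example.org>
Aug 16 17:59:40 mx smtpd[102]: connect host=mail.example.net/198.51.100.7
Aug 16 18:00:05 mx smtpd[103]: Not allowed: host=dsl-1.example.net/198.51.100.21 to=<b@example.org>
Aug 16 18:00:09 mx smtpd[104]: Not allowed: host=cable-7.example.com/203.0.113.5 to=<c@example.org>
Aug 16 18:01:33 mx smtpd[105]: Not allowed: host=UNKNOWN/192.0.2.44 to=<d@example.org>
Aug 16 18:02:10 mx smtpd[106]: Not allowed: host=dsl-9.example.net/198.51.100.90 to=<e@example.org>
EOF
}

# Stand-alone run on the constructed sample; on a real host use:
#   reject_summary < /var/log/smtpd.log
sample_log | reject_summary
```

A sudden rise in the rejects column together with a drop in the UNKNOWN percentage is the pattern the post describes.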
