[unisog] A little Storm data

Haudy Kazemi kaze0010 at umn.edu
Thu Jul 19 00:45:02 GMT 2007


Note: this message got stuck in an outgoing queue, hence the 2 IPs looked up 
now have less severe categorization flags than when I wrote this message.

On Jul 12 2007, Joseph Brennan wrote:

>
>Of 3,797 consecutive Storm messages yesterday:
>
>Mailed from    2,455 different IP addresses
>URL to         1,102 different IP addresses
>
>This shows how widespread it is, that we got fewer than 2 messages
>per IP, and the novel aspect that the web servers are also spread
>across a wide range of 'owned' hosts.
>
>One more thing-- no host appears as both a mail sender and web server.

Can you run a reverse-DNS report on the IP range, and then identify how 
many of these IPs either don't have any reverse DNS or are apparently on 
regular consumer-class dialup/DSL/cable modem connections?

At the University of Minnesota, incoming emails are locally checked against 
several criteria that can lead to blocking. It has been working quite well 
in practice (personal experience shows little spam squeaking by, and few 
false positives where valid messages get blocked). Blocking reasons:

DNS - Reverse DNS
DSN - Delivery Status Notification
DUL - Dial-up Line or Dynamic IP Address
INS - Insecure Server
OPT - Opt-in/out
OVF - Originator Validation Failure
OBL - Originator Address Blocked
PRV - Protocol Violation
SPM - Known Source of Junk Mail
UAA - Unauthorized Access Attempt
USR - User Block
VIR - Virus Detected

Better descriptions are here:
https://www.umn.edu/dirtools/etc/blockreasons.html

I'd be curious to see what results you get if you try a few of the detected 
'Storm' IPs to see how the UMN email system is handling them:

https://www.umn.edu/dirtools/blockcheck

Results of run against two previously posted IPs:

https://www.umn.edu/dirtools/blockcheck?host=24.93.201.2
  Dynamic IP - Blocked - Server has a dynamic IP address. You must route 
    outgoing mail via your ISP's mail relay (aka nexthop/smarthost). [UMN]
  Blocked [PBL]
  Insecure Server - Blocked - Server is an open relay or proxy, or has been 
    detected as being infected with a mail virus or trojan. [CBL]
  Insecure Server - Blocked - Server is an open relay or proxy, or has been 
    detected as being infected with a mail virus or trojan. [XBL]
  DNS - All checks OK - No DNS problems found.
  Hostname: cpe-24-93-201-2.neo.res.rr.com.

https://www.umn.edu/dirtools/blockcheck?host=65.190.29.151
  Dynamic IP - Blocked - Server has a dynamic IP address. You must route 
    outgoing mail via your ISP's mail relay (aka nexthop/smarthost). [UMN]
  Blocked [PBL]
  DNS - All checks OK - No DNS problems found.
  Hostname: cpe-065-190-029-151.triad.res.rr.com.

Thanks,

Haudy Kazemi
University of Minnesota
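An added example (not from the original thread or the UMN tools) that does the triage asked about above for a list of sender IPs: reverse DNS, a consumer-hostname heuristic, and a Spamhaus ZEN query whose answer codes map to SBL/XBL(CBL)/PBL. The DYNAMIC_RE patterns are my own assumption about what consumer PTR names look like, and the lookup functions are injectable so the same code can be exercised against canned answers without network access.

```python
import ipaddress
import re
import socket

# Spamhaus ZEN answer codes (as published by Spamhaus): 127.0.0.2-3 SBL,
# 127.0.0.4-7 XBL (which carries the CBL data), 127.0.0.10-11 PBL.
ZEN_CODES = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL", 10: "PBL", 11: "PBL"}

# Heuristic for PTR names of consumer dial-up/DSL/cable hosts (an assumption made for
# this example): a tell-tale label, or the address itself embedded in the name.
DYNAMIC_RE = re.compile(
    r"(^|[.-])(cpe|dyn|dynamic|dsl|adsl|cable|pool|ppp|dhcp|dial|res)([.-]|$)"
    r"|\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}", re.IGNORECASE)

def reverse_octets(ip):
    """24.93.201.2 -> '2.201.93.24', the label order used by in-addr.arpa and DNSBL zones."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def ptr_lookup(ip):
    """Live reverse DNS; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def dnsbl_lookup(name):
    """Live DNSBL query; the list of A records, empty (NXDOMAIN) when not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(ip, ptr=ptr_lookup, dnsbl=dnsbl_lookup, zone="zen.spamhaus.org"):
    """Triage one sender: reverse DNS present?, consumer-looking name?, ZEN listings."""
    hostname = ptr(ip)
    answers = dnsbl(f"{reverse_octets(ip)}.{zone}")
    lists = {ZEN_CODES.get(int(a.rsplit(".", 1)[1]), f"unknown:{a}") for a in answers}
    return {"ip": ip, "hostname": hostname, "no_rdns": hostname is None,
            "looks_dynamic": bool(hostname and DYNAMIC_RE.search(hostname)),
            "dnsbl": sorted(lists)}

def summarize(ips, **lookups):
    """Counts for a batch of senders: no reverse DNS, consumer-looking name, PBL-listed."""
    results = [classify(ip, **lookups) for ip in ips]
    return {"total": len(results),
            "no_rdns": sum(r["no_rdns"] for r in results),
            "looks_dynamic": sum(r["looks_dynamic"] for r in results),
            "pbl_listed": sum("PBL" in r["dnsbl"] for r in results)}
```

Calling `classify("24.93.201.2")` with the default lookups performs live DNS queries against the resolver and Spamhaus; `summarize([...])` gives the per-batch counts the question above asks for.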
