[unisog] A little Storm data

Joseph Brennan brennan at columbia.edu
Thu Jul 19 14:29:57 GMT 2007

--On Wednesday, July 18, 2007 19:45 -0500 Haudy Kazemi <kaze0010 at umn.edu> 

> On Jul 12 2007, Joseph Brennan wrote:
>> Of 3,797 consecutive Storm messages yesterday:
>> Mailed from 	2,455 different IP addresses
>> URL to 		1,102 different IP addresses
>> This shows how widespread it is, that we got fewer than 2 messages
>> per IP, and the novel aspect that the web servers are also spread
>> across a wide range of 'owned' hosts.
>> One more thing-- no host appears as both a mail sender and web server.
> Can you run a reverse-dns report on the IP range, and then identify how
> many of these IPs either don't have any reverse-dns or are apparently on
> regular consumer class dialup/DSL/cable modem connections?

The amount has been increasing.

Sunday:		 6,511
Monday:		 8,615
Tuesday:	13,123
Wednesday:	18,269

That 18,269 came from 6,274 different hosts and the URL in text
was 2,985 different hosts.  With this larger sample we finally saw
a few hosts in both lists, but only 4, and of those the host that
sent mail never referred to itself for the URL.  One of the mail
senders got listed in Spamhaus during the day.

Both the mail and web IPs are mostly dialup/dsl/cable judging by
their names.  The web hosts might all be.  Some of the mail hosts
are mail servers though, passing it along :-(

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
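
The tallies reported in the message above (distinct sending IPs, distinct URL IPs, hosts in both lists, hosts that point at themselves, and a rough reverse-DNS classification) can be reproduced with a short script. This is an added example, not code from the original post; the record layout, the sample data and the name tokens in the regex are assumptions.

```python
import re

# Constructed sample: (sending IP, sender PTR name or None, IP in the message URL).
# Addresses come from documentation ranges; the host names are made up.
SAMPLE = [
    ("192.0.2.10", "dsl-10-2-0-192.pool.example.net", "198.51.100.7"),
    ("192.0.2.10", "dsl-10-2-0-192.pool.example.net", "198.51.100.8"),
    ("192.0.2.44", None, "198.51.100.7"),
    ("203.0.113.5", "mail.example.org", "192.0.2.10"),
    ("198.51.100.8", "cable-8-100-51-198.example.com", "203.0.113.99"),
]

# Heuristic only (assumed token list): substrings that often mark consumer
# access pools in PTR names. Expect false positives and misses.
CONSUMER = re.compile(r"(dsl|dial|ppp|cable|dhcp|dyn|pool|cust)", re.I)

def classify(rdns):
    """Bucket a sender by its reverse-DNS name."""
    if not rdns:
        return "no-rdns"
    return "consumer" if CONSUMER.search(rdns) else "other"

def summarize(records):
    """Compute the same counts the post reports for one day's messages."""
    senders = {s for s, _, _ in records}
    web = {u for _, _, u in records}
    # Hosts whose own message advertises their own address as the URL.
    self_ref = {s for s, _, u in records if s == u}
    classes = {}
    for name in {s: r for s, r, _ in records}.values():  # one name per sender IP
        label = classify(name)
        classes[label] = classes.get(label, 0) + 1
    return {
        "messages": len(records),
        "sender_ips": len(senders),
        "url_ips": len(web),
        "in_both": sorted(senders & web),
        "self_referring": sorted(self_ref),
        "sender_classes": classes,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```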
