Three factors are noteworthy this month (see also part 2 of this blog for further commentary):
1. The absolute number of "good" emails has gone up this month. This is at least partly due to increased business activity here, though two significant DNS block lists (Osirusoft and monkeys.com) have been shut down in the past two months and so the amount of unreported spam in this figure is probably a little higher than usual.
2. Local blocking continues to be very effective and now kills more spam at source than DNSBLs. This seems set to continue.
3. The number of messages rejected with "550 no such user" has increased by 250%. This is due to a spammer's use of one of our domain names in a spam run which seems to have been targeted largely at AOL users. The username parts of the forged "from" addresses in our domain were randomised and have never actually existed here. When these spams were queued at AOL for non-existent users there, the resulting delivery status notifications from AOL to our forged users were rejected.
1. Tony Kelleran, 01/10/2003 22:56:53
Homepage: http://www.dominodude.com
Love the stats!
2. Stoomaroo, 09/10/2003 21:22:46
Regarding your "550 - No such user" -- I am looking at recommendations from IBM saying that:
"The most insidious types of attacks can occur when spammers attempt to use your SMTP mail server's directory against you. Spammers may use a 'name' dictionary to send random name combinations as recipients of SMTP mail to your mail server. They then harvest responses to these 'dictionary' mailings to build a list of valid e-mail addresses that can be sold or targeted for more spam in the future.
For example, in its default setting, the Domino SMTP task attempts to return mail that is undeliverable to the sender with a delivery failure message. When Domino operates in this mode, the spammer can use returned information to 'cleanse' their dictionary of bad addresses by tracking subject, sender, and recipient information. Addresses for which the spammer receives non-delivery reports can be removed from their spamming list; other addresses are maintained as valid spam targets. This is called an SMTP Harvesting attack."
Great...do you find this a problem? A real consideration in your experience? IBM's response is to allow all this mail into your mail.box, and [basically] purge/analyze it manually...hmm, I dunno?
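As an added example (not code from the original post or its comments), the following Python groups "550 no such user" rejections from constructed log lines by connecting client and separates the backscatter pattern described in the post (DSNs with a null or MAILER-DAEMON sender addressed to forged local parts) from the directory-harvest pattern in the IBM text quoted above (one client with a real sender probing many distinct nonexistent recipients). The log format, addresses and the threshold of four probes are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines in a simplified MTA reject-log format (not taken from
# the original post); each line records one recipient rejected with 550.
SAMPLE_LOG = """\
2003-10-01 10:02:11 client=205.188.0.10 from=<> to=<qz81kd@example.org> 550 no such user
2003-10-01 10:02:13 client=205.188.0.10 from=<> to=<mjt04@example.org> 550 no such user
2003-10-01 10:02:19 client=205.188.0.11 from=<MAILER-DAEMON@aol.com> to=<bb1x7@example.org> 550 no such user
2003-10-01 10:05:40 client=198.51.100.7 from=<sales@bulk.invalid> to=<alan@example.org> 550 no such user
2003-10-01 10:05:41 client=198.51.100.7 from=<sales@bulk.invalid> to=<alice@example.org> 550 no such user
2003-10-01 10:05:41 client=198.51.100.7 from=<sales@bulk.invalid> to=<alex@example.org> 550 no such user
2003-10-01 10:05:42 client=198.51.100.7 from=<sales@bulk.invalid> to=<amy@example.org> 550 no such user
2003-10-01 10:09:03 client=192.0.2.55 from=<bob@partner.invalid> to=<jon@example.org> 550 no such user
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> 550"
)

def classify_rejections(log_text, harvest_threshold=4):
    """Group 550 rejections by connecting client and label each client.
    backscatter: DSNs (null or MAILER-DAEMON/postmaster sender) bounced to
    forged local parts that never existed here, as described in the post.
    harvest: one client with a real sender probing many distinct nonexistent
    recipients, the dictionary pattern in the IBM text quoted above.
    """
    per_client = defaultdict(lambda: {"total": 0, "backscatter": 0, "rcpts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a 550 reject line; ignore it
        rec = per_client[m["client"]]
        rec["total"] += 1
        rec["rcpts"].add(m["rcpt"].lower())
        sender = m["sender"].lower()
        if sender == "" or sender.startswith(("mailer-daemon@", "postmaster@")):
            rec["backscatter"] += 1
    report = {}
    for client, rec in per_client.items():
        probes = rec["total"] - rec["backscatter"]  # rejects carrying a real sender
        if rec["backscatter"] and probes == 0:
            label = "backscatter"
        elif probes >= harvest_threshold and len(rec["rcpts"]) >= harvest_threshold:
            label = "harvest"
        else:
            label = "benign"
        report[client] = {"total": rec["total"], "backscatter": rec["backscatter"], "label": label}
    return report
```

Rejecting unknown recipients at SMTP time, as the post's "550" figures reflect, means the harvest labels above come from your own reject log rather than from bounces you had to generate and send.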