Spam on the rebound

Posted by david
on 31 May 2009 at 21:13

Well, it looks like the spam levels this week have not only returned to their pre-McColo shutdown levels, but they’re beginning to surpass them.

Just before the McColo shutdown, my mail server was receiving roughly 75K emails per day during the week, somewhat less on the weekends. Afterwards, the level dropped to less than 20K per day, which is where it stayed through the end of the year. Since the beginning of the year the amount of mail hitting my mail server has been rising, hitting about 60K messages per day two weeks ago.

This past Monday, May 25, 74,372 messages hit the mail server. The next day, 80,312 — a new record for me (not that I’m trying for any records). Activity slacked off slightly after that with only 79,909 messages on Wednesday and 79,040 on Thursday before taking a dive on Friday when only 70,739 messages came knocking.

Not surprisingly, the amount of legitimate mail coming through has remained relatively stable, so all this increase is nothing but spam, most of which gets blocked outright at the server or shuffled off to the spam graveyard by the various spam filters I have in place.

You might be a spammer if …

A look at why the spam gets binned shows just how stupid the spammers are.

By far the biggest reason spam gets caught is because the spammer forges the email address to appear as if the sender is from the domain to which the spam is being sent. How many mail servers actually accept such email these days without requiring authentication first? The only way a local user of my systems is sending mail is by going through the internal mail server, not by connecting from a foreign IP address. This type of spam accounts for between 30% and 50% of all mail hitting my mail server.

A specialized variation of the above is impersonating the user being spammed. I get several of these a day via an email address I have forwarded from another domain, so blocking them at the SMTP server doesn’t do any good but bogofilter catches them just fine. Really, who would send a message to themselves with a subject of “Open or your a racial epithet” or “FW: Hi user@example.com visit me”? (Of course, I have to wonder about the intelligence of people who would actually bother to open such a message in the first place unless they’re analyzing their spam.)

Coming in at number two on the spam block meter is connections from IP addresses in the Spamhaus SBL and XBL lists. These addresses account for about 25% of all inbound SMTP connections.

Close behind in third place are bogus HELO hostnames, mainly localhost (sometimes fully-qualified as localhost.localdomain) and wireless_broadband_router. Less often the spammer uses the domain name, host name, or IP address of the host they’re connecting to. Bzzt, wrong.

The sender-SMTP MUST ensure that the <domain> parameter in a HELO command is a valid principal host domain name for the client host.

If anyone knows of a legitimate SMTP server that doesn’t provide the correct hostname in the HELO (or EHLO) command, I’d like to hear about it.

Though not too common, there is the occasional mangling of the SMTP protocol, or perhaps an attempt to break the server. Why else would email be sent to +.-_|@example.com or {%TO%}? Similarly, some mail purports to be from {$FROM} or {%FNAME%RND_NUM@%RND_DOM}.
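The rejection rules described above (forged local-domain senders from outside, SBL/XBL-listed clients, bogus HELO names, and placeholder or malformed addresses) can be expressed as a small envelope classifier. The following is an added example written for this page, not code from the post or from any mail server; the local domain, hostname, IP address, internal network and the DNSBL-listed address are all assumed or constructed values, and a real deployment would query the DNSBL instead of a static set.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed identity of the receiving server (not from the post).
LOCAL_DOMAIN = "example.com"
LOCAL_HOSTNAME = "mail.example.com"
LOCAL_IP = "192.0.2.10"

# Assumed network whose clients may submit mail as local users without SMTP AUTH.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# HELO names the post singles out as bogus.
BOGUS_HELO = {"localhost", "localhost.localdomain", "wireless_broadband_router"}

# Constructed stand-in for an SBL/XBL lookup; a real server queries the DNSBL.
DNSBL_LISTED = {"203.0.113.77"}

# Unexpanded mailer-template placeholders such as {%TO%}, {$FROM}, {%FNAME%RND_NUM@%RND_DOM}.
PLACEHOLDER_RE = re.compile(r"\{[%$]")


@dataclass
class Envelope:
    client_ip: str
    helo: str
    mail_from: str
    rcpt_to: str
    authenticated: bool = False


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].strip().lower()


def _local_part(addr: str) -> str:
    return addr.rpartition("@")[0].strip()


def classify(env: Envelope) -> str:
    """Return 'accept' or 'reject: <reason>', applying the checks in the order a
    server sees the data: connection, HELO, MAIL FROM, then the addresses."""
    ip = ipaddress.ip_address(env.client_ip)
    internal = any(ip in net for net in INTERNAL_NETS)

    # Connection stage: client listed in the SBL/XBL stand-in.
    if str(ip) in DNSBL_LISTED:
        return "reject: client IP is DNSBL-listed"

    # HELO stage: names that cannot be the client's own principal hostname,
    # including our own domain, hostname and address literal.
    helo = env.helo.strip().lower().strip("[]")
    if helo in BOGUS_HELO or helo in {LOCAL_DOMAIN, LOCAL_HOSTNAME, LOCAL_IP}:
        return f"reject: bogus HELO {env.helo!r}"

    # MAIL FROM stage: local users only submit from inside or after SMTP AUTH.
    if _domain(env.mail_from) == LOCAL_DOMAIN and not (internal or env.authenticated):
        return f"reject: forged local sender {env.mail_from!r} from outside"

    # Address sanity: leftover placeholders and local parts with no alphanumeric.
    for addr in (env.mail_from, env.rcpt_to):
        if PLACEHOLDER_RE.search(addr):
            return f"reject: unexpanded placeholder in {addr!r}"
        if not re.search(r"[A-Za-z0-9]", _local_part(addr)):
            return f"reject: malformed address {addr!r}"

    return "accept"


# Constructed sample envelopes, one per rule, plus two that should be accepted.
SAMPLES = [
    Envelope("203.0.113.77", "mx.somewhere.test", "a@somewhere.test", "bob@example.com"),
    Envelope("198.51.100.5", "localhost.localdomain", "a@somewhere.test", "bob@example.com"),
    Envelope("198.51.100.5", "[192.0.2.10]", "a@somewhere.test", "bob@example.com"),
    Envelope("198.51.100.5", "mx.somewhere.test", "alice@example.com", "bob@example.com"),
    Envelope("192.168.1.20", "pc.internal", "alice@example.com", "bob@example.com"),
    Envelope("198.51.100.5", "laptop.example.com", "alice@example.com", "bob@example.com", True),
    Envelope("198.51.100.5", "mx.somewhere.test", "a@somewhere.test", "{%TO%}"),
    Envelope("198.51.100.5", "mx.somewhere.test", "a@somewhere.test", "+.-_|@example.com"),
    Envelope("198.51.100.5", "mx.somewhere.test", "{%FNAME%RND_NUM@%RND_DOM}", "bob@example.com"),
    Envelope("198.51.100.5", "mx.somewhere.test", "a@somewhere.test", "bob@example.com"),
]


def run_samples() -> list:
    """Classify every sample envelope and return the verdicts in order."""
    return [classify(env) for env in SAMPLES]


if __name__ == "__main__":
    for env, verdict in zip(SAMPLES, run_samples()):
        print(f"{env.client_ip:>14} HELO {env.helo:<22} {env.mail_from} -> {env.rcpt_to}: {verdict}")
```

The checks are ordered by SMTP stage rather than by the post's frequency ranking, because a server can only reject the forged sender once it has seen MAIL FROM, whereas the DNSBL and HELO decisions are available earlier in the dialogue.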
