May 25, 2006

The ebb and flow of spam...

Spam's a weird thing. No matter what you do there's a whole great wad of it that gets flung around the internet. Yeah, I run SpamAssassin on my mailserver, have amavis scanning for virus mail with clamav, and have mt-blacklist installed on the blog, but that just slows things down.

Because of that, the recent (like last week) increase in the amount of e-mail spam and blog spam didn't really register as caused by anything special, even though the amount increased a lot. (Like a factor of five or six of stuff getting through as e-mail and a factor of 10 or 12 coming through on the blog.) That's kinda sad, that an increase like that goes by noticed but unremarked.

It turns out, though, that there was a reason, and no, it has nothing to do with nefarious doings on the dark and crusty edges of the IntarWeb.

I rebooted the server over the weekend.

Now, this wouldn't normally be remarkable in any way (though it is infrequent) except that one of the few things that I don't have preserved across reboots is my routing tables. And that wouldn't be all that special, except for a few weeks a while back I'd gone on a campaign of vicious black-hole routing machines that were making bogus trackback pings on Jane's website. The mt-tb.cgi program wasn't even there, so any hits on it that had a referrer showing it'd come from there were clearly bogus, and I threw in a reject route for 'em.

That was, for the record, a lot of reject routes. A few hundred, and they really could have been cleaned up (there were a number of netblocks clearly spamming) but I never bothered. Anyway, rebooting cleared 'em out and the spam just poured in. Ick.

Luckily, at one point I'd exited the shell I'd done most of 'em in (completely by accident), so a lot of the commands had been written out to my bash history file. Chopped 'em out, stuck 'em in a file, and re-installed the routes, and the spam's definitely cut way back, both blog and e-mail.
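The recovery described above, as an added example that is not part of the original post: a small POSIX sh script that pulls the targets of earlier reject/blackhole route commands out of a shell history file, keeps them in a persistent list, and turns that list into idempotent `ip route replace blackhole` commands that can be re-run from an init script on every boot. The history lines, the route file path and the temp-file demo are constructed for the example; the only real commands used are net-tools `route add ... reject`, `ip route`, and standard grep/awk/sed.

```shell
#!/bin/sh
# Added example (not from the original post): persist blackhole/reject routes
# in a file so a reboot does not silently drop them.
# ROUTE_FILE location and the sample history below are assumptions.

ROUTE_FILE="${ROUTE_FILE:-/etc/reject-routes.txt}"   # assumed persistent list

# Pull the targets of earlier "route add -host X reject" (net-tools) and
# "ip route add blackhole X" (iproute2) commands out of a shell history file,
# one address or CIDR per line, deduplicated and sorted.
extract_routes() {
    grep -E '^(sudo )?(route add -host [0-9.]+ reject|ip route add blackhole [0-9./]+)' "$1" \
    | awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) { print $i; break } }' \
    | sort -u
}

# Emit one ip(8) command per entry in the list file. Printing rather than
# executing lets the list be reviewed (or diffed) before it touches the
# kernel; "replace" makes re-running it on every boot harmless.
route_commands() {
    while read -r target; do
        case "$target" in
            ''|\#*) continue ;;                                      # blanks and comments
            */*)    printf 'ip route replace blackhole %s\n' "$target" ;;
            *)      printf 'ip route replace blackhole %s/32\n' "$target" ;;
        esac
    done < "$1"
}

# Install everything in ROUTE_FILE (needs root). Call this from rc.local or an
# init script so the routes come back after a reboot.
install_routes() {
    route_commands "$ROUTE_FILE" | sh
}

# Demo on a constructed history file; prints the commands instead of running them.
demo() {
    hist=$(mktemp)
    routes=$(mktemp)
    cat > "$hist" <<'EOF'
ls -l
route add -host 192.0.2.10 reject
ip route add blackhole 198.51.100.0/24
route add -host 192.0.2.10 reject
cd /var/log
EOF
    extract_routes "$hist" > "$routes"
    echo "# recovered route list:"
    cat "$routes"
    echo "# commands that install_routes would run:"
    route_commands "$routes"
    rm -f "$hist" "$routes"
}

demo
```

Once the list is in `ROUTE_FILE`, `install_routes` from an rc script is all a reboot needs; the list is also the natural place to collapse a run of individual hosts into the netblock they belong to, since a `/24` entry replaces any number of `/32` lines.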

I really hadn't realized how much of a difference it'd made, since the routes went in over the course of a couple of weeks, but when they went away... yow! Big difference, and bringing at least some of them back has made a big difference too.

I hadn't figured it'd make this big a difference, stopping that few machines. I'd mostly figured all this crap was coming from swarms of zombie PCs, and while I'm sure a lot of it is, there's apparently a good sized chunk that's coming from a relatively small number of big machines. Not a panacea for the spam problem, but heck, I'll take it.

Posted by Dan at May 25, 2006 06:42 PM

Are you using the Spamhaus SBL list?

It's very good at catching that stuff, normally.

Spamassassin will use it, if network rules are turned on.

Posted by: Justin Mason at June 1, 2006 11:00 AM

Yep, I'm using it, and it does catch a lot. (I should clean out my spam folder -- there's about a half-gig of spam in there dating back to the beginning of the year) With enough volume, alas, stuff still slips through.

Volume's back down again. Dunno why, but I'll take it.

Posted by: Dan at June 2, 2006 08:21 AM