[Asrg] Something I noticed...

der Mouse <mouse@Rodents-Montreal.ORG> Fri, 03 July 2009 20:57 UTC

From: der Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <200907032057.QAA01431@Sparkle.Rodents-Montreal.ORG>
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
Date: Fri, 3 Jul 2009 16:44:17 -0400 (EDT)
To: asrg@irtf.org
Subject: [Asrg] Something I noticed...

To get back to the research we are supposedly doing here....

I recently noticed something odd.  It could be nothing but a quirk of
my mail stream, or it could be something serious spamwatchers know all
about but I've missed - but it also might possibly be useful somehow.

My mailer does DNSBL checks.  One of them, probably the most useful
single one, is the Spamhaus Zen list.  But I noticed Zen-listed hosts
had a tendency to hammer on me despite 100% rejections (not surprising
in view of how much spammers, especially botnet-using spammers, pay
attention to things like SMTP response codes, i.e., not at all).  So I
added a decoration: when a Zen-listed host tries to send me mail, it
goes into a router-based blacklist between my SMTP server and the
world, for 24 hours (longer if it retries during the 24 hours).  This
helps keep my logs clean, and that's the major value it holds for me;
I'm not under any delusions that anyone is paying any attention. :)

But, recently, looking at the plots of my router blacklist size, I
noticed some interesting artifacts.  On investigating, it turns out
that every once in a while (every few days), rather than puttering
along at its usual pace of a half-dozen events an hour, the Zen-driven
blacklist takes a big spike, jumping by something like 50 or 60 within
a couple of minutes.

I have speculation about what's behind this, but I'm sure many of you
do too (probably the same speculation in a lot of cases).  What I'm
really writing here for is, anyone have any idea for anything useful I
can do with the information?  I'll be happy to provide anyone who wants
with a feed of the underlying data, though I daresay those serious
about this stuff already have such data of their own.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
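As an added illustration (not code from the post or from its author), a Python sketch of the decoration described above: a DNSBL hit puts the sending host into a 24-hour block that any retry during the block extends, and a sliding-window count over the listing timestamps flags the kind of burst seen in the blacklist-size plots. The `is_listed` callable stands in for the Zen lookup, and the traffic in `demo()` is constructed.

```python
from datetime import datetime, timedelta

BLOCK_TTL = timedelta(hours=24)

class RouterBlocklist:
    """DNSBL hit -> 24 h router block; a retry while blocked extends the block."""
    def __init__(self, is_listed):
        self.is_listed = is_listed  # callable(ip) -> bool; stand-in for the Zen answer
        self.expiry = {}            # ip -> datetime when the block lapses
        self.additions = []         # timestamps of new listings (what gets plotted)

    def connect(self, ip, now):
        exp = self.expiry.get(ip)
        if exp is not None and now < exp:
            self.expiry[ip] = now + BLOCK_TTL  # retry during the block: extend it
            return "dropped"
        if exp is not None:
            del self.expiry[ip]                # block lapsed; check the sender afresh
        if self.is_listed(ip):
            self.expiry[ip] = now + BLOCK_TTL
            self.additions.append(now)
            return "rejected"
        return "accepted"

    def size(self, now):
        return sum(1 for e in self.expiry.values() if now < e)

def spikes(timestamps, window=timedelta(minutes=2), threshold=50):
    """Times at which a burst of >= threshold new listings inside `window` is first seen."""
    ts = sorted(timestamps)
    found, start = [], 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        if end - start + 1 >= threshold and (not found or t - found[-1] > window):
            found.append(t)
    return found

def demo():
    """Constructed traffic: ~6 listed senders/hour for 6 h, then 55 within 108 s."""
    listed = {f"192.0.2.{i}" for i in range(1, 100)}  # constructed set of listed hosts
    bl = RouterBlocklist(lambda ip: ip in listed)
    t0 = datetime(2009, 7, 3, 12, 0)
    for i in range(36):
        bl.connect(f"192.0.2.{i + 1}", t0 + timedelta(minutes=10 * i))
    for i in range(55):
        bl.connect(f"192.0.2.{40 + i}", t0 + timedelta(hours=7, seconds=2 * i))
    return bl, t0
```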