Re: [Asrg] Need to know

Markus Stumpf <maex-lists-spam-ietf-asrg@space.net> Tue, 27 May 2003 20:31 UTC

From: Markus Stumpf <maex-lists-spam-ietf-asrg@space.net>
To: Scott Nelson <scott@spamwolf.com>
Cc: asrg@ietf.org
Subject: Re: [Asrg] Need to know
Message-ID: <20030527222705.F69236@Space.Net>
References: <aT5vaIe86J8qbrFzc02@x>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <aT5vaIe86J8qbrFzc02@x>; from scott@spamwolf.com on Tue, May 27, 2003 at 12:49:41AM -0700
Organization: SpaceNet AG, Muenchen, Germany
Date: Tue, 27 May 2003 22:27:05 +0200

On Tue, May 27, 2003 at 12:49:41AM -0700, Scott Nelson wrote:
> Still, if we knew the average number of recipients for spam 
> messages currently, and the average number for non-spam,

I used the maillog of one of our mailservers of the last 22 hours.
It saw
    128582  RCPT TO commands in
    110709  connections
(the data is cleaned of 5 customers that did newsletter injects today
that consisted of about 100-250 recipients per connection).

Please note that this mailserver is used by our customers as an outgoing
relay and also by external users as a MX host. If you think this will
make the data inaccurate I could try to filter out our customers to
get better figures.

The distribution is
    102252  1   (aka 102252 times 1 recipient per connection)
      4562  2
      1983  3
       674  4
       435  5
       351  6
       132  7
       109  8
       101 10
        52  9
        16 13
         9 15
         9 12
         8 11
         3 16
         3 14
         2 17
         1 74
         1 70
         1 65
         1 41
         1 26
         1 25
         1 22
         1 20

If I only use those hosts that weren't
    a) rejected for sender address blocks (spam)
    b) rejected for recipient address blocks (spam)
    c) tagged because listed with DNSBLs
the distribution is
     66269  1
      2781  2
       575  3
       248  4
       125  5
        84  6
        54  7
        54 10
        39  8
        21  9
         4 13
         3 15
         3 12
         3 11
         2 16
         1 22
         1 17
         1 14

The distribution for all "spam" classified emails is:
     35983  1
      1781  2
      1408  3
       426  4
       310  5
       267  6
        78  7
        70  8
        47 10
        31  9
        12 13
         6 15
         6 12
         5 11
         2 14
         1 74
         1 70
         1 65
         1 41
         1 26
         1 25
         1 20
         1 17
         1 16

What is pretty interesting is that one host
    md080081101018cl.neo-sky.com:80.81.101.18
first attacked in single connects with changing sender addresses
    <offer..@aol.com>
and different target domains for about 3 hours, then it switched to
a 74-message bulk inject to addresses [a-m]*@ at one single domain
from the sender address <offereo@aol.com>, and 5 minutes later it fell
back to single connects (that still continue).

Hope this is kinda what you are looking for.

As a conclusion I'd say that, due to the fact that 79.52% of the emails
already came in single-recipient connections, limiting SMTP conversations
to single recipients would
a) have minimal impact on the mail structure of the Internet
b) have minimal impact on the success of spammers

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
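As an added example (not the poster's own script), the tally described in the post done in Python over constructed, simplified log lines: RCPT TO commands are counted per connection id, the two-column distribution is built, policy-rejected connections can be excluded as in the "clean" table, the share of RCPTs arriving in single-recipient connections (the ratio behind the 79.52% figure) is computed, and connections over a recipients-per-connection cap are listed. The log format, connection ids and addresses are constructed and do not follow any particular MTA.

```python
"""Recipients-per-connection tally of an SMTP log.  Added example, not the
poster's script: the log format (one line per event, keyed by a connection
id) is constructed, not a real MTA's maillog format."""
import re
from collections import Counter

# Constructed log: "<conn-id> <event> <detail>".  RCPT is one RCPT TO
# command; REJECT marks a policy rejection (e.g. a DNSBL listing).
SAMPLE_LOG = """\
c1 RCPT alice@example.org
c2 RCPT bob@example.org
c2 RCPT carol@example.org
c2 RCPT dave@example.org
c3 REJECT dnsbl
c3 RCPT eve@example.org
c4 RCPT frank@example.org
"""

LINE_RE = re.compile(r"^(?P<conn>\S+) (?P<event>RCPT|REJECT) (?P<detail>.*)$")

def parse_log(text):
    """Return (rcpts, rejected): RCPT TO count per connection id, and the
    set of connection ids that hit a policy rejection."""
    rcpts, rejected = Counter(), set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines outside the constructed format
        conn, event = m.group("conn"), m.group("event")
        if event == "RCPT":
            rcpts[conn] += 1
        elif event == "REJECT":
            rejected.add(conn)
    return rcpts, rejected

def distribution(rcpts, exclude=frozenset()):
    """{recipients per connection: number of connections}, i.e. the two-column
    tally of the post; pass the rejected set to get the 'clean' variant."""
    return Counter(n for conn, n in rcpts.items() if conn not in exclude)

def single_recipient_share(dist):
    """Fraction of all RCPT TO commands that arrived in single-recipient
    connections (the post's 79.52% is this ratio on its full distribution)."""
    total_rcpts = sum(n * conns for n, conns in dist.items())
    return dist.get(1, 0) / total_rcpts if total_rcpts else 0.0

def over_limit(rcpts, limit):
    """Connection ids a recipients-per-connection cap of `limit` would affect."""
    return {conn for conn, n in rcpts.items() if n > limit}
```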
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg