Effect of the McColo shutdown

A colleague here at LISA told me yesterday that he had observed approximately a 50% drop in traffic on his E-mail servers. Naturally, this was at first a cause for concern, but then he learned about the disconnection of McColo – a major botnet command and control hosting site in Northern California, USA. Its two upstream ISPs pulled the plug on Tuesday afternoon. See the story in the Washington Post.

Naturally, I experienced an immediate urge to check $employer’s anti-spam system for its observations of the situation.

We use Sophos E-mail appliances for our front-line spam filtering. The primary method they use for filtering spam is to download information on IP addresses that source Bad Stuff and simply drop incoming SMTP connections from those IP addresses. The first set of three graphs below shows what our appliance has recently done with incoming connections.

Pay attention to the scales on the graphs. The Tuesday graph shows the number of blocked connections (orange) hanging in the 25K to 50K per hour range, which was typical of a business day for us. On Tuesday afternoon, that rate dropped down to between 10K and 20K per hour and is still there as of when I’m writing this posting (with the exception of an overnight spike around 00:00 CST on Wednesday).

I apologize for the poor quality of Tuesday’s graph, which was grabbed via screenshot in lieu of saving the graphic directly to disk.







Obviously, this doesn’t do us much good if the spam simply starts coming from new IP addresses that we don’t yet know are evil, so we also need to look at what happened with messages that got into the appliance. The scales on the next graphs are closer to each other, so it’s easier to see that the delivered mail (orange) maintained its usual business-hours pattern on all three days. At the same time, dropped (blue) and quarantined (green) messages experienced a sharp decrease on Tuesday afternoon.







Naturally, the Bad Guys will find new places to house their infrastructure, but it’ll be a bit of a break for the rest of us for a little while.