[nsp-sec] A mystery - Where did the spam go?
Joel Rosenblatt
joel at columbia.edu
Mon Feb 25 11:52:59 EST 2008
Hi,
I may have mentioned this before, but we typically get between 2 and 3 million bounce messages a day to jra54449 at cs.columbia.edu - an ID that has never existed
at Columbia.
Over the last 20 days, the number of messages went from 2 million+ down to 13,354 and then back up to 1.1 million.
Looks like a smooth curve - very strange.
The raw data is attached. Can anyone correlate this with some other events going on over the last 20 days?
Regards,
Joel Rosenblatt
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/25
2,906,107 spam and other junk came from 310,768 unique IP addresses
(about 9 messages per host).
1,559,715 spam messages came from 207,884 unique IP addresses
(about 7 messages per host).
Of the 1,346,392 other junk,
1,159,373 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/24
2,999,846 spam and other junk came from 283,853 unique IP addresses
(about 10 messages per host).
1,471,387 spam messages came from 181,247 unique IP addresses
(about 8 messages per host).
Of the 1,528,459 other junk,
1,122,095 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/23
2,420,783 spam and other junk came from 310,464 unique IP addresses
(about 7 messages per host).
1,328,820 spam messages came from 204,425 unique IP addresses
(about 6 messages per host).
Of the 1,091,963 other junk,
808,994 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/22
1,884,703 spam and other junk came from 306,927 unique IP addresses
(about 6 messages per host).
1,444,464 spam messages came from 233,545 unique IP addresses
(about 6 messages per host).
Of the 440,239 other junk,
13,354 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/21
1,769,898 spam and other junk came from 306,127 unique IP addresses
(about 5 messages per host).
1,383,499 spam messages came from 231,439 unique IP addresses
(about 5 messages per host).
Of the 386,399 other junk,
15,719 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/20
1,710,441 spam and other junk came from 297,067 unique IP addresses
(about 5 messages per host).
1,355,004 spam messages came from 225,857 unique IP addresses
(about 5 messages per host).
Of the 355,437 other junk,
20,244 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/19
1,735,368 spam and other junk came from 281,528 unique IP addresses
(about 6 messages per host).
1,367,421 spam messages came from 221,424 unique IP addresses
(about 6 messages per host).
Of the 367,947 other junk,
28,097 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/18
1,265,875 spam and other junk came from 244,449 unique IP addresses
(about 5 messages per host).
1,001,064 spam messages came from 189,312 unique IP addresses
(about 5 messages per host).
Of the 264,811 other junk,
40,049 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/17
1,286,648 spam and other junk came from 260,175 unique IP addresses
(about 4 messages per host).
982,048 spam messages came from 193,182 unique IP addresses
(about 5 messages per host).
Of the 304,600 other junk,
48,024 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/16
1,378,846 spam and other junk came from 267,850 unique IP addresses
(about 5 messages per host).
1,009,491 spam messages came from 201,554 unique IP addresses
(about 5 messages per host).
Of the 369,355 other junk,
66,355 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/15
1,663,446 spam and other junk came from 283,030 unique IP addresses
(about 5 messages per host).
1,185,536 spam messages came from 213,651 unique IP addresses
(about 5 messages per host).
Of the 477,910 other junk,
79,870 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/14
1,567,988 spam and other junk came from 289,094 unique IP addresses
(about 5 messages per host).
1,156,018 spam messages came from 220,738 unique IP addresses
(about 5 messages per host).
Of the 411,970 other junk,
103,643 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/13
1,635,305 spam and other junk came from 307,324 unique IP addresses
(about 5 messages per host).
1,129,189 spam messages came from 228,175 unique IP addresses
(about 4 messages per host).
Of the 506,116 other junk,
125,592 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/12
1,987,493 spam and other junk came from 310,297 unique IP addresses
(about 6 messages per host).
1,081,153 spam messages came from 209,488 unique IP addresses
(about 5 messages per host).
Of the 906,340 other junk,
626,920 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/11
3,494,689 spam and other junk came from 362,917 unique IP addresses
(about 9 messages per host).
1,032,101 spam messages came from 212,579 unique IP addresses
(about 4 messages per host).
Of the 2,462,588 other junk,
2,221,177 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/10
2,845,870 spam and other junk came from 333,139 unique IP addresses
(about 8 messages per host).
1,071,179 spam messages came from 199,087 unique IP addresses
(about 5 messages per host).
Of the 1,774,691 other junk,
1,481,728 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/9
3,788,417 spam and other junk came from 385,627 unique IP addresses
(about 9 messages per host).
1,103,195 spam messages came from 218,319 unique IP addresses
(about 5 messages per host).
Of the 2,685,222 other junk,
2,404,150 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/8
3,365,998 spam and other junk came from 353,895 unique IP addresses
(about 9 messages per host).
1,006,467 spam messages came from 202,634 unique IP addresses
(about 4 messages per host).
Of the 2,359,531 other junk,
2,134,948 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/7
3,434,525 spam and other junk came from 328,424 unique IP addresses
(about 10 messages per host).
962,887 spam messages came from 187,854 unique IP addresses
(about 5 messages per host).
Of the 2,471,638 other junk,
2,281,857 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/6
3,365,600 spam and other junk came from 320,483 unique IP addresses
(about 10 messages per host).
1,131,277 spam messages came from 189,093 unique IP addresses
(about 5 messages per host).
Of the 2,234,323 other junk,
2,039,194 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
--------------------------------------------------
WHERE SPAM AND OTHER JUNK CAME FROM - 2/5
3,027,266 spam and other junk came from 314,837 unique IP addresses
(about 9 messages per host).
1,040,211 spam messages came from 185,441 unique IP addresses
(about 5 messages per host).
Of the 1,987,055 other junk,
1,766,979 were bounces to jra54449 at cs.columbia.edu, an address
that has never existed (most count as "null to invalid rcpt").
--------------------------------------------------
More information about the nsp-security
mailing list