Thread: Mail server load
Marc, I'd be interested in seeing the updated stats for this bought of virus transmission we're going through. Yesterday you had almost 1 for 1 valid email. By then I think I was getting about 3-4 per valid email but since then it's sky rocketed and it looks more like 30+ per 1 valid message. I'd just be interested if that's the same others are seeing since I believe the virus picks up my email address from the messages sent to the lists. -- Nigel Andrews
So far today:
neptune# awk '{print $7}' /var/log/amavisd | sort | uniq -c
137 BAD
1732 BANNED
4435 INFECTED
6029 Passed,
On Wed, 20 Aug 2003, Nigel J. Andrews wrote:
>
>
> Marc, I'd be interested in seeing the updated stats for this bought of virus
> transmission we're going through.
>
> Yesterday you had almost 1 for 1 valid email. By then I think I was getting
> about 3-4 per valid email but since then it's sky rocketed and it looks more
> like 30+ per 1 valid message.
>
> I'd just be interested if that's the same others are seeing since I believe the
> virus picks up my email address from the messages sent to the lists.
>
> --
> Nigel Andrews
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/docs/faqs/FAQ.html
>
Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org
> So far today:
>
> neptune# awk '{print $7}' /var/log/amavisd | sort | uniq -c
> 137 BAD
> 1732 BANNED
> 4435 INFECTED
> 6029 Passed,
And still some make it through given some of the messages that are
reaching the list today ("That movie" or "My details"). :-(
---------------
Francois
Home page: http://www.monpetitcoin.com/
"Would Descartes have programmed in Pascal?" - Umberto Eco
On Wed, 20 Aug 2003, Francois Suter wrote:
> > So far today:
> >
> > neptune# awk '{print $7}' /var/log/amavisd | sort | uniq -c
> > 137 BAD
> > 1732 BANNED
> > 4435 INFECTED
> > 6029 Passed,
>
> And still some make it through given some of the messages that are
> reaching the list today ("That movie" or "My details"). :-(
Actually, unless I'm mistaken, none have made it through ... at least all
the ones with subject's like "That movie" that I've opened (thank god for
Unix) didn't actually have anything attached, at least as far as those
coming from the list have been concerned ...
For instance, one to -hackers that I just received with a subject of
"Details" was 3.2k ... based on my personal mailbox, if the virus was
actually attached, it would have been >100k in size ...
On 20/08/2003 08:18 Nigel J. Andrews wrote: > > > Marc, I'd be interested in seeing the updated stats for this bought of > virus > transmission we're going through. > > Yesterday you had almost 1 for 1 valid email. By then I think I was > getting > about 3-4 per valid email but since then it's sky rocketed and it looks > more > like 30+ per 1 valid message. > > I'd just be interested if that's the same others are seeing since I > believe the > virus picks up my email address from the messages sent to the lists. There's a few come thru the list to me and I had a few more yesterday as part of the daily spam. Like most people from the non-M$ world, this sort of thing just passes me by :) -- Paul Thomas +------------------------------+---------------------------------------------+ | Thomas Micro Systems Limited | Software Solutions for the Smaller Business | | Computer Consultants | http://www.thomas-micro-systems-ltd.co.uk | +------------------------------+---------------------------------------------+
On Wed, 20 Aug 2003, Paul Thomas wrote:
> There's a few come thru the list to me and I had a few more yesterday as
> part of the daily spam. Like most people from the non-M$ world, this sort
> of thing just passes me by :)
I'm looking into how to add a 'taboo subject' filter onto the mj2 lists
themselves ... right now, I have a personal filter on:
elsif anyof (header :contains ["Subject"] "Approved",
header :contains ["Subject"] "Thank you!",
header :contains ["Subject"] "That movie",
header :contains ["Subject"] "Your details",
header :contains ["Subject"] "Wicked screensaver") {
fileinto "INBOX.garbage";
}
I can't think of anyone using anything but *maybe* the Approved one in
their Subject, so there shouldn't be too many false positives ...
hopefully hear something from the mj2 guys relatively soon ...
On Wed, 2003-08-20 at 08:11, The Hermit Hacker wrote:
> On Wed, 20 Aug 2003, Paul Thomas wrote:
>
> > There's a few come thru the list to me and I had a few more yesterday as
> > part of the daily spam. Like most people from the non-M$ world, this sort
> > of thing just passes me by :)
>
> I'm looking into how to add a 'taboo subject' filter onto the mj2 lists
> themselves ... right now, I have a personal filter on:
>
> elsif anyof (header :contains ["Subject"] "Approved",
> header :contains ["Subject"] "Thank you!",
> header :contains ["Subject"] "That movie",
> header :contains ["Subject"] "Your details",
> header :contains ["Subject"] "Wicked screensaver") {
> fileinto "INBOX.garbage";
> }
>
> I can't think of anyone using anything but *maybe* the Approved one in
> their Subject, so there shouldn't be too many false positives ...
> hopefully hear something from the mj2 guys relatively soon ...
Little does Marc know that the guys from 20th Century Fox have just
scrapped their idea to do a "History of PostgreSQL" move after repeated
attempts to contact anyone on the mailing lists never got through ;-)
Robert Treat
--
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> Yesterday you had almost 1 for 1 valid email. By then I think I was getting
> about 3-4 per valid email but since then it's sky rocketed and it looks more
> like 30+ per 1 valid message.
FWIW, this is what I see in traffic to an address I've had to abandon
because of spam:
488 Aug 8
433 Aug 9
435 Aug 10
426 Aug 11
504 Aug 12
458 Aug 13
469 Aug 14
390 Aug 15
433 Aug 16
371 Aug 17
520 Aug 18
36473 Aug 19
35808 Aug 20
It's about 3pm local time here, so by midnight the stat for today will
probably be nearly double yesterday's total.
The spam traffic had been around 2K/day at the beginning of the year,
but tapered off to around 500 as you see above. This spike is ten times
the highest I've seen before. If I were actually downloading this crap,
and not rejecting it at the SMTP handshake, my DSL line would be
saturated :-(
regards, tom lane
16:00 ...
neptune# awk '{print $7}' /var/log/amavisd | sort | uniq -c
285 BAD
1807 BANNED
12289 INFECTED
11731 Passed,
5 SA
1 turned
Here's a normal day:
neptune# cat /var/log/amavisd.o | grep "Aug 17" | awk '{print $7}' | sort
| uniq -c
332 BAD
13 BANNED
938 INFECTED
3792 Passed,
On Wed, 20 Aug 2003, Tom Lane wrote:
> "Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> > Yesterday you had almost 1 for 1 valid email. By then I think I was getting
> > about 3-4 per valid email but since then it's sky rocketed and it looks more
> > like 30+ per 1 valid message.
>
> FWIW, this is what I see in traffic to an address I've had to abandon
> because of spam:
>
> 488 Aug 8
> 433 Aug 9
> 435 Aug 10
> 426 Aug 11
> 504 Aug 12
> 458 Aug 13
> 469 Aug 14
> 390 Aug 15
> 433 Aug 16
> 371 Aug 17
> 520 Aug 18
> 36473 Aug 19
> 35808 Aug 20
>
> It's about 3pm local time here, so by midnight the stat for today will
> probably be nearly double yesterday's total.
>
> The spam traffic had been around 2K/day at the beginning of the year,
> but tapered off to around 500 as you see above. This spike is ten times
> the highest I've seen before. If I were actually downloading this crap,
> and not rejecting it at the SMTP handshake, my DSL line would be
> saturated :-(
>
> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org
>
Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org
holy S**T!!
The Hermit Hacker wrote:
> 16:00 ...
>
> neptune# awk '{print $7}' /var/log/amavisd | sort | uniq -c
> 285 BAD
> 1807 BANNED
> 12289 INFECTED
> 11731 Passed,
> 5 SA
> 1 turned
>
> Here's a normal day:
>
> neptune# cat /var/log/amavisd.o | grep "Aug 17" | awk '{print $7}' | sort
> | uniq -c
> 332 BAD
> 13 BANNED
> 938 INFECTED
> 3792 Passed,
>
>
>
> On Wed, 20 Aug 2003, Tom Lane wrote:
>
>
>>"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
>>
>>>Yesterday you had almost 1 for 1 valid email. By then I think I was getting
>>>about 3-4 per valid email but since then it's sky rocketed and it looks more
>>>like 30+ per 1 valid message.
>>
>>FWIW, this is what I see in traffic to an address I've had to abandon
>>because of spam:
>>
>> 488 Aug 8
>> 433 Aug 9
>> 435 Aug 10
>> 426 Aug 11
>> 504 Aug 12
>> 458 Aug 13
>> 469 Aug 14
>> 390 Aug 15
>> 433 Aug 16
>> 371 Aug 17
>> 520 Aug 18
>>36473 Aug 19
>>35808 Aug 20
>>
>>It's about 3pm local time here, so by midnight the stat for today will
>>probably be nearly double yesterday's total.
>>
>>The spam traffic had been around 2K/day at the beginning of the year,
>>but tapered off to around 500 as you see above. This spike is ten times
>>the highest I've seen before. If I were actually downloading this crap,
>>and not rejecting it at the SMTP handshake, my DSL line would be
>>saturated :-(
>>
>> regards, tom lane
>>
>>---------------------------(end of broadcast)---------------------------
>>TIP 6: Have you searched our list archives?
>>
>> http://archives.postgresql.org
>>
>
>
> Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
> Systems Administrator @ hub.org
> primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org
>
> ---------------------------(end of broadcast)---------------------------
> TIP 9: the planner will ignore your desire to choose an index scan if your
> joining column's datatypes do not match
>
On Wed, 20 Aug 2003, Dennis Gearon wrote:
> holy S**T!!
Particularly the 'Passed' number. Now I'm not subscribed to all of the lists
but I am on -general, -hackers and a couple of others like -interfaces and yet
I would say that the volume of email I'm seeing from the lists is far lower
than normal _not_ more by a factor of 3-ish.
BTW, I wasn't suggesting the virus emails I get come through the lists, was
just refering to the harvesting of my email address by the virus.
[Tom's numbers are absolutely amazing. I seem to be up to around 60 per minute
now]
>
>
> The Hermit Hacker wrote:
>
> > 16:00 ...
> >
> > neptune# awk '{print $7}' /var/log/amavisd | sort | uniq -c
> > 285 BAD
> > 1807 BANNED
> > 12289 INFECTED
> > 11731 Passed,
> > 5 SA
> > 1 turned
> >
> > Here's a normal day:
> >
> > neptune# cat /var/log/amavisd.o | grep "Aug 17" | awk '{print $7}' | sort
> > | uniq -c
> > 332 BAD
> > 13 BANNED
> > 938 INFECTED
> > 3792 Passed,
> >
> >
> >
> > On Wed, 20 Aug 2003, Tom Lane wrote:
> >
> >
> >>"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> >>
> >>>Yesterday you had almost 1 for 1 valid email. By then I think I was getting
> >>>about 3-4 per valid email but since then it's sky rocketed and it looks more
> >>>like 30+ per 1 valid message.
> >>
> >>FWIW, this is what I see in traffic to an address I've had to abandon
> >>because of spam:
> >>
> >> 488 Aug 8
> >> 433 Aug 9
> >> 435 Aug 10
> >> 426 Aug 11
> >> 504 Aug 12
> >> 458 Aug 13
> >> 469 Aug 14
> >> 390 Aug 15
> >> 433 Aug 16
> >> 371 Aug 17
> >> 520 Aug 18
> >>36473 Aug 19
> >>35808 Aug 20
> >>
> >>It's about 3pm local time here, so by midnight the stat for today will
> >>probably be nearly double yesterday's total.
> >>
> >>The spam traffic had been around 2K/day at the beginning of the year,
> >>but tapered off to around 500 as you see above. This spike is ten times
> >>the highest I've seen before. If I were actually downloading this crap,
> >>and not rejecting it at the SMTP handshake, my DSL line would be
> >>saturated :-(
On Wed, 20 Aug 2003, Nigel J. Andrews wrote:
> On Wed, 20 Aug 2003, Dennis Gearon wrote:
>
> > holy S**T!!
>
> Particularly the 'Passed' number. Now I'm not subscribed to all of the lists
> but I am on -general, -hackers and a couple of others like -interfaces and yet
> I would say that the volume of email I'm seeing from the lists is far lower
> than normal _not_ more by a factor of 3-ish.
The # Passed is what amavisd passed through to majordomo2 ... majordomo2
then takes everything that amavisd marked as being spam and trashes those
... and then everything that is from ppl not subscribed to the lists has
to get approved by 'the moderator', which I'm currently going through ...
only 400 more to go, 399 of which are most likely stuff amavisd didn't
catch as spam *sigh*
Oh ... also consider that a *very* large portion of the messages that
Passed are also postmaster messages for messages bounced ... I have a
filter on my mail for that to put it into its own mailbox ... since Aug
18th, there have been 12622 messages delivered to that mailbox ... and
there is also all the subscribe/unsubscribe requests ... all of which
would have been Passed thorugh amavisd ...
>
> >
> >
> > The Hermit Hacker wrote:
> >
> > > 16:00 ...
> > >
> > > neptune# awk '{print $7}' /var/log/amavisd | sort | uniq -c
> > > 285 BAD
> > > 1807 BANNED
> > > 12289 INFECTED
> > > 11731 Passed,
> > > 5 SA
> > > 1 turned
> > >
> > > Here's a normal day:
> > >
> > > neptune# cat /var/log/amavisd.o | grep "Aug 17" | awk '{print $7}' | sort
> > > | uniq -c
> > > 332 BAD
> > > 13 BANNED
> > > 938 INFECTED
> > > 3792 Passed,
> > >
> > >
> > >
> > > On Wed, 20 Aug 2003, Tom Lane wrote:
> > >
> > >
> > >>"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> > >>
> > >>>Yesterday you had almost 1 for 1 valid email. By then I think I was getting
> > >>>about 3-4 per valid email but since then it's sky rocketed and it looks more
> > >>>like 30+ per 1 valid message.
> > >>
> > >>FWIW, this is what I see in traffic to an address I've had to abandon
> > >>because of spam:
> > >>
> > >> 488 Aug 8
> > >> 433 Aug 9
> > >> 435 Aug 10
> > >> 426 Aug 11
> > >> 504 Aug 12
> > >> 458 Aug 13
> > >> 469 Aug 14
> > >> 390 Aug 15
> > >> 433 Aug 16
> > >> 371 Aug 17
> > >> 520 Aug 18
> > >>36473 Aug 19
> > >>35808 Aug 20
> > >>
> > >>It's about 3pm local time here, so by midnight the stat for today will
> > >>probably be nearly double yesterday's total.
> > >>
> > >>The spam traffic had been around 2K/day at the beginning of the year,
> > >>but tapered off to around 500 as you see above. This spike is ten times
> > >>the highest I've seen before. If I were actually downloading this crap,
> > >>and not rejecting it at the SMTP handshake, my DSL line would be
> > >>saturated :-(
>
>
Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org