McColo and SPAM

Paul Kelly :: Blacknight paul at blacknight.com
Sat Dec 6 18:24:25 UTC 2008


The reason for that is our legit e-mail traffic pattern I guess. We probably see the same level of spam 24/7 but from 8am to 8pm GMT we'd get a lot of legit traffic from the few 100k pop3/imap/smtp users we have and as such you'd see the peaks and troughs caused by their usage.

Primarily they'd be Irish, but we'd have 10% or so in the UK/Rest of Europe as well, so they'd fit in with the 8-8 peaks.

Paul

Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers 
IP Transit Services
Tel: +353 (0) 59 9183072
Lo-call: 1850 929 929
DDI: +353 (0) 59 9183091

e-mail: paul at blacknight.ie
web: http://www.blacknight.ie

Blacknight Internet Solutions Ltd,
Unit 12A,Barrowside Business Park,
Sleaty Road,
Graiguecullen,
Carlow,
Ireland

Company No.: 370845
 

> -----Original Message-----
> From: Neil [mailto:kngspook at gmail.com] 
> Sent: Saturday, December 06, 2008 1:33 PM
> To: Paul Kelly :: Blacknight
> Cc: Frank Bulk; 'Peter Serwe'; Skywing; nanog at nanog.org
> Subject: Re: McColo and SPAM
> 
> What's very interesting to me is the very rhythmic peaks-and-valleys  
> you show...  Seems to go up every day, down during the night;  
> gradually rising mon-wed, slight drops thurs-fri, and then big drop  
> sat, lower drop sun, and then jumps back on monday.
> 
> On 6 Dec 2008, at 02:10, Paul Kelly :: Blacknight wrote:
> 
> > We saw a dramatic decrease. Attached is our dnsbl mirror in .ie, it
> > mirrors spamhaus amongst other things.
> >
> > The numbers are in 1000s of 1000s per 5 minute window. (so 2500k =  
> > 2.5m)
> >
> > You can see a dramatic decrease that corresponds with them going  
> > offline and then the spam level gradually coming back, but it's  
> > certainly not back full tilt yet.
> >
> > Paul
> >
> > ________________________________________
> > From: Frank Bulk [frnkblk at iname.com]
> > Sent: 06 December 2008 03:33
> > To: 'Peter Serwe'; Skywing
> > Cc: nanog at nanog.org
> > Subject: RE: McColo and SPAM
> >
> > We experienced exactly no decrease with the McColo shut down a few weeks
> > back, even though we receive 2M+ messages per day.  It's interesting that
> > each service provider's spam populations are as different as they are.  Some
> > experienced gigantic decreases, others didn't.  And it's not like we have
> > just one domain.
> >
> > I know MessageLabs examines spam rates per industry type.
> >
> > Frank
> >
> > -----Original Message-----
> > From: Peter Serwe [mailto:peter.serwe at gmail.com]
> > Sent: Friday, December 05, 2008 2:57 PM
> > To: Skywing
> > Cc: nanog at nanog.org
> > Subject: Re: McColo and SPAM
> >
> > Certainly, I have seen a perceptual, yet completely subjective  
> > increase.
> >
> > I know major operators who have claimed to see a gigantic decrease.
> >
> > Peter
> >
> > On Fri, Dec 5, 2008 at 12:51 PM, Skywing <Skywing at valhallalegends.com>
> > wrote:
> >> McColo hosted the command and control servers for spam botnets and
> >> didn't originate spam directly, at least primarily, according to my
> >> understanding.
> >>
> >> - S
> >>
> >> -----Original Message-----
> >> From: Peter Serwe [mailto:peter.serwe at gmail.com]
> >> Sent: Friday, December 05, 2008 3:49 PM
> >> To: nanog at nanog.org
> >> Subject: Re: McColo and SPAM
> >>
> >> On Fri, Dec 5, 2008 at 11:34 AM,  <nanog-request at nanog.org> wrote:
> >>
> >>> Message: 1
> >>> Date: Fri, 05 Dec 2008 20:14:08 +0100
> >>> From: Revolver Onslaught <revolver.onslaught at gmail.com>
> >>> Subject: McColo and SPAM
> >>> To: nanog <nanog at merit.edu>
> >>> Message-ID: <49397D80.701 at gmail.com>
> >>> Content-Type: text/plain; charset=ISO-8859-1
> >>>
> >>> Hello,
> >>>
> >>> Since McColo closed, we noticed the spam was far more intensive than
> >>> before.
> >>>
> >>> However, it seems the amount of spam is similar to before.
> >>>
> >>> Do you feel the same ?
> >>>
> >>> Many thanks,
> >>> RO
> >>
> >> It would seem that the sources of SPAM have merely moved since McColo
> >> was shut down and it's going to
> >> take some time for everyone's blackhole routes and RBLs to catch up.
> >> I have personally noticed a higher
> >> delivered spam content in my own email accounts.
> >>
> >> Peter
> >>
> >>
> >> --
> >> ピーター
> >>
> >>
> >
> >
> >
> > --
> > ピーター
> >
> >
> > <aggregate-month.png>
> 

