One spam accounting for ~80% of all traffic tonight

Have you received spam with subjects like

  • Tjana pengar pa ett socialt ansvarstagande arbete
  • Skapa ett battre liv for dina medmanniskor och tjana pengar pa det
  • Vi erbjuder dig ett arbete pa fritiden, lon fran 90 EUR i timman
  • Fa 90 EUR kontant i handen for den forsta timmens arbete inom tre dagar

you’re certainly not alone (and not using our spam filters). At about 7 pm yesterday (Swedish time) someone thought it would be a good idea to send a massive burst of spam. It seems that for many of our customers, that single spam outbreak accounted for as much as 70-90% of the total traffic. It seems that all of them used “yahoo.nl” as sender domain, which (unsurprisingly) doesn’t use SPF.

Fortunately, the combination of Commtouch’s RPD and our own (Halon) outbreak signatures was able to block it entirely, from 6 pm.

We can see that a lot of this was also blocked at IP level. The “normal” amount of IP blocks is almost invisible in the graphs, compared to the spam outbreak. I’ve removed the axis of the graphs, but let me tell you this. One of our customers, which is a large hosting provider, blocked more than 4 million of those per hour. That sure is a pretty persistent spammer.