The day after the InternetX-DDoS

It seems to be an intersting time for the spam-gangs these weeks. On Tuesday, 2008-11-11, the webhoster McColo was disconnected from the internet because he hosted master server of spam bot nets. As a result of this spam rates worldwide dropped to about 50%. Then last week on Friday, 2008-11-21, the german hoster InternetX was attacked by a DDoS against their DNS servers. And this time spam rates dropped again remarkably. I doubt that this had a worldwide effect, but at least my monthly mailgraph looks amazing now.

Hardly any spam during InternetX-DDoS
Hardly any spam during InternetX-DDoS

I don’t think I have to comment on the graph. It’s quite easy to see what happened. But unfortunately the spam starts to rise again since the DDoS stopped the weekend.

Just one question remains: Why exactly was there so few spam during this DDoS?

  • Were the remaining bot nets busy with flooding InternetX and had no bandwith to send advertising?
  • Does InternetX provide service in any way for the spammers, and therefore the DDoS blocked them as well?
  • Do big parts of the spam delivery rely on DNS servers of InternetX and was therefore blocked as well?


On Tuesday night the amount of spam delivered to my server dropped to about the half of the former average. My mailserver was still doing well as there were still eMails coming in. But some hours after my discovery I found the explaination in an article of the famous german online and print IT publisher heise.

The two main ISPs of the American hoster McColo pulled the plug of his internet connection. Based in California McColo supposably gave refuge for master servers of several spam bot nets. The Washington Post covered this story as well. According to IronPort, spam levels fell by 66% in this night.

It’s a pity for all reputable customers of McColo’s – sorry, but I welcome this action. I hope you’ll quickly find a new hoster.

Some months ago I set up mailgraph on my server. Mailgraph is nice mail log analyser and visualiser. It watches Postfix or Sendmail log files and creates daily, weekly, monthly and yearly graphs. I regularly check these graphs. So I discovered the unusual low mail reject rates Tuesday night already. And even days later the spam levels stay at that level. Here is my weekly graph two days after McColo went offline:

Mailgraph two days after McColo's internet connection was cut
Mailgraph two days later

But I wanted to have my own numbers. So I quickly did some calculations and compared the first McColo-offline-day (Wednesday) numbers with the former average:

  • overall connections to my mailserver dropped to 48%
  • overall rejects as well are at 48%
  • rejects because of invalid helo hostname even are at 44%
  • mail rejects from known spam sources are down to 38%
  • rejects because of invalid recipient fell to 50%

Now it even got more interesting monitoring the statistics to find out when the spam rates start to rise again. Somehow I doubt that the bot net creators will fail to even get parts of their system back under control.