Decrease in SMTP activity?

[Telarin]

Has anyone else noticed a marked decrease in SMTP traffic this week? I have my server set up as a 120s tarpit, so I typically have between 50-70 active inbound SMTP connections at any given time with peaks around 120-150. This week, I have averaged between 10-20 at a time, rarely peaking around 30-40 inbound simultaneous connections. Anyone else noticed this decrease, or am I just lucky?

[Farelf]

With your "sampling rates" it would have to be more than luck? As an ordinary addressee I haven't noticed anything out of the ordinary. Unfortunately, because of the (multiple) filter and reject thing, I have no idea what the actual volume of "attempts" might be. Volumes after filtering seem to have been (subjectively) showing just normal ups and downs. Hope someone with some decent data responds - it would be unusual in the extreme (though not impossible of course) if there was an actual broad-scale decrease in the absence of any major network problems.

[Telarin]

My sampling rates are based on actual inbound SMTP connections, so filter rates would not affect them at all since even filtered addesses still make an SMTP connection. I've noticed the change since Monday following the Thanksgiving weekend, and it is still very low today, Wednesday. None of my users have reported missing any anticipated emails, and no customers have complained about not being able to send emails to any of my users, so I don't suspect network problems.

We have a proactively monitored direct fiber connection, so usually my ISP calls me if there is a problem before I even notice it. Legitimate email only makes about 2-3% of my normal inbound connections (sad isn't it), so a change in my regular mail volume due to the holiday shouldn't affect total connections either. I will continue to monitor and post again if there are any change. If there are any other mail server admins out there that have noticed a change in connection volume (or lack of one), I'd love to hear one way or another.

[agsteele]

Has anyone else noticed a marked decrease in SMTP traffic this week? I have my server set up as a 120s tarpit, so I typically have between 50-70 active inbound SMTP connections at any given time with peaks around 120-150. This week, I have averaged between 10-20 at a time, rarely peaking around 30-40 inbound simultaneous connections. Anyone else noticed this decrease, or am I just lucky?

36951[/snapback]

You'd have to know what has been going on further down the line from you to know whether you're just lucky, something has happened outside your control to reduce the connections or whether this is trend.

Can you shed any further light?

Andrew

[Telarin]

Still no indication that there have been any upstream problems causing the decrease in connections. No complaints from any users or customers about being unable to send or receive emails (I have VERY vocal users, I would know if there was a problem with mail delivery). My SMTP traffic has increased over the last couple days back up to around 25-40 simultaneous inbound connections, but still not back into the range that I have observed for many many months. Still get my regular spikes around 1:00 AM- 3:00 AM where I have logged inbound traffic as high as 500 - 600 connections (gotta love spammers, sure glad none of it gets through). I guess noone else has observed a similar trend, so I must just have gotten a week off the spammers lists or something. Maybe all my spam reporting has gotten me listed as a trouble domain and gotten it taken off the lists (wishful thinking here). I'll let you know if anything changes, or if I find out anymore info.

[turetzsr]

Still no indication that there have been any upstream problems causing the decrease in connections. No complaints from any users or customers about being unable to send or receive emails

<snip>

37067[/snapback]

...Taking the risk of plunging into depths with which I have little knowledge: perhaps it's not an upstream *problem* but rather an upstream *enhancement* that is filtering known spam sources for you? Wouldn't that be a dream situation? <g>

[Telarin]

No, we have a direct internet connection, there is no port filtering, blocking, or firewalling provided for us. We run our own mail servers, so there is no opportunity for someone else to filter my mail for me, its all done in-house.

[turetzsr]

No, we have a direct internet connection, there is no port filtering, blocking, or firewalling provided for us. We run our own mail servers, so there is no opportunity for someone else to filter my mail for me, its all done in-house.

37070[/snapback]

...Feel free to ridicule me for my ignorance <g> but don't e-mail messages get sent from originating server to intermediate servers (through routers and switches, which can do filtering) to destination (your) server via IP packets, and thus be subject to filtering of which you are not aware?

[Telarin]

Nope, typical mail flow is from originating server to destination server. In some instances, it may be routed through an intermediate server on the sending side depening on the senders relationship with their ISP, whether or not they are using a smarthost, or direct sending, etc. However, generally the sending SMTP server creates a connection to port 25 on the destination SMTP server, and transfers the message directly.

[agsteele]

...Feel free to ridicule me for my ignorance

37071[/snapback]

Hi Steve T!

I was tempted but for only the briefest of moments

Andrew

[Telarin]

Nah, about the only time I will ridicule someone is if they are rude, and actively argue about something that they clearly know nothing about. Someone that even shows the slightest indication that they want to learn will generally get the best answer that I can provide and that time will allow

[turetzsr]

Nah, about the only time I will ridicule someone is if they are rude, and actively argue about something that they clearly know nothing about.

37074[/snapback]

...Glad you didn't find me rude but I certainly qualify for ridicule (no fair suppressing your inclination, Andrew! <g>) on the second count! <g>

Someone that even shows the slightest indication that they want to learn will generally get the best answer that I can provide and that time will allow

37074[/snapback]

...Thanks for your patient and very clear explanation!

[lcusdtech]

Nope, typical mail flow is from originating server to destination server. In some instances, it may be routed through an intermediate server on the sending side depening on the senders relationship with their ISP, whether or not they are using a smarthost, or direct sending, etc. However, generally the sending SMTP server creates a connection to port 25 on the destination SMTP server, and transfers the message directly.

37072[/snapback]

Even though this is true, an upstream router from you could be doing filtering. The IP packets still have to travel from router to router to get from the source to the destination. (the destination in this case being your SMTP server) So turetzsr is not completely ignorant. (in this case I don't have as mush restaint as Andrew)

[Telarin]

Even though this is true, an upstream router from you could be doing filtering.  The IP packets still have to travel from router to router to get from the source to the destination. (the destination in this case being your SMTP server)  So turetzsr is not completely ignorant. (in this case I don't have as mush restaint as Andrew)

37083[/snapback]

I suppose that packet filtering is theoretically possible. However this would be a major violation of my QoS agreement with my provider, as it would constitute failure to deliver packets addressed for my IP addresses, so I very seriously doubt this is what is happening.

[lcusdtech]

I suppose that packet filtering is theoretically possible. However this would be a major violation of my QoS agreement with my provider, as it would constitute failure to deliver packets addressed for my IP addresses, so I very seriously doubt this is what is happening.

37202[/snapback]

It's worth asking them the question. I'm not saying it is happening, just that it's possible.

[turetzsr]

I suppose that packet filtering is theoretically possible. However this would be a major violation of my QoS agreement with my provider, as it would constitute failure to deliver packets addressed for my IP addresses, so I very seriously doubt this is what is happening.

It's worth asking them the question. I'm not saying it is happening, just that it's possible.

37247[/snapback]

...Or might it be happening upstream of your immediate provider, unbeknownst to them and, therefore, not knowingly in violation of your QoS agreement?

[Farelf]

Numbers still reduced? Wouldn't seem to tie in with TOC monitoring, as a general index of traffic patterns. Maybe something there to get a handle on whatever it is that is happening? http://www.ironport.com/toc/index.html

[Telarin]

Numbers still reduced?  Wouldn't seem to tie in with TOC monitoring, as a general index of traffic patterns.  Maybe something there to get a handle on whatever it is that is happening? http://www.ironport.com/toc/index.html

37339[/snapback]

Yep, still seeing somewhat reduced numbers from my norm. Though they have come back up somewhat.