Weekly spam summary on May 20th, 2006
This week we:
- got 12,292 messages from 221 different IP addresses.
- handled 16,875 sessions from 807 different IP addresses.
- received 125,999 connections from at least 41,642 different IP
- hit a highwater of 11 connections being checked at once.
Nothing went wrong this week, thank goodness; no reboots, no SMTP
frontend restarts, nothing.
Weekly volume seems to be back to the normal level when things are
quiet; there's no sign of last week's Sunday
spike. The per-day statistics are sufficiently boring and flat (peaking
at 20,000 connections on Wednesday) that I'm not going to put them in.
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
220.127.116.11         11876    570K
18.104.22.168           4672    224K
22.214.171.124/24       4390    219K
126.96.36.199/10        3781    190K
188.8.131.52            2925    149K
184.108.40.206/11       2583    131K
220.127.116.11/11       2449    122K
18.104.22.168/12        2069    104K
22.214.171.124          2027   94761
126.96.36.199/13        1909   94116
This is very similar to last week's numbers, down to the first
- 188.8.131.52 returns from last week.
- 184.108.40.206 is on the DSBL.
- 220.127.116.11 and 18.104.22.168 are both 'dialup' machines as far as
we can tell from their generic DNS names.
Connection time rejection stats:
17407 dynamic IP
14992 bad or no reverse DNS
2390 class bl-cbl
278 class bl-dsbl
135 class bl-sdul
81 class bl-njabl
69 class bl-sbl
63 class bl-ordb
Out of curiosity, I took a look at the SBL rejections; the results
are kind of depressing. The 69 rejections were of 13 different IP
addresses; only two IP addresses (5 rejections total) were not
listed for being advance fee fraud sources.
Twelve out of the top 30 most rejected IP addresses were rejected more
than 100 times; the top rejection source was our friend 22.214.171.124
(497 times before it was re-blocked at the kernel level). 26 of the top
30 most rejected IP addresses are currently in the CBL; six of them are
Hotmail is backsliding; perhaps I should be surprised. This week's
- 1 message accepted, which was spam (I know, because I got it).
- 1 message rejected because it came from a non-Hotmail email
- 10 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit
- 1 message refused due to its origin IP address being in the CBL.
The last set of numbers:
||# this week
||# last week
Oh well, so much for not getting very many bounces. (I suppose
this still qualifies by other people's standards.) As with last
week, (just) over half the bad HELOs came from 126.96.36.199/24,
btconnect.com's outgoing SMTP server pool. The odds of this changing
any time soon seem low.