Wandering Thoughts: Recent Entries For 2006/09/30

Weekly spam summary on September 30th, 2006

This week, we:

• got 15,751 messages from 307 different IP addresses.
• handled 19,911 sessions from 1,047 different IP addresses.
• received 154,477 connections from at least 38,870 different IP addresses.
• hit a highwater of 9 connections being checked at once.

This is all about the same level as last week, or at most down a little bit. Oddly, we show a bit of a volume jump towards the end of the week:

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          56881   2958K
212.130.19.148         6818    347K
193.252.22.158         4744    285K
195.130.132.54         3380    203K
213.129.201.64         3189    153K
86.7.241.201           3188    153K
80.51.32.242           3132    188K
194.165.146.156        2988    143K
218.0.0.0/11           2897    141K
213.180.130.35         2742    165K

Apart from first place, this is about the same sort of volume as last week.

• 213.4.149.12 continues its stranglehold on first place from last week.
• 212.130.19.148, 193.252.22.158, and 80.51.32.242 also return from last week.
• 195.130.132.54 did the now-usual thing of trying to keep sending us stuff that had already hit our spamtraps.
• 213.129.201.64 reappears from August, still with a bad HELO greeting.
• 86.7.241.201 is an NTL cablemodem.
• 194.165.146.156 is a 'Wanadoo Jordan' IP address with no reverse DNS (and also is in relays.ordb.org).
• 213.180.130.35 is a poczta.onet.pl machine, and we don't talk to them.

Connection time rejection stats:

  34465 total
  17779 dynamic IP
  13422 bad or no reverse DNS
   1868 class bl-cbl
    403 class bl-dsbl
    215 class bl-sdul
    153 class bl-njabl
    130 class bl-spews
     45 class bl-ordb
     23 cuttingedgemedia.com
     16 class bl-sbl

Twelve out of the top 30 most rejected IP addresses were rejected 100 times or more, with the champion being 72.66.49.214 (196 times, for being a Verizon dynamic IP). 18 of the top 30 are currently in the CBL, and 9 are currently in bl.spamcop.net; this week, none are in the SBL.

This week's Hotmail stats are reasonably good:

• 9 messages accepted.
• no messages rejected because they came from non-Hotmail email addresses.
• 28 messages sent to our spamtraps.
• no messages refused because their sender addresses had already hit our spamtraps.
• no messages refused due to their origin IP address.

Seven of the accepted messages were legitimate, but the remaining two were advance fee fraud spam (sent from 219.95.240.138, a Malaysian IP address that's probably a tm.net.my ADSL line).

(The high number of actual messages is due to the usual cause: a student-facing system had a glitch and students promptly mailed in to tell people about it.)

And the final numbers:

I'm not really happy to see these numbers climbing, but at least they're not really bad; it's still in at the drip drip level, instead of a flood. There are no particularly big spike sources of either, although the largest single source of bounces appears to have been a spammer trying a new trick to get their messages through.

The bounces were all over, including bounces to E7D6 and 3E4B like last week, but the majority were to made-up usernames of the form <first>_<last>, where the first and last names looked like randomly chosen female-sounding Russian names; a representative example is 'violetta_mironova'.