Weekly spam summary on May 13th, 2006
May 14, 2006
Unfortunately, the SMTP frontend died shortly after midnight on Tuesday morning, so some of the connection statistics are missing about 2.6 days. Given that, this week we:
At the Monday morning volume timestamp, we had received 210,731 connections from at least 7,733 different IP addresses; from this I suspect that that spam storm from Saturday of last week continued full-bore on last Sunday.
Kernel level packet filtering top ten:
  Host/Mask            Packets   Bytes
  126.96.36.199          13422    644K
  188.8.131.52/24         6112    305K
  184.108.40.206          4554    273K
  220.127.116.11/10       3484    173K
  18.104.22.168           3397    163K
  22.214.171.124/13       3047    151K
  126.96.36.199/11        2692    137K
  188.8.131.52/11         2358    118K
  184.108.40.206          2309    117K
  220.127.116.11          2132   99671
Overall, this is a bit more active than last week, but it's mostly driven up by a few people; there seems to have been no overall volume surge.
Connection time rejection stats:
  40201 total
  19942 dynamic IP
  16960 bad or no reverse DNS
   2033 class bl-cbl
    233 class bl-spews
    119 class bl-sdul
    118 class bl-dsbl
     83 class bl-sbl
     49 class bl-ordb
     19 class bl-njabl
      3 class bl-opm
Although this looks down from last week, the details make Sunday's
spam storm pop out. All 30 of the top 30 most rejected IP addresses
were rejected more than 100 times; the most active one was our friend
18.104.22.168, with 619. 27 of the top 30 are currently in the CBL, 4
are currently in
SBL39408 is one of those depressing SBL listings; it is for 22.214.171.124/15, which belongs to Vietnam Posts and Telecommunications Corp (VNN.VN). Created April 10th 2006, the two /16 halves of it are apparently the current worst and second worst /16 spam source networks on the Internet. Somehow I suspect that they are going to retain that status for a while.
Hotmail is doing much better this week:
I'm willing to tentatively declare that Hotmail has fixed their problem. Besides, as far as I can tell the problem free webmail provider is now Yahoo; I am getting significant advance fee fraud spam through Yahoo from a spam gang that they haven't stopped. (The situation is bad enough that I have started blocking non-US Yahoo operations as they spam us.)
The final numbers:
More than half (244 out of 448) of the bad