Weekly spam summary on September 17th, 2005
It's Saturday evening again, so it's time for the weekly spam roundup.
This week we received 12,500 email messages from 221 different IP addresses. This is about a typical email volume (perhaps a bit down) and a typical number of distinct IP addresses that we accept email from. (Most of the traffic comes from a few mailing lists and the campus email system.)
Our SMTP server handled 49,600 actual sessions from 5,200 different IP addresses. If you think this is a bad ratio of sessions to real email, just wait; it gets worse.
Overall connections are down from last week: 219,000 connections from at least 32,600 different IP addresses. The high-water mark for the number of simultaneous connections being checked was up again, hitting 39 at some point this time.
Top 10 sources of incoming packets to our SMTP port that the kernel is configured to just drop on the floor:
    Host/Mask            Packets   Bytes
    126.96.36.199/24       10639    552K
    188.8.131.52            9919    452K
    184.108.40.206/24       5251    243K
    220.127.116.11          4834    213K
    18.104.22.168           4800    230K
    22.214.171.124          4704    232K
    126.96.36.199           4696    220K
    188.8.131.52            4510    216K
    184.108.40.206          4441    204K
    220.127.116.11          4439    191K
I believe that this is the first week that no large netblock has made the top-10 list. Only 18.104.22.168 (mx.terra.es) is a repeat appearance; all the others are new. (The two /24s are repeats from last week too, but they don't count since they're now permanent entries in our kernel-level blocks.)
- 22.214.171.124 and 126.96.36.199 appear to be terra.es machines with bad reverse DNS. Since we've seen so much trouble from terra.es, we insist that any machines from their netblock at least have valid reverse DNS.
- 188.8.131.52 is a SPEWS-listed mail.uk.tiscali.com machine. Almost certainly we refused a lot of advance fee fraud email.
All the others HELO'd with unresolvable names often enough that we added them to the kernel-level filters for this week.
Connection-time rejection stats:
    23905 total
    11499 dynamic IP
     6234 bad or no reverse DNS
     1366 class bl-spews
     1365 class bl-cbl
      767 class bl-sbl
      760 class bl-dsbl
      417 reject sytebuilder.com
      351 class bl-ordb
      153 class bl-njabl
      116 class bl-opm
       43 class bl-sdul
All of the 'reject sytebuilder.com' rejections are of 184.108.40.206, aka members.networld.com; the two domains belong to the same people. sytebuilder.com spammed us sufficiently blatantly back in 2001 to have an entry on our permanent reject list, and apparently they woke up this week to try to send us a bunch more things.
HELOs and attempts to send bounces to nonexistent local users are up somewhat from last week. The figures:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
(Since I finally scripted this report too, you'll be seeing it more often.)