Wandering Thoughts archives

2005-09-18

Weekly spam summary on September 17th, 2005

It's Saturday evening again, so it's time for the weekly spam roundup.

This week we received 12,500 email messages from 221 different IP addresses. This is about a typical email volume (perhaps a bit down) and a typical number of distinct IP addresses that we accept email from. (Most of the traffic comes from a few mailing lists and the campus email system.)

Our SMTP server handled 49,600 actual sessions from 5,200 different IP addresses. If you think this is a bad ratio of sessions to real email, just wait; it gets worse.

Overall connections are down from last week: 219,000 connections from at least 32,600 different IP addresses. The high water mark for the number of simultaneous connections being checked at once was up again, hitting 39 at some point this time.

Top 10 sources of incoming packets to our SMTP port that the kernel is configured to just drop on the floor:

Host/Mask           Packets   Bytes
212.216.176.0/24      10639    552K
213.4.149.69           9919    452K
218.102.53.0/24        5251    243K
213.4.149.11           4834    213K
208.177.19.78          4800    230K
212.74.114.23          4704    232K
208.47.242.106         4696    220K
209.69.82.111          4510    216K
63.85.50.194           4441    204K
213.4.129.132          4439    191K

I believe that this is the first week that no large netblock has made the top-10 list. Only 213.4.149.11 (mx.terra.es) is a repeat appearance; all the others are new. (The two /24s are repeats from last week too, but they don't count since they're now permanent entries in our kernel-level blocks.)

  • 213.4.149.69 and 213.4.129.132 appear to be terra.es machines with bad reverse DNS. Since we've seen so much trouble from terra.es, we insist that any machines from their netblock at least have valid reverse DNS.
  • 212.74.114.23 is a SPEWS-listed mail.uk.tiscali.com machine. Almost certainly we refused a lot of advance fee fraud email.

All the others HELO'd with unresolvable names often enough that we added them to the kernel-level filters for this week.

Connection-time rejection stats:

  23905 total
  11499 dynamic IP
   6234 bad or no reverse DNS
   1366 class bl-spews
   1365 class bl-cbl
    767 class bl-sbl
    760 class bl-dsbl
    417 reject sytebuilder.com
    351 class bl-ordb
    153 class bl-njabl
    116 class bl-opm
     43 class bl-sdul

After the jump last week, the SBL numbers have gone back to normal. The SPEWS numbers seem to be due to a lot of reasonably determined sources, instead of a few big ones.

All of the 'reject sytebuilder.com' rejections are of 209.63.232.103, aka members.networld.com; the two domains belong to the same people. sytebuilder.com spammed us sufficiently blatantly back in 2001 to have an entry on our permanent reject list, and apparently they woke up this week to try to send us a bunch more things.

Bad HELOs and attempts to send bounces to nonexistent local users are up somewhat from last week. The figures:

What          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs          20758 (1119)                 19091 (828)
Bad bounces         6226 (3020)                  5594 (2138)
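The connection-time rejection stats and the bad HELO / bad bounce table above are both per-reason counts with a distinct-IP figure attached. The following is an added example of how such a summary can be produced from rejection log lines; it is not the script behind the original post, which the page does not show. The syslog-style line format, the sample lines (RFC 5737 documentation addresses), the helper names and the `bl.example` zone are all constructed for illustration; only the rejection labels are taken from the post. Malformed lines and client fields that are not IP addresses are skipped rather than counted.

```python
"""Tally SMTP rejections the way the weekly summary reports them.

Added example, not the post's own script. The log format is constructed:
one syslog-style line per rejection,
    "Mon DD HH:MM:SS reject <client-ip> <reason>"
where <reason> is a connection-time reason ("dynamic IP",
"bad or no reverse DNS", "class bl-<list>", "reject <domain>"),
a bad HELO ("helo unresolvable <name>") or a bad bounce
("bounce to nonexistent local user <addr>").
"""
from collections import Counter, defaultdict
import ipaddress
import re

# Constructed sample lines; addresses are documentation ranges, not hosts
# from the post. The last two lines are deliberately malformed.
SAMPLE_LOG = """\
Sep 17 00:01:02 reject 203.0.113.5 dynamic IP
Sep 17 00:01:03 reject 203.0.113.6 bad or no reverse DNS
Sep 17 00:01:04 reject 203.0.113.5 dynamic IP
Sep 17 00:01:05 reject 192.0.2.10 class bl-spews
Sep 17 00:01:06 reject 192.0.2.11 class bl-cbl
Sep 17 00:01:07 reject 198.51.100.7 helo unresolvable mail.example.invalid
Sep 17 00:01:08 reject 198.51.100.7 helo unresolvable mail.example.invalid
Sep 17 00:01:09 reject 198.51.100.3 bounce to nonexistent local user nobody-here
Sep 17 00:01:10 reject 198.51.100.8 helo unresolvable xyzzy
Sep 17 00:01:11 reject 192.0.2.12 reject sytebuilder.com
Sep 17 00:01:12 reject not-an-ip dynamic IP
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d reject (\S+) (.+)$")

# Labels that the post tracks outside the connection-time rejection list.
NON_CONN_LABELS = {"Bad HELOs", "Bad bounces"}


def parse_line(line):
    """Return (ip, reason) for a well-formed rejection line, else None.

    The client field is validated as an IP address so that a garbled
    field cannot show up as a bogus 'distinct IP' in the tallies."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ip, reason = m.groups()
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return ip, reason.strip()


def bucket(reason):
    """Collapse HELO and bounce failures into their summary labels;
    every other reason is a connection-time label of its own."""
    if reason.startswith("helo unresolvable "):
        return "Bad HELOs"
    if reason.startswith("bounce to nonexistent local user "):
        return "Bad bounces"
    return reason


def summarize(log_text):
    """Return {label: (rejections, distinct client IPs)} over the log."""
    per_label = defaultdict(Counter)  # label -> Counter(ip -> hits)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a well-formed rejection line
        ip, reason = parsed
        per_label[bucket(reason)][ip] += 1
    return {label: (sum(c.values()), len(c)) for label, c in per_label.items()}


def connection_time_total(summary):
    """Total of the connection-time rejections (HELO/bounce excluded)."""
    return sum(n for label, (n, _) in summary.items()
               if label not in NON_CONN_LABELS)


def report(summary):
    """Render in the layout the post uses: a total, then reasons by count,
    then the HELO/bounce table with distinct-IP figures."""
    lines = [f"{connection_time_total(summary):7d} total"]
    conn = sorted(((n, label) for label, (n, _) in summary.items()
                   if label not in NON_CONN_LABELS), reverse=True)
    lines += [f"{n:7d} {label}" for n, label in conn]
    lines.append("")
    lines.append(f"{'What':<12} # (distinct IPs)")
    for label in ("Bad HELOs", "Bad bounces"):
        n, distinct = summary.get(label, (0, 0))
        lines.append(f"{label:<12} {n:>8} ({distinct})")
    return "\n".join(lines)


def dnsbl_query_name(ip, zone):
    """Query name for an IPv4 DNS blocklist lookup: the octets reversed
    under the list's zone, the convention the bl-* classes rely on.
    'zone' is whatever blocklist you query; bl.example is a placeholder."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    print(report(totals))
    print(dnsbl_query_name("192.0.2.10", "bl.example"))
```

Running it on the constructed sample yields six connection-time rejections, three bad HELOs from two distinct hosts and one bad bounce; the two malformed lines are dropped. The distinct-IP column is what separates "a few big sources" from "many determined small ones", which is the distinction the SPEWS paragraph above draws.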

(Since I finally scripted this report too, you'll be seeing it more often.)

spam/SpamSummary-2005-09-17 written at 01:54:03;

