2005-10-02
Weekly spam summary on October 1st, 2005
This week we received 11,661 email messages from 245 different IP addresses. Our SMTP server handled 49,500 sessions from 5,900 different IP addresses. Email volume has held steady from last week, but session volume is down.
Overall connections are actually up from previous weeks: 251,000, from at least 41,000 different IP addresses. Our SMTP frontend hit 50 simultaneous pending connections early in the week, which is its maximum at the moment. Other statistics suggest that this time around, the changes are because spammers are trying to spam us.
Kernel level SMTP blocks:
    Host/Mask           Packets   Bytes
    218.102.53.0/24       10647    492K  [*]
    68.21.250.130          8784    411K
    212.74.114.37          7860    388K
    195.188.82.90          7582    354K  [*]
    213.4.149.11           7556    344K  [*]
    212.216.176.0/24       6075    325K  [*]
    67.116.92.82           5963    286K
    216.130.96.132         5511    257K
    66.192.184.35          5262    253K
    64.212.161.229         4731    227K
The four marked entries reappeared from last week; the remainder are new.
- 212.74.114.37 is Tiscali UK's lead mail machine, and is on SPEWS.
- 66.192.184.35 is in what we consider to be twtelecom.net dynamic IP address space.
Everyone else got listed for sending us enough unresolvable HELO greetings.
Connection-time rejection stats:
    25588 total
    13475 dynamic IP
     6328 bad or no reverse DNS
     2166 class bl-cbl
     1691 class bl-spews
      479 class bl-dsbl
      404 class bl-sbl
      233 class bl-ordb
      107 class bl-sdul
       63 class bl-njabl
        4 class bl-opm
Nothing stands out in looking at detailed stats, which means that the big jump in CBL hits is probably from spammers trying to spam us.
Other stats:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
|---|---|---|---|---|
| Bad HELOs | 19943 | 1141 | 26297 | 1726 |
| Bad bounces | 7087 | 3259 | 9866 | 4597 |
Spammers are still actively forging our domains, just not quite as often as last week. Such is life for a domain where they've been forging us for literally years. (I sometimes wish the University would sue a few of them, but the lawyers probably have many better things to do.)