Wandering Thoughts archives

2005-10-16

Weekly spam summary on October 15th, 2005

This week we received 12,137 email messages from 240 different IP addresses. Our SMTP server handled 51,672 sessions from 4,977 different IP addresses. Session volume is down from last week, but not by what I'd consider a lot.

Overall connections are down to roughly the numbers we last saw four weeks ago: 222,800 connections from at least 38,400 different IP addresses. We did hit a highwater of 50 connections in flight at once, though. This week I have per-day statistics:

Day         Connections   different IPs
Sunday           57,500           7,500
Monday           29,000          +5,700
Tuesday          21,500          +4,400
Wednesday        28,600          +5,700
Thursday         43,500          +5,200
Friday           28,700          +5,200
Saturday         13,900          +4,300

Both Sunday and Saturday are partial figures, which makes the Sunday numbers particularly startling. The maximum connections in flight highwater started the week at 22, jumped to 35 on Thursday, and hit 50 on Friday.

Kernel level SMTP packet filtering top ten:

Host/Mask           Packets   Bytes
66.154.124.9          16559    927K
212.216.176.0/24      10719    568K
61.128.0.0/10         10352    501K
192.35.251.3          10326    495K
218.102.53.0/24        7015    320K
213.4.149.69           6476    290K
213.4.149.64           5863    304K
66.179.44.52           5608    269K
222.166.82.174         5340    320K
207.170.62.202         5298    262K

This week only one Chinese network makes the top ten, and in third place instead of its first-place finish last week. A surprising number of the individual IP addresses are new.

  • 66.154.124.9 is in SBL24721. 'Surge Media' is apparently an accurate label.
  • 192.35.251.3 (bad HELO), 213.4.149.69 (terra.es bad reverse DNS), and 66.179.44.52 (bad HELO) are all repeat visitors to the top 10.
  • 222.166.82.174 is a hkcable.com.hk cablemodem customer.
  • everyone else was added due to unresolvable HELO names.

Connection-time rejection stats:

  30390 total
  16033 dynamic IP
   8219 bad or no reverse DNS
   2164 class bl-cbl
   1911 class bl-spews
    389 class bl-dsbl
    368 class bl-sbl
    249 class bl-sdul
     96 class bl-njabl
     64 class bl-ordb
      6 class bl-opm

The dynamic IP address count jumped significantly, in part due to a few machines seriously hammering on us before being firewalled away; one wanadoo.fr machine tried 1,269 connections before giving up. A few SPEWS-listed people were pretty persistent too.

Other stats:

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs           27390             1136         30842             1438
Bad bounces          5320             2739          8181             4121

We're still rejecting an annoying amount of backscatter, but we'll probably always be. Two IP addresses, 64.123.95.10 and 12.8.18.132, both did quite a lot of backscattering this week; no one else stands out compared to last week.

(Someday I will do a report on backscatter and bad HELOs by ASN.)

spam/SpamSummary-2005-10-15 written at 00:55:13

