2005-10-16
Weekly spam summary on October 15th, 2005
This week we received 12,137 email messages from 240 different IP addresses. Our SMTP server handled 51,672 sessions from 4,977 different IP addresses. Session volume is down from last week, but not by what I'd consider a lot.
Overall connections are down to roughly the numbers we last saw four weeks ago: 222,800 connections from at least 38,400 different IP addresses. We did hit a highwater of 50 connections in flight at once, though. This week I have per-day statistics:
Day | Connections | different IPs |
Sunday | 57,500 | 7,500 |
Monday | 29,000 | +5,700 |
Tuesday | 21,500 | +4,400 |
Wednesday | 28,600 | +5,700 |
Thursday | 43,500 | +5,200 |
Friday | 28,700 | +5,200 |
Saturday | 13,900 | +4,300 |
Both Sunday and Saturday are partial figures, which makes the Sunday numbers particularly startling. The maximum connections in flight highwater started the week at 22, jumped to 35 on Thursday, and hit 50 on Friday.
Kernel level SMTP packet filtering top ten:
Host/Mask           Packets  Bytes
66.154.124.9          16559   927K
212.216.176.0/24      10719   568K
61.128.0.0/10         10352   501K
192.35.251.3          10326   495K
218.102.53.0/24        7015   320K
213.4.149.69           6476   290K
213.4.149.64           5863   304K
66.179.44.52           5608   269K
222.166.82.174         5340   320K
207.170.62.202         5298   262K
This week only one Chinese network makes the top ten, and in third place instead of its first-place finish last week. A surprising number of the individual IP addresses are new.
- 66.154.124.9 is in SBL24721. 'Surge Media' is apparently an accurate label.
- 192.35.251.3 (bad HELO), 213.4.149.69 (terra.es bad reverse DNS), and 66.179.44.52 (bad HELO) are all repeat visitors to the top 10.
- 222.166.82.174 is a hkcable.com.hk cablemodem customer.
- everyone else was added due to unresolvable HELO names.
Connection-time rejection stats:
30390 total
16033 dynamic IP
 8219 bad or no reverse DNS
 2164 class bl-cbl
 1911 class bl-spews
  389 class bl-dsbl
  368 class bl-sbl
  249 class bl-sdul
   96 class bl-njabl
   64 class bl-ordb
    6 class bl-opm
The dynamic IP address count jumped significantly, due in part to a few machines seriously hammering on us before being firewalled away; one wanadoo.fr machine tried 1,269 connections before giving up. A few SPEWS-listed people were pretty persistent too.
Other stats:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 27390 | 1136 | 30842 | 1438 |
Bad bounces | 5320 | 2739 | 8181 | 4121 |
We're still rejecting an annoying amount of backscatter, but we'll probably always be. Two IP addresses, 64.123.95.10 and 12.8.18.132, both did quite a lot of backscattering this week; no one else stands out compared to last week.
(Someday I will do a report on backscatter and bad HELOs by ASN.)