Weekly spam summary on November 5th, 2005
This week we received 12,872 email messages from 229 different IP addresses. Our SMTP server handled 22,584 sessions from 1,544 different IP addresses, which is significantly down from last week.
To go with it, overall connections are down a lot from last week: we only saw 93,950 connections from at least 31,000 different IP addresses. I believe this is the lowest connection rate I've seen since I started doing weekly stats, and probably for some time before then.
Compared to two weeks ago, the per day different IP counts are somewhat but not hugely lower, while the number of connections is way, way down and very consistent. (Note that Sunday and Saturday are partial days, as usual.)
Kernel level packet filtering top ten:
Host/Mask | Packets | Bytes
188.8.131.52/28 | 15309 | 857K
184.108.40.206 | 12654 | 592K
220.127.116.11/24 | 11677 | 605K
18.104.22.168 | 7166 | 401K
22.214.171.124 | 7122 | 342K
126.96.36.199 | 4513 | 211K
188.8.131.52 | 4063 | 195K
184.108.40.206/10 | 2852 | 144K
220.127.116.11 | 2336 | 131K
18.104.22.168 | 2264 | 109K
Again there's something odd. The usual top ten cutoff is at least 4,000 packets, but this week it's all the way down to 2,000; we simply haven't blocked very many active sources. On the other hand, there are a couple of very active sources.
- 22.214.171.124/28, SBL24721, continues its rampage.
- 126.96.36.199 and 188.8.131.52 are in SBL26860.
- 184.108.40.206 reappears from last week, still on the ORDB; maybe they'll give up soon or get fixed.
- 220.127.116.11 is a blueyonder.co.uk cablemodem.
- 18.104.22.168 is some machine in India with no reverse DNS; we haven't talked to anything from APNIC space without reverse DNS for years. It's also on the CBL and various other DNS blocklists.
- 22.214.171.124 reappears from here, still with a bad
- 126.96.36.199 is a PacBell ADSL line with a bad HELO name. (It's sometimes very tempting to block all PacBell ADSL lines, but at least some of them are statically assigned business lines. Unfortunately you can't tell which are which, since PacBell uses generic reverse DNS names.)
Connection time rejection stats:
13876 total
5903 dynamic IP
4777 bad or no reverse DNS
1730 class bl-cbl
286 class bl-sbl
283 class bl-spews
222 class bl-ordb
160 class bl-dsbl
95 class bl-njabl
77 class bl-sdul
8 class bl-opm
Unsurprisingly everything has gone down compared to last week, sometimes through the floor. No single source stands out.
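The rejection classes above (dynamic IP, bad or no reverse DNS, then the DNS blocklist classes) are the output of a connection-time classifier. The following is an added illustration, not code from this site's mail setup: it decides a reason for each connecting IP using constructed stand-ins for PTR/A records and blocklist membership (all addresses and names below are hypothetical test data), and tallies the results in the same shape as the stats block. The order of checks is an assumption; which reason an IP gets counted under depends on that order, which is one reason such per-class counts are not directly comparable between sites.

```python
import re
from collections import Counter

# Constructed stand-ins for DNS answers. A real filter would query PTR and A
# records and the DNSBLs over the network; every value here is hypothetical.
PTR_RECORDS = {
    "192.0.2.10": "mail.example.org",                  # clean, resolves both ways
    "192.0.2.11": "adsl-192-0-2-11.dsl.example.net",   # generic dynamic-looking name
    "192.0.2.12": None,                                # no reverse DNS at all
    "192.0.2.13": "host13.example.com",                # PTR exists but does not point back
    "192.0.2.14": "smtp.example.net",                  # clean DNS, but listed in CBL and SBL
    "192.0.2.15": "relay.example.com",                 # clean DNS, listed only in SBL
}
A_RECORDS = {
    "mail.example.org": {"192.0.2.10"},
    "adsl-192-0-2-11.dsl.example.net": {"192.0.2.11"},
    "host13.example.com": {"198.51.100.9"},
    "smtp.example.net": {"192.0.2.14"},
    "relay.example.com": {"192.0.2.15"},
}

# Blocklist classes named as in the stats block; membership is constructed.
# Dict order is the order the classes are consulted, so an IP that is on
# several lists is counted under the first one that matches.
BLOCKLISTS = {
    "bl-cbl": {"192.0.2.14"},
    "bl-sbl": {"192.0.2.14", "192.0.2.15"},
    "bl-spews": set(),
    "bl-ordb": set(),
    "bl-dsbl": set(),
    "bl-njabl": set(),
    "bl-sdul": set(),
    "bl-opm": set(),
}

# Reverse-DNS name shapes typical of dynamically assigned address pools
# (a label such as adsl/dsl/dhcp/dyn/cable/ppp/pool/dial, or the IP
# spelled out with dashes in the hostname).
DYNAMIC_NAME = re.compile(
    r"(?:^|[.-])(?:adsl|dsl|dhcp|dyn|dynamic|cable|ppp|pool|dial)(?:[.-]|$)"
    r"|\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}",
    re.IGNORECASE,
)


def classify(ip):
    """Return the rejection reason for a connecting IP, or None to accept it.

    Check order (an assumption): reverse DNS first, then dynamic-looking
    names, then the blocklist classes in BLOCKLISTS order.
    """
    name = PTR_RECORDS.get(ip)
    if name is None:
        return "bad or no reverse DNS"
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    if ip not in A_RECORDS.get(name, set()):
        return "bad or no reverse DNS"
    if DYNAMIC_NAME.search(name):
        return "dynamic IP"
    for cls, members in BLOCKLISTS.items():
        if ip in members:
            return f"class {cls}"
    return None


def summarize(connections):
    """Tally rejections per reason, in the shape of the weekly stats block."""
    counts = Counter()
    for ip in connections:
        reason = classify(ip)
        if reason is not None:
            counts[reason] += 1
    counts["total"] = sum(counts.values())   # rejections only; accepted sessions are not counted
    return dict(counts)


# Constructed sample of one week's connecting IPs (repeats are separate sessions).
SAMPLE_CONNECTIONS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
    "192.0.2.14", "192.0.2.15", "192.0.2.11",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE_CONNECTIONS)
    print(f"{stats['total']} total")
    for reason, n in sorted(stats.items(), key=lambda kv: -kv[1]):
        if reason != "total":
            print(f"{n} {reason}")
```

Note that an address with no PTR record is lumped with one whose PTR does not resolve back, matching the single "bad or no reverse DNS" class; a dynamic-looking name that is also on the CBL is counted as "dynamic IP" only because that check runs first.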
what | # this week (distinct IPs) | # last week (distinct IPs)
HELOs have dropped by a stone, although bounces are only down by 50% (from a lot fewer places, though).
Just to rain on any good news parade, Hotmail spam is up from last week:
- three actual email messages accepted; at least one was almost certainly spam.
- 11 Hotmail messages refused due to their originating IP addresses (8 in the SBL, one in the XBL, one from Gilat-Satcom again, one from Burkina Faso).
- 300 messages from Hotmail refused because they came from non-Hotmail email addresses.