Wandering Thoughts archives

2005-11-13

Weekly spam summary on November 12th, 2005

This week I'm leading with Hotmail's numbers, because they continue to be a depressing testament to Hotmail's spam problem. This week's Hotmail statistics are:

  • one email accepted, probably advance fee fraud spam from the Hotmail user name.
  • 14 Hotmail messages refused due to their originating IP addresses (4 in the SBL, 4 in the XBL, three from Nigeria, two from SAIX, and one from the Cote d'Ivoire).
  • 31 Hotmail messages refused because their sender addresses had already hit our spamtraps.
  • 251 messages from Hotmail refused because they came from non-Hotmail email addresses.

At this point it's hard to see a point to continuing to accept Hotmail's email. And it's not like Hotmail shows any signs of dealing with their problem; they've offloaded it onto the rest of us.

On to other stats. This week we received 13,175 email messages from 230 different IP addresses. Our SMTP server handled 22,087 sessions from 1,695 different IP addresses. Both of these numbers are about the same as last week.

Our connection volume is up from the depths of last week: 179,300 connections from at least 30,000 different IP addresses.

Day Connections different IPs
Sunday 10,000 4,230
Monday 12,400 +4,840
Tuesday 67,750 +4,410
Wednesday 38,000 +4,220
Thursday 14,960 +4,370
Friday 23,000 +4,450
Saturday 13,100 +3,550

Tuesday is responsible for more than a third of the connections all on its own, with a spillover into Wednesday and a bit of a spike on Wednesday. Otherwise things are pretty close to last week's daily rates.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
64.52.16.234          11730    548K
66.154.124.0/28       10428    584K
69.105.51.114          7892    369K
212.216.176.0/24       7723    386K
61.128.0.0/10          7210    351K
80.33.77.149           6128    309K
130.69.197.3           4675    281K
203.167.99.194         4410    212K
219.71.176.89          3577    172K
66.179.44.52           3286    158K

This is a skewed distribution, but not as skewed as last week.

  • 64.52.16.234, 69.105.51.114, and 66.179.44.52 continue to send us bad HELO names.
  • 203.167.99.194 is an etpi.com.ph machine with no reverse DNS.
  • 219.71.176.89 is a giga.net.tw cablemodem.
  • 80.33.77.149 and 130.69.197.3 both tripped our spamtraps and then persistently kept trying to mail us.

Connection time rejection stats:

  16386 total
   8270 dynamic IP
   4714 bad or no reverse DNS
   1407 class bl-cbl
    662 class bl-ordb
    504 class bl-sbl
    224 class bl-spews
     90 class bl-dsbl
     71 class bl-sdul
     54 class bl-njabl
      2 class bl-opm

The dynamic IP category jumped in significant part due to just one machine, 83.196.157.151 (a wanadoo.fr dialup), trying 1,796 times to connect before it got blocked harder. (And this happened on Tuesday.)

Other stats:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 3613 165 1645 155
Bad bounces 774 570 1096 424

I'm not going to try to read meaning into the changed bounce count. There were definitely some quite persistent sources of bad HELO names this week.

spam/SpamSummary-2005-11-12 written at 00:52:53; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.