Weekly spam summary on December 3rd, 2005
I'll lead with Hotmail's spam numbers:
- four emails accepted, and I know for sure that two of them were spam.
- 239 messages rejected because they came from non-Hotmail email addresses.
- 24 messages refused because their sender addresses had already hit our spamtraps.
- 10 messages refused due to their origin IP address (5 in the SBL, 4 in the CBL, and one from Nigeria).
The case for banning Hotmail entirely becomes more and more compelling. It's probably time to raise it with the rest of my group and my manager.
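The Hotmail numbers above reflect a layered acceptance policy: mail from Hotmail's servers is accepted only when the sender address is actually a Hotmail address, that address has not already hit a spamtrap, and the originating IP is not blocklisted. The following is an added example, not the author's code, that models that policy over constructed messages; the spamtrap list, DNSBL answers, accepted sender domains and country lookup are all stand-in assumptions so it runs offline.

```python
"""Added example (not the author's code): the Hotmail acceptance policy
described above, applied to constructed sample messages.

A message relayed by a Hotmail server is rejected, in this order, if
(1) its envelope sender is not a Hotmail address, (2) that sender address
has already hit one of our spamtraps, or (3) the originating client IP
is on a DNS blocklist or from a blocked country. Everything else is accepted."""

from collections import Counter
from dataclasses import dataclass

# Constructed lookup data; a real deployment would query DNSBLs and its own
# spamtrap database rather than these in-memory sets (assumption).
SPAMTRAP_HITS = {"winner2005@hotmail.com"}
DNSBL_LISTINGS = {"192.0.2.10": "sbl", "192.0.2.20": "cbl"}
HOTMAIL_SENDER_DOMAINS = {"hotmail.com", "msn.com"}  # assumed accepted set


@dataclass
class HotmailMessage:
    sender: str          # envelope sender (MAIL FROM)
    origin_ip: str       # client IP the Hotmail server says it relayed from
    origin_country: str  # assumption: result of a country lookup on origin_ip


def check_hotmail(msg: HotmailMessage, blocked_countries=frozenset({"NG"})) -> str:
    """Return 'accept' or the first rejection reason that applies."""
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain not in HOTMAIL_SENDER_DOMAINS:
        return "non-hotmail sender"
    if msg.sender.lower() in SPAMTRAP_HITS:
        return "sender hit spamtrap"
    listing = DNSBL_LISTINGS.get(msg.origin_ip)
    if listing:
        return f"origin ip in {listing}"
    if msg.origin_country in blocked_countries:
        return "origin country blocked"
    return "accept"


def tally(messages) -> Counter:
    """Count outcomes so the weekly summary can be produced from a message log."""
    return Counter(check_hotmail(m) for m in messages)


# Constructed sample batch, one message per outcome.
SAMPLE = [
    HotmailMessage("bob@example.com", "198.51.100.5", "US"),
    HotmailMessage("winner2005@hotmail.com", "198.51.100.5", "US"),
    HotmailMessage("alice@hotmail.com", "192.0.2.10", "US"),
    HotmailMessage("alice@hotmail.com", "198.51.100.5", "NG"),
    HotmailMessage("alice@hotmail.com", "198.51.100.5", "US"),
]

if __name__ == "__main__":
    for reason, count in sorted(tally(SAMPLE).items()):
        print(f"{count:5d} {reason}")
```

The checks run in the same order the summary lists them, so a message counts under the first rule it trips; a non-Hotmail sender that is also on a blocklist shows up only in the "non-hotmail sender" bucket.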
For the rest of it, this week we received 17,371 email messages from 236 different IP addresses. Our SMTP server handled 18,603 sessions from 1,015 different IP addresses. This is slightly down from last week, but still well up on our historical trends.
Looking at the mail traffic, I think that this is due to mailing lists (especially local ones) becoming more active and to more status monitoring emails, almost all of it going to only a couple of local users. The top two local users got 7,000 messages and 4,250 messages this week; the next most popular human recipient got only 160.
Our connection volume is down from last week, back to what I consider the (new) normal: 103,500 connections from at least 34,600 different IP addresses. Broken down by day, it goes:
While there's a little Wednesday peak, there was no Thursday jump; instead things fall off then, and continue to fall for the rest of the week.
Kernel level packet filtering top ten:
Host/Mask           Packets   Bytes
18.104.22.168          8632    518K
22.214.171.124/24      8619    429K
126.96.36.199          8551    435K
188.8.131.52           7017    357K
184.108.40.206         4963    298K
220.127.116.11         4923    295K
18.104.22.168          4086    245K
22.214.171.124         3308    155K
126.96.36.199          3027    145K
188.8.131.52           2920    140K
- Only 184.108.40.206 reappears from previous top listings, and that from a long time ago. It's one of our permanent blocks for very fast retries on a bad
- 220.127.116.11 is in SBL11354.
- 18.104.22.168 and 22.214.171.124 are part of SBL34212.
- 126.96.36.199 is a dialup-like proxad.net machine.
- 188.8.131.52 and 184.108.40.206 have bad or missing reverse DNS and are from areas (LACNIC and APNIC respectively) where we only accept connections from IP addresses with good reverse DNS. (220.127.116.11 is also in dnsbl.njabl.org.)
- 18.104.22.168 sent us bad HELO names too often (and is in bl.spamcop.net and several other DNSBLs).
Unlike last week, we have a lot more entries with relatively high packet counts. But a lot of them look like spammers, as opposed to people trying to dump spam backscatter on us.
Connection time rejection stats:
24224 total
11287 dynamic IP
 7981 bad or no reverse DNS
 2641 class bl-cbl
  586 class bl-ordb
  535 class bl-sbl
  307 class bl-dsbl
  218 class bl-spews
  176 class bl-sdul
  150 class bl-njabl
    7 class bl-opm
(As usual, other sources of connection time rejections are insignificant.)
There's no one as prolific as last week, although 22.214.171.124 and 126.96.36.199 made an attempt at it (both are in the CBL). In fact, five of the top 10 most prolific IP addresses are in the CBL; two are in the SBL, and three in dnsbl.njabl.org (two of which were also in list.dsbl.org). Despite the prolific DNSBL presence, the reasons for listing break down to one 'dialup', five lacking good reverse DNS, two in the SBL, and one each for list.dsbl.org and dnsbl.njabl.org.
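The gap between "how many DNSBLs list an IP" and "what reason it was rejected for" comes from the rules being checked in a fixed order: a connection is charged to the first rule it trips, so an address that lacks good reverse DNS never gets as far as the DNSBL checks. The block below is an added example, not the author's code, that models the connection-time rules the post mentions (dynamic-looking hostname, missing or unconfirmed reverse DNS from LACNIC or APNIC space, then the DNSBL classes in the order the stats list them) and produces a breakdown of the same shape. The PTR/A answers, DNSBL hits, registry regions and the dynamic-hostname pattern are constructed stand-ins so it runs offline.

```python
"""Added example, not the author's code: a model of the connection-time
rejection rules described in the post, run over constructed connection
records to produce a breakdown shaped like the weekly stats."""

import re
from collections import Counter

# Constructed stand-ins for PTR and A lookups (assumption: a real check
# would call the resolver). Forward-confirmed means the PTR name's A
# records include the connecting IP.
PTR = {"192.0.2.1": "mail.example.com",
       "192.0.2.2": "host2.example.net",
       "192.0.2.3": "ppp-12-34.dyn.example.org"}
FORWARD = {"mail.example.com": {"192.0.2.1"},
           "host2.example.net": {"203.0.113.9"},      # does not confirm 192.0.2.2
           "ppp-12-34.dyn.example.org": {"192.0.2.3"}}
# Constructed DNSBL listings: ip -> set of list names (reported as class bl-<name>).
DNSBL = {"192.0.2.4": {"cbl", "njabl"},
         "192.0.2.5": {"sbl"},
         "192.0.2.6": {"njabl", "dsbl"}}
# Constructed registry map; the post requires good reverse DNS for LACNIC and APNIC space.
REGION = {"192.0.2.2": "LACNIC", "192.0.2.7": "APNIC", "192.0.2.8": "RIPE"}
RDNS_REQUIRED = {"LACNIC", "APNIC"}
# DNSBL classes in the order the post's stats list them; checked in this priority.
BL_ORDER = ["cbl", "ordb", "sbl", "dsbl", "spews", "sdul", "njabl", "opm"]
# Assumed heuristic for dynamic/dialup-style hostnames.
DYNAMIC_RE = re.compile(r"(^|[.-])(ppp|dsl|dyn|dial|dhcp|cable)[.-]", re.I)


def reverse_dns(ip):
    """Return the forward-confirmed PTR name for ip, or None if it is
    missing or does not resolve back to ip."""
    name = PTR.get(ip)
    if name and ip in FORWARD.get(name, set()):
        return name
    return None


def rejection_reason(ip):
    """Return the reason string charged to a connecting IP, or None to accept."""
    name = reverse_dns(ip)
    if name and DYNAMIC_RE.search(name):
        return "dynamic IP"
    if name is None and REGION.get(ip) in RDNS_REQUIRED:
        return "bad or no reverse DNS"
    hits = DNSBL.get(ip, set())
    for bl in BL_ORDER:
        if bl in hits:
            return f"class bl-{bl}"
    return None


def breakdown(ips):
    """Tally rejections per reason plus a 'total' line, like the stats block."""
    counts = Counter()
    for ip in ips:
        reason = rejection_reason(ip)
        if reason:
            counts["total"] += 1
            counts[reason] += 1
    return counts


# Constructed connection log: one IP per case worth exercising.
SAMPLE_CONNECTIONS = [f"192.0.2.{n}" for n in range(1, 9)]

if __name__ == "__main__":
    for reason, count in breakdown(SAMPLE_CONNECTIONS).most_common():
        print(f"{count:5d} {reason}")
```

Note that 192.0.2.4 is on two lists but is charged to bl-cbl only, and 192.0.2.6 is charged to bl-dsbl rather than bl-njabl, which is the same first-match effect the paragraph above describes.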
I think I'll stop the breakdown now.
[Table with columns: what, # this week (distinct IPs), # last week (distinct IPs); rows not recovered]
This week we have fewer sources of bad HELO names, but they're a bit more prolific; the most aggressive was 188.8.131.52, with 111 connections, followed by 184.108.40.206 with 66. (Last week the most aggressive source had 52.)