Wandering Thoughts archives

2005-12-04

Weekly spam summary on December 3rd, 2005

I'll lead with Hotmail's spam numbers:

  • four emails accepted, and I know for sure that two of them were spam.
  • 239 messages rejected because they came from non-Hotmail email addresses.
  • 24 messages refused because their sender addresses had already hit our spamtraps.
  • 10 messages refused due to their origin IP address (5 in the SBL, 4 in the CBL, and one from Nigeria).

The case for banning Hotmail entirely becomes more and more compelling. It's probably time to raise it with the rest of my group and my manager.

For the rest of it, this week we received 17,371 email messages from 236 different IP addresses. Our SMTP server handled 18,603 sessions from 1,015 different IP addresses. This is slightly down from last week, but still well up on our historical trends.

Looking at the mail traffic, I think this is due to mailing lists (especially local ones) becoming more active and to more status monitoring emails, and that this extra traffic goes to only a couple of local users. The top two local users got 7,000 messages and 4,250 messages this week; the next most popular human recipient got only 160.

Our connection volume is down from last week, back to what I consider the (new) normal: 103,500 connections from at least 34,600 different IP addresses. Broken down by day, it goes:

Day         Connections   different IPs
Sunday           12,920           5,200
Monday           17,000          +5,590
Tuesday          15,750          +5,660
Wednesday        20,630          +6,580
Thursday         13,410          +4,210
Friday           15,000          +4,400
Saturday          8,800          +2,960

While there's a little Wednesday peak, there was no Thursday jump; instead things fall off then, and continue to fall for the rest of the week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
65.110.13.98           8632    518K
212.216.176.0/24       8619    429K
81.56.74.165           8551    435K
201.245.43.254         7017    357K
66.62.47.34            4963    298K
66.62.47.57            4923    295K
65.110.13.99           4086    245K
207.14.219.245         3308    155K
210.103.205.230        3027    145K
193.41.153.65          2920    140K
  • Only 193.41.153.65 reappears from previous top listings, and that from a long time ago. It's one of our permanent blocks for very fast retries on a bad HELO name.
  • 65.110.13.98 is in SBL11354.
  • 66.62.47.34 and 66.62.47.57 are part of SBL34212.
  • 81.56.74.165 is a dialup-like proxad.net machine.
  • 201.245.43.254 and 210.103.205.230 have bad or missing reverse DNS and are from areas (LACNIC and APNIC respectively) where we only accept connections from IP addresses with good reverse DNS. (210.103.205.230 is also in dnsbl.njabl.org.)
  • 207.14.219.245 sent us bad HELO names too often (and is in bl.spamcop.net and several other DNSBls).

Unlike last week, we have a lot more entries with relatively high packet counts. But a lot of them look like spammers, as opposed to people trying to dump spam backscatter on us.

Connection time rejection stats:

  24224 total
  11287 dynamic IP
   7981 bad or no reverse DNS
   2641 class bl-cbl
    586 class bl-ordb
    535 class bl-sbl
    307 class bl-dsbl
    218 class bl-spews
    176 class bl-sdul
    150 class bl-njabl
      7 class bl-opm

(As usual, other sources of connection time rejections are insignificant.)

There's no one as prolific as last week, although 68.207.108.73 and 210.207.185.214 made an attempt at it (both are in the CBL). In fact, five of the top 10 most prolific IP addresses are in the CBL; two are in the SBL, and three in dnsbl.njabl.org (two of which were also in list.dsbl.org). Despite the prolific DNSBl presence, the reasons for listing break down to one 'dialup', five lacking good reverse DNS, two in the SBL, and one each for list.dsbl.org and dnsbl.njabl.org.

I think I'll stop the breakdown now.

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs     704 (65)                     682 (76)
Bad bounces   178 (118)                    190 (98)

This week we have fewer sources of bad HELO names, but they're a bit more prolific; the most aggressive was 195.63.35.42, with 111 connections, followed by 212.248.13.106 with 66. (Last week the most aggressive source had 52.)

spam/SpamSummary-2005-12-03 written at 01:39:17
