Weekly spam summary on December 3rd, 2005
I'll lead with Hotmail's spam numbers:
- four emails accepted, and I know for sure that two of them were spam.
- 239 messages rejected because they came from non-Hotmail email addresses.
- 24 messages refused because their sender addresses had already hit our spamtraps.
- 10 messages refused due to their origin IP address (5 in the SBL, 4 in the CBL, and one from Nigeria).
The case for banning Hotmail entirely becomes more and more compelling. It's probably time to raise it with the rest of my group and my manager.
For the rest of it, this week we received 17,371 email messages from 236 different IP addresses. Our SMTP server handled 18,603 sessions from 1,015 different IP addresses. This is slightly down from last week, but still well up on our historical trends.
Looking at the mail traffic, I think that this is due to mailing lists (especially local ones) becoming more active and more status monitoring emails, and only to a couple of local users. The top two local users got 7,000 messages and 4,250 messages this week; the next most popular human recipient got only 160.
Our connection volume is down from last week, back to what I consider the (new) normal: 103,500 connections from at least 34,600 different IP addresses. Broken down by day, it goes:
While there's a little Wednesday peak, there was no Thursday jump; instead things fall off then, and continue to fall for the rest of the week.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
|---|---|---|
| 188.8.131.52 | 8632 | 518K |
| 184.108.40.206/24 | 8619 | 429K |
| 220.127.116.11 | 8551 | 435K |
| 18.104.22.168 | 7017 | 357K |
| 22.214.171.124 | 4963 | 298K |
| 126.96.36.199 | 4923 | 295K |
| 188.8.131.52 | 4086 | 245K |
| 184.108.40.206 | 3308 | 155K |
| 220.127.116.11 | 3027 | 145K |
| 18.104.22.168 | 2920 | 140K |

- Only 22.214.171.124 reappears from previous top listings, and that from a long time ago. It's one of our permanent blocks for very fast retries on a bad
- 126.96.36.199 is in SBL11354.
- 188.8.131.52 and 184.108.40.206 are part of SBL34212.
- 220.127.116.11 is a dialup-like proxad.net machine.
- 18.104.22.168 and 22.214.171.124 have bad or missing reverse DNS and are from areas (LACNIC and APNIC respectively) where we only accept connections from IP addresses with good reverse DNS. (126.96.36.199 is also in dnsbl.njabl.org.)
- 188.8.131.52 sent us bad HELO names too often (and is in bl.spamcop.net and several other DNSBls).
Unlike last week, we have a lot more entries with relatively high packet counts. But a lot of them look like spammers, as opposed to people trying to dump spam backscatter on us.
Connection time rejection stats:
- 24224 total
- 11287 dynamic IP
- 7981 bad or no reverse DNS
- 2641 class bl-cbl
- 586 class bl-ordb
- 535 class bl-sbl
- 307 class bl-dsbl
- 218 class bl-spews
- 176 class bl-sdul
- 150 class bl-njabl
- 7 class bl-opm

(As usual, other sources of connection time rejections are insignificant.)
There's no one as prolific as last week, although 184.108.40.206 and 220.127.116.11 made an attempt at it (both are in the CBL). In fact, five of the top 10 most prolific IP addresses are in the CBL; two are in the SBL, and three in dnsbl.njabl.org (two of which were also in list.dsbl.org). Despite the prolific DNSBl presence, the reasons for listing break down to one 'dialup', five lacking good reverse DNS, two in the SBL, and one each for list.dsbl.org and dnsbl.njabl.org.
I think I'll stop the breakdown now.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
This week we have fewer sources of bad HELO names, but they're a bit more prolific; the most aggressive was 18.104.22.168, with 111 connections, followed by 22.214.171.124 with 66. (Last week the most aggressive source had 52.)