Wandering Thoughts archives

2005-12-11

Weekly spam summary on December 10th, 2005

Once again I'll lead with Hotmail's spam numbers, because they continue to be bad:

  • one email accepted (probably spam).
  • 218 messages rejected because they came from non-Hotmail email addresses.
  • 111 messages sent to our spamtraps.
  • 30 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (all for being in the SBL).

Now, on to the general numbers.

This week we received 17,296 email messages from 202 different IP addresses. Our SMTP server handled 18,730 sessions from 998 different IP addresses. This is about the same as last week, and once again we have two very active local users (6,993 and 4,302 messages) and the Linux kernel mailing list (2,225 messages) as a good part of the volume.

Connection volume is down from last week: 85,479 connections from at least 29,652 different IP addresses. The drop in the number of different IP addresses trying to send us mail is interesting. Broken down by day it goes:

Day Connections different IPs
Sunday 12,220 +4,480
Monday 12,910 +4,590
Tuesday 14,600 +5,070
Wednesday 11,270 +4,070
Thursday 12,140 +4,670
Friday 12,720 +3,750
Saturday 9,600 +3,010

Apart from a slight spike on Tuesday, this is basically flat. I'll probably not bother to report such flat numbers in detail in the future. (This table is still built by hand in a relatively hacky way. Besides, it takes up space.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
212.216.176.0/24       5708    282K
81.56.74.165           5292    269K
69.105.51.114          3813    178K
66.62.47.34            3179    191K
80.128.0.0/12          2982    144K
69.15.141.50           2684    129K
213.96.252.240         2621    157K
219.238.168.124        2275    109K
213.123.26.91          2050   98400
219.128.0.0/12         1861   95064

This week's kernel level rejection stats are remarkably low.

  • 80.128.0.0/12 is a Deutsche Telekom block, apparently all dialups. DT has a serious open proxy problem, one virulent enough that we have firewalled their entire IP blocks for some time rather than play whack-a-mole.
  • reappearing from before are 81.56.74.165, 69.105.51.114, and 66.62.47.34. (Two of them from last week, even.)
  • 69.15.141.50 is on list.dsbl.org.
  • 219.238.168.124 is a Chinese IP address with no reverse DNS.
  • 213.96.252.240 and 213.123.26.91 both tried to feed us bad HELO names too often. Since 213.96.252.240 is a rima-tde.net IP address (with generic reverse DNS), I'm not terribly charitable towards it to start with. 213.123.26.91 is interesting; it is one of the machines that are 'smtpout.btconnect.com', but it HELO'd repeatedly as 'hesl02uker.he.local'.

Connection time rejection stats:

  15345 total
   7443 dynamic IP
   4688 bad or no reverse DNS
   1816 class bl-cbl
    325 class bl-ordb
    305 class bl-sbl
    300 class bl-dsbl
    139 class bl-spews
    103 class bl-njabl
    101 class bl-sdul
      8 class bl-opm

There are no particularly prolific single IP addresses.

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 716 67 704 65
Bad bounces 135 99 178 118

Bounces continue to slide, leading me to hope that spammers have more or less given up forging our domains as the MAIL FROM of their spam runs. The clear champion of bad HELO names is 69.105.51.114, a PacBell ADSL line (sigh); 213.123.26.91 comes in third.

(This is somewhat variable, as we don't promote IP addresses into the kernel blocklists on any predictable schedule. Possibly I should change that.)

spam/SpamSummary-2005-12-10 written at 00:40:54; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.