Weekly spam summary on December 31st, 2005
This week we received 12,270 email messages from 159 different IP addresses. Our SMTP server handled 31,972 sessions from 2,643 different IP addresses. Session volume is down from last week, which is a relief, although it's not back down to the historical levels yet.
However, connection volume has not dropped substantially from last week: 260,000 connections from at least 53,760 different IP addresses, with a highwater of 12 simultaneous connections being checked. Oddly, the number of different IPs has jumped substantially. Broken down by days:
The connections per day show the major spam overhang from last weekend, followed by a fairly constant rain of incoming connections over the rest of the week.
Kernel level packet filtering top ten:
Host/Mask        Packets   Bytes
220.127.116.11   19352     973K
18.104.22.168    18992     848K
22.214.171.124   7596      334K
126.96.36.199    6931      319K
188.8.131.52     6738      309K
184.108.40.206   6699      402K
220.127.116.11   6541      314K
18.104.22.168    5641      278K
22.214.171.124   5193      249K
126.96.36.199    5090      224K
- 188.8.131.52 got blocked for sending us too much spam backscatter, and apparently kept generating it quite actively.
- 184.108.40.206 continues from last week, still using its bad
- 220.127.116.11, 18.104.22.168, 22.214.171.124, and 126.96.36.199 all HELOnames at us.
- 188.8.131.52 and 184.108.40.206 are both considered 'dialup' machines.
- 220.127.116.11 is terra.es's main outbound server and has been blocked here for ages for being an active spam source.
- 18.104.22.168 sent mail to a spamtrap and then kept trying to send more email to us with the same
Connection time rejection stats:
46350 total
27594 dynamic IP
12425 bad or no reverse DNS
 4438 class bl-cbl
  527 class bl-spews
  321 class bl-dsbl
  247 class bl-sdul
  191 class bl-sbl
   97 class bl-ordb
   16 class bl-opm
    7 class bl-njabl
The CBL and generic 'dynamic/dialup' hits are up compared to last week and dominate the rejection rate, which is a strong sign that many of the connection attempts are spam delivery attempts from compromised machines. A number of IPs made hundreds of attempts to connect to us (the most active was 22.214.171.124, with 424 attempts), and of the top 30 connecting IPs, 24 of them are on the CBL.
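As an added illustration (not code from this blog or its mail system), here is how connection-time rejection of the kind tallied above is usually classified and counted: a cheap dynamic/dialup check on the reverse DNS name, then a forward-confirmed reverse DNS check, then a fixed order of DNSBL zones so each connection is credited to one class only. The sample connections, the hostname patterns, the zone list order and the DNSBL zone name are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample connections: (client IP, reverse DNS name or None,
# whether that name forward-confirms back to the IP, DNSBL zones listing it).
# DNSBL results are precomputed so the example runs offline; a live checker
# would resolve dnsbl_query_name(ip, zone) and treat an A record as a hit.
CONNECTIONS = [
    ("198.51.100.7", "dsl-198-51-100-7.isp.example.net", True, {"bl-cbl"}),
    ("198.51.100.7", "dsl-198-51-100-7.isp.example.net", True, {"bl-cbl"}),
    ("203.0.113.9", None, False, set()),
    ("203.0.113.10", "mail.example.org", True, {"bl-sbl", "bl-cbl"}),
    ("192.0.2.55", "host.example.net", True, set()),
    ("192.0.2.56", "cust-192-0-2-56.cable.example.com", True, set()),
    ("192.0.2.57", "mx.example-fake.net", False, set()),  # rDNS does not round-trip
    ("203.0.113.11", "relay.example.com", True, {"bl-sbl"}),
]

# Hostname fragments that suggest a dynamic/dialup address pool (constructed list).
DYNAMIC_RE = re.compile(r"(dsl|dialup|dyn|cable|pool|ppp)", re.I)
# Zones in the order they are consulted; the first hit is the one credited.
BL_ORDER = ["bl-cbl", "bl-spews", "bl-dsbl", "bl-sdul", "bl-sbl", "bl-ordb", "bl-opm", "bl-njabl"]

def dnsbl_query_name(ip, zone):
    """Build the octet-reversed name that is looked up in a DNSBL zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(rdns, forward_ok, bl_hits):
    """Return the rejection reason for one connection, or None to accept."""
    if rdns and DYNAMIC_RE.search(rdns):
        return "dynamic IP"
    if not rdns or not forward_ok:
        return "bad or no reverse DNS"
    for zone in BL_ORDER:
        if zone in bl_hits:
            return "class " + zone
    return None

def tally(connections):
    """Count rejections per reason (plus a running total) and connections per IP."""
    reasons, per_ip = Counter(), Counter()
    for ip, rdns, forward_ok, hits in connections:
        per_ip[ip] += 1
        reason = classify(rdns, forward_ok, hits)
        if reason:
            reasons[reason] += 1
            reasons["total"] += 1
    return reasons, per_ip

def cbl_share_of_top(connections, n):
    """How many of the n most active connecting IPs are listed on the CBL."""
    _, per_ip = tally(connections)
    on_cbl = {ip for ip, _, _, hits in connections if "bl-cbl" in hits}
    top = [ip for ip, _ in per_ip.most_common(n)]
    return sum(ip in on_cbl for ip in top), len(top)
```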
The other numbers aren't as bad as last week, but they're still not pleasant:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
I think that both dropping a lot shows that most of this week's load is direct spam, instead of backscatter from spammers forging our domains.
And to round out the last entry of the (nominal) year, here are the less depressing than usual Hotmail numbers:
- five email messages accepted, at least one of which seems to have been a spam backscatter bounce.
- 100 messages rejected because they came from non-Hotmail email addresses.
- 36 messages sent to our spamtraps.
- 10 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one for being in the SBL and one from a telkom.co.za DSL line that's also on the CBL).
Apparently a number of Hotmail's spammers do take the holidays off.
Welcome to 2006. May it have less spam than 2005.