Wandering Thoughts archives


Weekly spam summary on February 4th, 2006

Hotmail seems to be shuffling its numbers around significantly this week, to my surprise. I'm not sure the result is really better, but it's certainly different:

  • 4 email messages accepted from Hotmail, although 3 of them look a lot like typical advance fee fraud spam Hotmail addresses.
  • only 79 messages rejected because they came from non-Hotmail email addresses.
  • 138 messages sent to our spamtraps.
  • 27 messages refused because their sender addresses had already hit our spamtraps.
  • 20 messages refused due to their origin IP address (9 for being in the SBL, then a wide assortment I'm too lazy to break down in detail).

Everything is up except the non-Hotmail email address rejections, which have cratered. Maybe spammers have decided to give up on them and restrict themselves to strictly Hotmail addresses? Who knows.

The basic stats:

  • got 14,233 email messages from 230 different IP addresses.
  • handled 17,694 SMTP sessions from 941 different IP addresses.
  • received 130,000 connections from at least 52,159 different IP addresses.
  • only a highwater of 7 pending connections being processed at once.

All of this is just about the same as last week. The per-day table has no interesting fluctuations, so I'm skipping it.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                    6062      364K
                    5540      273K
                    4317      202K
                    3939      236K
                    3637      180K
                    3598      187K
                    3491      209K
                    2913      163K
                    2582      127K
                    2414      145K

Overall, I'd say the kernel level blocks were a little quieter than last week.

  • and reappear from last week
  • reappears from December 2005, still with an unresolvable HELO name.
  • is in SBL37385.
  • used an unresolvable HELO name.
  • is yet another centrum.cz machine.
  • repeatedly tried to send more mail from something that had tripped our spamtraps.

Connection time rejection stats:

  26458 total
  13291 dynamic IP
   8813 bad or no reverse DNS
   3267 class bl-cbl
    308 class bl-sbl
    133 class bl-dsbl
     70 class bl-njabl
     67 class bl-sdul
     66 class bl-spews
     35 class bl-ordb
      5 class bl-opm

Only one machine really hammered on the frontend this week; made 202 connection attempts before we blocked it harder for being in SBL37385. 17 of the top 30 rejected source IPs are in the CBL this week, three in the SBL (, plus in SBL36455 and in SBL19307), and 6 are currently in bl.spamcop.net.

Other stats:

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs     357           36               458           37
Bad bounces   87            55               100           68

There's no really big single source of bad HELOs, unlike last week;, at 74 before it went into the kernel blocks, is the highest. At least the numbers are relatively low.

spam/SpamSummary-2006-02-04 written at 01:12:58
