Wandering Thoughts archives


Weekly spam summary on February 11th, 2006

Hotmail has been startlingly quiet this week. The numbers:

  • One message accepted.
  • 24 messages rejected because they came from non-Hotmail email addresses.
  • 68 messages sent to our spamtraps.
  • 23 messages refused because their sender addresses had already hit our spamtraps.
  • 10 messages refused due to their origin IP address (two in the SBL, one in the CBL, and then the rest from an assortment of places we pretty much don't talk to any more).

Hotmail may actually be dealing with its spam problems. Or this week might be an anomaly; I expect I'll be dubious about Hotmail for quite a while.

The basic stats:

  • got 14,062 messages from 224 different IP addresses.
  • handled 27,174 sessions from 1,771 different IP addresses.
  • received 161,000 connections from at least 53,153 different IP addresses.
  • a highwater of 16 connections being checked at once.

The session and connection volume is up from last week. Connection volume fluctuates significantly during the week:

Day         Connections   different IPs
Sunday      18,588        +8,532
Monday      22,867        +9,203
Tuesday     21,045        +7,389
Wednesday   23,197        +6,951
Thursday    35,896        +7,632
Friday      23,177        +7,674
Saturday    16,074        +5,772

(Unfortunately, Thursday's numbers may be because of something I did that day. It seems I really should automate more things.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                    5455      276K
                    5218      272K
                    2820      142K
                    2692      133K
                    2561      120K
                    2396      121K
                    2133      109K
                    2000      100K
                    1948      91074
                    1906      89108

This week is even quieter than last week, plus has a lot more Chinese netblocks making the list (although tin.it earned top place). Of the rest:

  • and reappear from last week.
  • kept trying to feed us an unresolvable HELO name.
  • is a cox.net cablemodem customer with a 'dialup' reverse DNS.

Connection time rejection stats:

  31235 total
  15286 dynamic IP
  10452 bad or no reverse DNS
   3413 class bl-cbl
    403 class bl-sbl
    335 class bl-dsbl
    331 class bl-spews
    114 class bl-sdul
     51 class bl-ordb
     37 class bl-njabl
     11 class bl-opm

This was a big week for hammering on the frontend; 22 IP addresses were refused 100 times or more, with the winner being at 364 connections refused for having no reverse DNS. This week marks a record, with none of the top 30 refused IPs being in the CBL; three are in the SBL ( and in SBL37385, and in SBL34872).

In other trivia, aka tucksprofessionalservices.com is still trying to spam us. Better luck next incarnation; you've blown this one.

Other stats:

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs     8422          248              357           36
Bad bounces   814           557              87            55

Oh look; massively up compared to the past couple of weeks. I guess spammers are forging us as the MAIL FROM again. 34 different IP addresses tried bad HELOs a hundred times or more; the really big ones are (367 times), (269 times), and (237 times).

spam/SpamSummary-2006-02-11 written at 01:33:18
