Weekly spam summary on March 4th, 2006
It's time for another weekly spam summary. First, let's look at Hotmail, which turns out to be running roughly the same as last week:
- no messages accepted.
- 12 messages rejected because they came from non-Hotmail email addresses.
- 49 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 6 messages refused due to their origin IP address (two in the SBL, one in each of the XBL and the CBL, one from Nigeria, and one from SAIX).
Hotmail might get points, except for two things: first, the spamtrap hits still show that far too much spam is coming from Hotmail, and second, Hotmail started letting their webmail spammers use 'firstname.lastname@example.org' addresses this week. I feel for the Sympatico users who are about to get their email dumped by all sorts of people as a result of this.
The basic volume numbers:
- got 13,466 messages from 215 different IP addresses.
- handled 17,446 sessions from 769 different IP addresses.
- received 122,475 connections from at least 43,529 different IP addresses.
- a highwater of 11 connections being checked at once.
All of this is slightly down from last week (except for the highwater, which means we had a larger burst of connections some time this week). The per day numbers are remarkably flat:
I have no explanation for the dip on Wednesday.
Kernel level packet filtering top ten:
    Host/Mask            Packets   Bytes
    18.104.22.168           7106    361K
    22.214.171.124/10       4000    211K
    126.96.36.199/24        3980    193K
    188.8.131.52            2914    175K
    184.108.40.206          2242    103K
    220.127.116.11/11       2123    109K
    18.104.22.168           2017   92872
    22.214.171.124/12       1964    101K
    126.96.36.199           1961   94128
    188.8.131.52/13         1908   97452
- 184.108.40.206 tripped our spamtrap detectors and then kept on mailing, I believe with phish email.
- 220.127.116.11 and 18.104.22.168 reappear from last week.
- 22.214.171.124 is a Turkish IP address that's on the CBL.
- 126.96.36.199 is a Kazakhstan IP address in dnsbl.njabl.org as an open relay.
Connection time rejection stats:
    25306 total
    12030 dynamic IP
     9292 bad or no reverse DNS
     2784 class bl-cbl
      292 class bl-ordb
      179 class bl-dsbl
      121 class bl-spews
      104 class bl-sbl
       98 class bl-sdul
       43 class bl-njabl
       27 class bl-opm
Only one IP address, 188.8.131.52, was refused more than 100 times.
Thirteen of the top 30 most refused IPs are currently in the CBL and eight are currently in bl.spamcop.net; none are in the SBL.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
This is about back to the old low numbers at last. The leading contestant in the bad HELO numbers is 184.108.40.206 (claiming to be webserver.nss.local), with 141 rejections.