Weekly spam summary on March 18th, 2006
The basic volume numbers are that this week, we:
- got 13,909 messages from 248 different IP addresses.
- handled 18,580 sessions from 927 different IP addresses.
- received 195,437 connections from at least 36,864 different IP addresses.
- hit a highwater of 16 connections being checked at once.
These are mostly down from last week, although not as much as I would like to see. Again, the per day table is interesting:
Clearly some people really lit us up on Monday (probably a few very aggressive sources, since the number of different IPs only jumped by a bit over the usual).
Kernel level packet filtering top ten:
Host/Mask          Packets  Bytes
184.108.40.206       10562   513K
220.127.116.11        6375   366K
18.104.22.168/24      4705   239K
22.214.171.124        4200   207K
126.96.36.199         4020   193K
188.8.131.52/10       2434   124K
184.108.40.206        2102   125K
220.127.116.11        1930  92640
18.104.22.168         1876  87543
22.214.171.124        1723   103K
This week is an active one for individual IPs, going back to the days when they dominated the top ten.
- 126.96.36.199 aka the spammer 'save-mihaita.org' reappears from last week. Maybe they've finally given up and gone away.
- also reappears from last week.
- also reappearing from before are 188.8.131.52 (from last week), 184.108.40.206 (from last December), and 220.127.116.11 (from the week before last).
- 18.104.22.168 is another 'firstname.lastname@example.org' spam emitter, and got blocked for that.
- 22.214.171.124 is SPEWS-listed, and on bl.spamcop.net, so I suspect we're not missing much. (Some Googling suggests that it's spewing advance fee fraud spam at a decent clip.)
- 126.96.36.199 is a Philippines IP address without good reverse DNS.
- 188.8.131.52 smells too much like a twtelecom.net 'dialup' dynamic IP address to us. Unfortunately I suspect that 'gen.twtelecom.net' is used by both dynamic-IP customers and static IP businesses, so we may have to stop blocking it someday.
(I hate ISPs who mix-master dynamic customers with static customers. I also hate ISPs that use generic reverse DNS even for static business IP addresses.)
Connection time rejection stats:
24495 total
12785 dynamic IP
 7698 bad or no reverse DNS
 2519 class bl-cbl
  323 class bl-ordb
  174 SKYLIST INC 184.108.40.206/18
  161 class bl-dsbl
  129 class bl-spews
  127 dartmail.net
  102 class bl-sbl
   68 class bl-sdul
   63 class bl-njabl
   23 class bl-opm
I talked about Skylist last week; some Googling (especially in Google Groups) will likely show why we block dartmail.net. This week there were three IP addresses that were refused 100 times or more: 220.127.116.11 (155 times) and 18.104.22.168 and 22.214.171.124 (121 times each). Seven of the top 30 most refused IP addresses are currently in the CBL, four are currently in bl.spamcop.net, and none are in the
[Table: what | # this week (distinct IPs) | # last week (distinct IPs); only the header survives]
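The rejection classes in the stats block above (together with the dynamic-looking reverse DNS discussed earlier for gen.twtelecom.net) amount to a small per-connection decision procedure: is the name dynamic, is there usable reverse DNS, is the IP in a locally blocked netblock or rDNS domain, and which DNSBL lists it. The following is an added Python example, not code from this post or its mail setup. It classifies constructed sample connections whose reverse-DNS and DNSBL results are supplied inline (so it runs offline) and tallies them in the same shape as the block above. The local netblock, the zone names other than bl.spamcop.net, the dynamic-name heuristics and the order of the checks are all assumptions made for the example.

```python
"""Connection-time rejection classifier (added illustration, not the post's code).

Reverse-DNS and DNSBL results are passed in as precomputed data so this runs
offline. Everything except bl.spamcop.net, dartmail.net and gen.twtelecom.net
(all named in the post) is a placeholder chosen for the example.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Local policy tables. The netblock and the non-spamcop zones are hypothetical.
LOCAL_NETBLOCKS = {"EXAMPLE NETBLOCK": ipaddress.ip_network("198.51.100.128/25")}
LOCAL_RDNS_DOMAINS = ("dartmail.net",)
GENERIC_RDNS_SUFFIXES = ("gen.twtelecom.net",)   # generic ISP rDNS, treated as dynamic
DNSBL_ZONES = {                                   # class label -> zone, checked in this order
    "bl-cbl": "cbl.example.invalid",
    "bl-sbl": "sbl.example.invalid",
    "bl-spamcop": "bl.spamcop.net",
}
# Tokens that, as a whole label or a label prefix, suggest a dynamic/dialup name.
DYNAMIC_WORDS = re.compile(
    r"(?:^|[.-])(?:dynamic|dyn|dialup|dial|ppp|dsl|cable|pool|dhcp)(?:[.-]|\d|$)", re.I)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name to look up in a DNSBL zone: the IPv4 octets reversed, under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone


def looks_dynamic(ip: str, rdns: str) -> bool:
    """Heuristic: generic ISP suffix, a dialup-ish token, or the IP spelled into the name."""
    host = rdns.rstrip(".").lower()
    if host.endswith(GENERIC_RDNS_SUFFIXES) or DYNAMIC_WORDS.search(host):
        return True
    octets = ip.split(".")
    for seq in (octets, list(reversed(octets))):      # e.g. 203-0-113-9 or 9.113.0.203
        if re.search(r"[.-]".join(seq), host):
            return True
    return False


def classify(conn: dict) -> Optional[str]:
    """Rejection reason for one connection, or None to accept it.

    conn keys: ip; rdns (None = no PTR record); rdns_confirmed (the PTR name
    resolves back to ip); dnsbl (set of class labels the IP is listed in).
    Check order is an assumption that mirrors the order of the post's block.
    """
    ip, rdns = conn["ip"], conn["rdns"]
    if rdns is not None and looks_dynamic(ip, rdns):
        return "dynamic IP"
    if rdns is None or not conn["rdns_confirmed"]:
        return "bad or no reverse DNS"
    addr = ipaddress.ip_address(ip)
    for name, net in LOCAL_NETBLOCKS.items():
        if addr in net:
            return f"{name} {net}"
    host = rdns.rstrip(".").lower()
    for domain in LOCAL_RDNS_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    for label in DNSBL_ZONES:
        if label in conn["dnsbl"]:
            return f"class {label}"
    return None


def tally(conns) -> Counter:
    """Count rejections per reason plus a 'total' entry, as the post's block does."""
    counts = Counter()
    for conn in conns:
        reason = classify(conn)
        if reason is not None:
            counts["total"] += 1
            counts[reason] += 1
    return counts


# Constructed sample connections using RFC 5737 documentation addresses.
SAMPLE_CONNECTIONS = [
    {"ip": "192.0.2.10", "rdns": "mail.example.com", "rdns_confirmed": True, "dnsbl": set()},
    {"ip": "192.0.2.11", "rdns": "192-0-2-11.pool.example.net", "rdns_confirmed": True, "dnsbl": {"bl-cbl"}},
    {"ip": "198.51.100.7", "rdns": "host7.gen.twtelecom.net", "rdns_confirmed": True, "dnsbl": set()},
    {"ip": "198.51.100.8", "rdns": None, "rdns_confirmed": False, "dnsbl": {"bl-spamcop"}},
    {"ip": "203.0.113.5", "rdns": "static.example.org", "rdns_confirmed": False, "dnsbl": set()},
    {"ip": "203.0.113.6", "rdns": "mx2.example.org", "rdns_confirmed": True, "dnsbl": {"bl-sbl", "bl-spamcop"}},
    {"ip": "198.51.100.200", "rdns": "mx.example.invalid", "rdns_confirmed": True, "dnsbl": set()},
    {"ip": "192.0.2.20", "rdns": "out3.dartmail.net", "rdns_confirmed": True, "dnsbl": set()},
]

if __name__ == "__main__":
    for reason, n in tally(SAMPLE_CONNECTIONS).most_common():
        print(f"{n:5d} {reason}")
```

Note that the first matching check wins, so an IP with no reverse DNS is counted under "bad or no reverse DNS" even when it is also DNSBL-listed; that is why counts like those in the post cannot be read as the number of listed hosts, only as the number rejected for that reason first.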
And finally the Hotmail numbers, because they continue to be pretty good:
- 2 messages accepted; they might even be legitimate ones this time around.
- 1 message rejected because it came from a non-Hotmail email address.
- 27 messages sent to our spamtraps.
- 10 messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (two for being in the CBL and one from Benin).
I'm not completely happy with all these and I'm wary about Hotmail backsliding (again), but I do now have a certain amount of measured hope. Hotmail may actually be taking spam seriously this time around (for however long it lasts before the next change in management priorities).