Weekly spam summary on April 8th, 2006
This week, we:
- got 12,551 messages from 234 different IP addresses.
- handled 17,960 sessions from 979 different IP addresses.
- received 444,512 connections from at least 44,262 different IP addresses.
- hit a highwater of 50 connections being checked at once; 50 is the maximum number allowed.
Mail received and SMTP session volume is down a bit from last week, but connection volume has spiked to huge levels. The per day chart tells the story:
All I can say is yow. On Friday we had more connections than we usually have all week, and it's still going on today. Interestingly, the simultaneous connections highwater was hit Saturday, not Friday. (I don't have any explanation for the dip on Thursday; as usual, I could do with a program guide to the spammer show.)
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 220.127.116.11/24 7552 374K 18.104.22.168 5182 293K 22.214.171.124/10 4314 219K 126.96.36.199 4261 210K 188.8.131.52/12 3612 176K 184.108.40.206 3013 145K 220.127.116.11 2928 149K 18.104.22.168 2638 130K 22.214.171.124 2278 116K 126.96.36.199 2271 109K
Overall this is actually down from last week. The specific IPs:
- 188.8.131.52 is a rima-tde.net IP that we put into the 'dialup' class because its hostname looks too generic.
- 184.108.40.206 and 220.127.116.11 both dinged us with apparent phish spam and then kept going (and going and going) once we blocked them.
- 18.104.22.168 is a Cox cablemodem or something.
- 22.214.171.124 is an Indian IP address with no reverse DNS.
- 126.96.36.199 sent too many bad
HELOnames our way. (It's been a while since any bad
HELOpeople were prolific enough to make the list.)
- 188.8.131.52 reappears from last week and many weeks before that. Perhaps someday datadragon.net (I think) will actually have working reverse DNS, and not be SBL39201, and thus the ability to talk to our SMTP server.
Connection time rejection stats:
33348 total 16907 dynamic IP 11962 bad or no reverse DNS 2989 class bl-cbl 349 class bl-ordb 164 class bl-dsbl 88 class bl-sdul 86 class bl-sbl 74 class bl-njabl 73 class bl-spews 39 SKYLIST INC 184.108.40.206/18 13 class bl-opm
Overall rejections are actually down from last week. I'm not sure what this means; zombies that retried a couple of times, but not enough to get past our greylisting into the actual rejections?
Out of the top 30 most rejected IP addresses, only three were
rejected 100 times or more: 220.127.116.11 (140 times), 18.104.22.168
(126 times), and 22.214.171.124 (123 times). Sixteen of the top 30
are currently in the CBL, four are currently in
and one, our friend 126.96.36.199, is in the SBL.
The Hotmail numbers:
- 14 messages accepted, again mostly from one real user.
- 4 messages rejected because they came from non-Hotmail email addresses.
- no messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (two in the CBL, one in SBL20693).
These are quite good numbers. Better yet Hotmail seems to have stopped letting spammers use @sympatico.ca email addresses, which is good news for Sympatico customers.
And finally, one last set of stats:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
We're basically in a holding pattern on these; I think it's hit the background noise level.