Weekly spam summary on April 15th, 2006
This week, we:
- got 12,120 messages from 254 different IP addresses.
- handled 17,527 sessions from 926 different IP addresses.
- received 119,314 connections from at least 38,574 different IP addresses.
- hit a highwater of 17 connections being checked at once.
Volume is way down from last week; in fact it's back to the level I consider fairly quiet (although this volume still has a lot of spam in it). The per day table is not too interesting, except that it shows that last week's Saturday was clearly just the tail off of the huge Friday spike:
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
188.8.131.52/24        19724    889K
184.108.40.206          5040    249K
220.127.116.11/24       4805    241K
18.104.22.168/10        4609    245K
22.214.171.124          4159    235K
126.96.36.199           3225    159K
188.8.131.52            2801    168K
184.108.40.206          2723    127K
220.127.116.11          2395    144K
18.104.22.168/11        2243    116K
This is a lot like last week, with the exception that libero.it's mail servers in 22.214.171.124/24 seem to be trying very hard to win some sort of dubious prize. (Based on spam I got on other machines this week, I suspect it's mostly
- 126.96.36.199 and 188.8.131.52 repeatedly tried to send us 'phish' spam.
- 184.108.40.206 reappears from last week. It's still a rima-tde.net dialup-oid machine with a far too generic DNS name. This week it got itself into the SBL for being a phish source, as SBL40228.
- 220.127.116.11 is another generic dialup-oid rima-tde.net machine.
- 18.104.22.168 hasn't improved their DNS from the last time we saw them.
- 22.214.171.124 is a 'dialup' covad.net machine, with a generic DNS name.
Connection time rejection stats:
29379 total
13606 dynamic IP
12012 bad or no reverse DNS
 2556 class bl-cbl
  144 class bl-dsbl
  134 class bl-sdul
  127 class bl-ordb
  101 class bl-sbl
   50 class bl-njabl
   43 class bl-spews
    8 class bl-opm
Finally Skylist Inc hosted people have gotten the hint and gone away, although they were pretty quiet last week too. I'm a bit surprised that the 'dynamic IP' category has dropped significantly, almost level with bad/missing reverse DNS.
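The categories in that table correspond to three connection-time checks: does the connecting IP have a reverse DNS name that forward-resolves back to it, does that name look like a generic dialup or dynamic-pool name, and is the IP listed in any of the DNSBLs. The following is an added example (not the mail server's own code) of how such a classifier can be put together. Everything in it is an assumption: the DNS answers and DNSBL zone contents are a constructed in-memory table so it runs offline, the zone names ending in .example are placeholders for real DNSBL zones, the keyword list for "dynamic-looking" names is a heuristic I chose, and the order in which the checks are applied is mine rather than something the report states. The one piece that is standard is the DNSBL query form: the IP's octets reversed, followed by the zone (RFC 5782), with a listing answered by an address in 127.0.0.0/8.

```python
"""Connection-time rejection classifier.  Added example, not the original
server's code.  All DNS data below is constructed for the demonstration."""
import ipaddress
import re
from collections import Counter

# Constructed PTR (reverse) answers.  192.0.2.40 deliberately has none.
PTR = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "adsl-192-0-2-20.example-isp.net",   # generic dynamic name
    "192.0.2.30": "host30.example.org",                # forward lookup will not confirm it
    "192.0.2.50": "mx1.example.com",
    "192.0.2.60": "smtp.example.edu",
}
# Constructed A (forward) answers used for forward-confirmed reverse DNS.
A = {
    "mail.example.net": {"192.0.2.10"},
    "adsl-192-0-2-20.example-isp.net": {"192.0.2.20"},
    "host30.example.org": {"198.51.100.1"},
    "mx1.example.com": {"192.0.2.50"},
    "smtp.example.edu": {"192.0.2.60"},
}
# Placeholder DNSBL zones (assumed names), checked in this order.
ZONES = [("cbl", "cbl.example"), ("sbl", "sbl.example"), ("dsbl", "dsbl.example")]
# Constructed zone contents keyed by the full query name; values are the
# conventional 127.0.0.x listing codes.  A real client would do a DNS
# A-record lookup of the query name instead of a dict lookup.
DNSBL = {
    "60.2.0.192.cbl.example": "127.0.0.2",
    "50.2.0.192.sbl.example": "127.0.0.2",
}

# Heuristic (my choice): tokens commonly found in dialup / dynamic-pool names.
DYNAMIC_WORDS = re.compile(
    r"(?:^|[.-])(?:adsl|dsl|dial(?:up)?|dyn(?:amic)?|ppp|cable|pool)(?=[.-]|\d|$)",
    re.IGNORECASE,
)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """RFC 5782 query name: octets reversed, then the zone name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def forward_confirmed(ip: str, name: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    return ip in A.get(name, set())


def looks_dynamic(ip: str, name: str) -> bool:
    """Generic-name heuristic: a dynamic keyword, or the IP's own octets
    embedded in the name (e.g. adsl-192-0-2-20...)."""
    if DYNAMIC_WORDS.search(name):
        return True
    octets = ip.split(".")
    embedded = r"(?<!\d)" + r"[.-]".join(map(re.escape, octets)) + r"(?!\d)"
    return re.search(embedded, name) is not None


def classify(ip: str) -> str:
    """Return the rejection category, using the report's labels, or 'accepted'.
    Check order is an assumption: cheap local DNS tests first, DNSBLs last."""
    name = PTR.get(ip)
    if name is None:
        return "bad or no reverse DNS"
    if looks_dynamic(ip, name):
        return "dynamic IP"
    if not forward_confirmed(ip, name):
        return "bad or no reverse DNS"
    for label, zone in ZONES:
        if dnsbl_query_name(ip, zone) in DNSBL:
            return "class bl-" + label
    return "accepted"


def tally(ips) -> Counter:
    """Per-category counts in the shape of the weekly rejection table."""
    return Counter(classify(ip) for ip in ips)


# Constructed sample of connecting IPs.
SAMPLE_IPS = ["192.0.2.10", "192.0.2.20", "192.0.2.30",
              "192.0.2.40", "192.0.2.50", "192.0.2.60"]

if __name__ == "__main__":
    for category, count in tally(SAMPLE_IPS).most_common():
        print(f"{count:5d} {category}")
```

Only the DNSBL hits cost a network round trip, so checking reverse DNS first (as above) keeps the expensive lookups for connections that survive the local tests; the report's own table does not say which order its checks run in.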
Out of the top 30 most rejected IP addresses, only one tried it more than 100 times: 126.96.36.199, an adsl.tpnet.pl machine, tried 141 times. Fifteen of the top 30 are currently in the CBL (including 188.8.131.52), eight are currently in bl.spamcop.net, and one is in the SBL (our friend 184.108.40.206, in SBL40228).
The Hotmail numbers are even better than last week, and I've read reports in NANAE from other people that have been seeing the same thing. At this rate I may have to drop this report because it's too boring. This week:
- 14 messages accepted, from a wide variety of addresses this time around because we had a system event that led to quite a few students emailing us.
- 2 messages rejected because they came from non-Hotmail email addresses.
- no messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one in the CBL, one from Gilat Satcom).
Of course, Hotmail's problems are not over, seeing as how one of the rejected emails was from a user called 'masmegamilottery9'. Um, Hotmail, are you paying attention here?
And the final set of numbers:
what                       # this week (distinct IPs)   # last week (distinct IPs)
I could be optimistic about a slight drop, but why bother? I'd just have to be gloomy next week (or the week after, or whenever).