Weekly spam summary on April 15th, 2006
This week, we:
- got 12,120 messages from 254 different IP addresses.
- handled 17,527 sessions from 926 different IP addresses.
- received 119,314 connections from at least 38,574 different IP addresses.
- hit a highwater of 17 connections being checked at once.
Volume is way down from last week; in fact it's back to the level I consider fairly quiet (although this volume still has a lot of spam in it). The per day table is not too interesting, except that it shows that last week's Saturday was clearly just the tail off of the huge Friday spike:
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
184.108.40.206/24      19724    889K
220.127.116.11          5040    249K
18.104.22.168/24        4805    241K
22.214.171.124/10       4609    245K
126.96.36.199           4159    235K
188.8.131.52            3225    159K
184.108.40.206          2801    168K
220.127.116.11          2723    127K
18.104.22.168           2395    144K
22.214.171.124/11       2243    116K
This is a lot like last week, with the exception that libero.it's mail servers in 126.96.36.199/24 seem to be trying very hard to win some sort of dubious prize. (Based on spam I got on other machines this week, I suspect it's mostly
- 188.8.131.52 and 184.108.40.206 repeatedly tried to send us 'phish' spam.
- 220.127.116.11 reappears from last week. It's still a rima-tde.net dialup-oid machine with a far too generic DNS name. This week it got itself into the SBL for being a phish source, as SBL40228.
- 18.104.22.168 is another generic dialup-oid rima-tde.net machine.
- 22.214.171.124 hasn't improved their DNS from the last time we saw them.
- 126.96.36.199 is a 'dialup' covad.net machine, with a generic DNS name.
Connection time rejection stats:
29379 total
13606 dynamic IP
12012 bad or no reverse DNS
 2556 class bl-cbl
  144 class bl-dsbl
  134 class bl-sdul
  127 class bl-ordb
  101 class bl-sbl
   50 class bl-njabl
   43 class bl-spews
    8 class bl-opm
Finally, the Skylist Inc-hosted people have gotten the hint and gone away, although they were pretty quiet last week too. I'm a bit surprised that the 'dynamic IP' category has dropped significantly, to almost level with bad/missing reverse DNS.
Out of the top 30 most rejected IP addresses, only one tried it more than 100 times: 188.8.131.52, an adsl.tpnet.pl machine, tried 141 times. Fifteen of the top 30 are currently in the CBL (including 184.108.40.206), eight are currently in bl.spamcop.net, and one is in the SBL (our friend 220.127.116.11, in SBL40228).
The Hotmail numbers are even better than last week, and I've read reports in NANAE from other people who have been seeing the same thing. At this rate I may have to drop this report because it's too boring. This week:
- 14 messages accepted, from a wide variety of addresses this time around because we had a system event that led to quite a few students emailing us.
- 2 messages rejected because they came from non-Hotmail email addresses.
- no messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one in the CBL, one from Gilat Satcom).
Of course, Hotmail's problems are not over, seeing as how one of the rejected emails was from a user called 'masmegamilottery9'. Um, Hotmail, are you paying attention here?
And the final set of numbers:
what                  # this week (distinct IPs)   # last week (distinct IPs)
I could be optimistic about a slight drop, but why bother? I'd just have to be gloomy next week (or the week after, or whenever).