2006-04-16
Weekly spam summary on April 15th, 2006
This week, we:
- got 12,120 messages from 254 different IP addresses.
- handled 17,527 sessions from 926 different IP addresses.
- received 119,314 connections from at least 38,574 different IP addresses.
- hit a highwater of 17 connections being checked at once.
Volume is way down from last week; in fact it's back to the level I consider fairly quiet (although this volume still has a lot of spam in it). The per day table is not too interesting, except that it shows that last week's Saturday was clearly just the tail off of the huge Friday spike:
| Day | Connections | Different IPs |
| --- | --- | --- |
| Sunday | 17,719 | +7,170 |
| Monday | 23,928 | +6,979 |
| Tuesday | 17,543 | +5,988 |
| Wednesday | 15,999 | +4,026 |
| Thursday | 14,410 | +4,495 |
| Friday | 15,791 | +5,077 |
| Saturday | 13,924 | +4,839 |
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| --- | --- | --- |
| 193.70.192.0/24 | 19724 | 889K |
| 204.2.106.228 | 5040 | 249K |
| 212.216.176.0/24 | 4805 | 241K |
| 61.128.0.0/10 | 4609 | 245K |
| 80.25.131.71 | 4159 | 235K |
| 222.146.58.254 | 3225 | 159K |
| 80.190.233.48 | 2801 | 168K |
| 68.167.80.52 | 2723 | 127K |
| 80.37.150.139 | 2395 | 144K |
| 218.0.0.0/11 | 2243 | 116K |

This is a lot like last week, with the exception that iol.it's and libero.it's mail servers in 193.70.192.0/24 seem to be trying very hard to win some sort of dubious prize. (Based on spam I got on other machines this week, I suspect it's mostly libero.it.)
- 204.2.106.228 and 222.146.58.254 repeatedly tried to send us 'phish' spam.
- 80.25.131.71 reappears from last week. It's still a rima-tde.net dialup-oid machine with a far too generic DNS name. This week it got itself into the SBL for being a phish source, as SBL40228.
- 80.37.150.139 is another generic dialup-oid rima-tde.net machine.
- 80.190.233.48 hasn't improved their DNS from the last time we saw them.
- 68.167.80.52 is a 'dialup' covad.net machine, with a generic DNS name.
Connection time rejection stats:
| Count | Category |
| --- | --- |
| 29379 | total |
| 13606 | dynamic IP |
| 12012 | bad or no reverse DNS |
| 2556 | class bl-cbl |
| 144 | class bl-dsbl |
| 134 | class bl-sdul |
| 127 | class bl-ordb |
| 101 | class bl-sbl |
| 50 | class bl-njabl |
| 43 | class bl-spews |
| 8 | class bl-opm |

Finally, the Skylist Inc-hosted people have gotten the hint and gone away, although they were pretty quiet last week too. I'm a bit surprised that the 'dynamic IP' category has dropped significantly, to almost level with bad/missing reverse DNS.
Out of the top 30 most rejected IP addresses, only one tried it more than 100 times: 83.9.215.189, an adsl.tpnet.pl machine, tried 141 times. Fifteen of the top 30 are currently in the CBL (including 83.9.215.189), eight are currently in bl.spamcop.net, and one is in the SBL (our friend 80.25.131.71, in SBL40228).
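The two tallies above (rejections per category, and the top rejected IPs that crossed a 100-attempt threshold) are the sort of thing produced by a small script over the mail server's reject log. The following is an added example, not code from the original post or from the author's own setup; the `reject <ip> <reason>` log line format and the sample lines are constructed for illustration, and the category names simply mirror the ones in the summary above.

```python
"""Summarise connection-time rejections from a mail-server reject log.

Added example, not part of the original post. The line format
'reject <ip> <reason>' and the sample lines are assumptions
constructed for this example.
"""
from collections import Counter
import re

# Constructed sample log; the format is an assumption, not a real MTA's.
SAMPLE_LOG = """\
reject 192.0.2.10 dynamic IP
reject 192.0.2.10 dynamic IP
reject 198.51.100.7 bad or no reverse DNS
reject 192.0.2.10 class bl-cbl
reject 203.0.113.5 class bl-sbl
reject 198.51.100.7 bad or no reverse DNS
reject 203.0.113.5 class bl-cbl
some unrelated line that should be ignored
"""

LINE_RE = re.compile(r"^reject (\S+) (.+)$")


def parse_rejections(text):
    """Yield (ip, reason) for each well-formed reject line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2).strip()


def summarise(text):
    """Return (total, rejections per reason, rejections per IP)."""
    by_reason = Counter()
    by_ip = Counter()
    total = 0
    for ip, reason in parse_rejections(text):
        total += 1
        by_reason[reason] += 1
        by_ip[ip] += 1
    return total, by_reason, by_ip


def top_rejecters(by_ip, n=30, threshold=100):
    """IPs among the n most-rejected that were rejected more than threshold times.

    The post looks at the top 30 and singles out those over 100 attempts;
    both numbers are parameters here so the test can use a small sample.
    """
    return [(ip, count) for ip, count in by_ip.most_common(n) if count > threshold]


def format_report(total, by_reason):
    """Render the category table in the same 'count category' shape as the post."""
    lines = ["%5d total" % total]
    for reason, count in by_reason.most_common():
        lines.append("%5d %s" % (count, reason))
    return "\n".join(lines)


if __name__ == "__main__":
    total, by_reason, by_ip = summarise(SAMPLE_LOG)
    print(format_report(total, by_reason))
    print("repeat offenders:", top_rejecters(by_ip, n=30, threshold=2))
```

Lines that do not match the assumed format are skipped rather than counted, so the `total` line only reflects rejections the parser actually understood; if you adapt this to a real log, compare that total against `grep -c` on the raw file to catch format drift.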
The Hotmail numbers are even better than last week, and I've read reports in NANAE from other people that have been seeing the same thing. At this rate I may have to drop this report because it's too boring. This week:
- 14 messages accepted, from a wide variety of addresses this time around because we had a system event that led to quite a few students emailing us.
- 2 messages rejected because they came from non-Hotmail email addresses.
- no messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one in the CBL, one from Gilat Satcom).
Of course, Hotmail's problems are not over, seeing as how one of the rejected emails was from a user called 'masmegamilottery9'. Um, Hotmail, are you paying attention here?
And the final set of numbers:
| What | # this week | (distinct IPs) | # last week | (distinct IPs) |
| --- | --- | --- | --- | --- |
| Bad HELOs | 709 | 63 | 872 | 79 |
| Bad bounces | 70 | 53 | 92 | 66 |
I could be optimistic about a slight drop, but why bother? I'd just have to be gloomy next week (or the week after, or whenever).