Weekly spam summary on May 27th, 2006
This week, we:
- got 11,513 messages from 227 different IP addresses.
- handled 18,277 sessions from 912 different IP addresses.
- received 133,583 connections from at least 42,540 different IP addresses.
- hit a highwater of 8 connections being checked at once.
This is about the same as last week. Tuesday, Wednesday, and Thursday were the busiest days this week for connections; I suppose that's not too surprising. (Interesting, email received peaked on Tuesday but connections peaked on Wednesday.)
Kernel level packet filtering top ten:
Host/Mask           Packets   Bytes
18.104.22.168          9190    441K
22.214.171.124         8320    423K
126.96.36.199          8173    403K
188.8.131.52           7246    357K
184.108.40.206         5729    283K
220.127.116.11         4480    215K
18.104.22.168/10       4443    221K
22.214.171.124         4321    259K
126.96.36.199/24       3905    234K
188.8.131.52           3768    241K
Overall this is significantly up from last week, although the leader is lower this time around; maybe they've finally given up hammering on us after several weeks.
- 184.108.40.206 and 220.127.116.11 return from last week; the former is now on the CBL, among other places.
- 18.104.22.168, 22.214.171.124, and 126.96.36.199 all tried to shovel phish spam at us to an extent that we blocked them. Since all of them used the same MAIL FROM of 'email@example.com', they may all be being exploited by the same spammer.
- 188.8.131.52 is in NJABL.
- 184.108.40.206 is a poczta.onet.pl mail sending machine; we have blocked all of poczta.onet.pl here due to advance fee fraud spam email.
- 220.127.116.11 is in SPEWS as part of a Rostelecom listing.
Connection time rejection stats:
37733 total
17223 bad or no reverse DNS
15812 dynamic IP
 2497 class bl-cbl
  560 class bl-njabl
  493 class bl-dsbl
  235 class bl-sdul
  146 class bl-spews
   79 class bl-ordb
   72 class bl-sbl
Fourteen out of the top 30 most rejected IP addresses were rejected more than 100 times; the champion is of course 18.104.22.168 (622 times before it wound up back in the kernel IP filters), with 22.214.171.124 next (265 times, for not having any reverse DNS and being in a pile of DNSBLs). 19 of the top 30 are currently in the CBS, and seven are currently in
Hotmail has probably improved compared to last week; the numbers are:
- 2 messages accepted.
- 3 messages rejected because they came from non-Hotmail email addresses.
- 5 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address being in the CBL.
This is less overall spam than last week, but a more diverse set of reasons for it being rejected.
And the last set of numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Unlike last week, there's nothing from btconnect.com; either they've stopped mailing us for now or they've fixed the problem (I know which option I'm betting on).
The most frequent target of bad bounces was the 38-digit hex string from before, at 5 bounces (all from Demon Internet machines). Apart from that it was almost all to usernames here that used to exist, apart from one to costauvqaagmlp and one to