Wandering Thoughts archives


Weekly spam summary on June 3rd, 2006

This week, we:

  • got 11,560 messages from 225 different IP addresses.
  • handled 16,969 sessions from 1005 different IP addresses.
  • received 135,139 connections from at least 46,180 different IP addresses.
  • hit a highwater of 12 connections being checked at once.

Apart from slightly higher numbers of IP addresses talking to us this week, this is a clone of last week's numbers. Since the per-day volume fluctuated, I'll include the table this week:

  Day         Connections   different IPs
  Sunday      14,968        +6,360
  Monday      22,460        +6,890
  Tuesday     20,133        +6,642
  Wednesday   21,142        +7,553
  Thursday    17,879        +5,624
  Friday      20,882        +7,370
  Saturday    17,675        +5,741

This isn't a major fluctuation as those go; clearly things are a bit random. (Perhaps one day I will add deliveries by day to this table, although it's harder to construct.)

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
                      17288     879K
                      7490      360K
                      5555      283K
                      5080      305K
                      4282      214K
                      4014      200K
                      3588      183K
                      3413      171K
                      2800      134K
                      2629      123K

Overall this seems quieter than last week, although there's one obvious huge exception.

  • is a QWEST IP address that kept HELO'ing as 'yinyang', with no domain name or anything. Declined.
  • and return from last week, evidently still not done yet.
  • and are CBL-listed and gave us bad HELO names on top of it. is an outdated and now erroneous listing I just noticed now. Whoops. (See, there's more than one reason for me to do these summaries. Finding such outdated listings is one of those generic problems, partly because I never built an infrastructure to manage it all when I set these things up.)

Connection time rejection stats:

  44525 total
  21085 bad or no reverse DNS
  19378 dynamic IP
   2400 class bl-cbl
    322 class bl-sdul
    233 class bl-dsbl
    153 class bl-spews
    142 class bl-sbl
    131 class bl-njabl
     68 class bl-ordb

Rejections are up on last week, and more than I'd expect from the slight overall traffic growth. 24 of the top 30 most rejected IP addresses had more than 100 rejections, with the champion being (382 times); our friend is the runner up with 379 rejections. 24 of the top 30 are currently in the CBL and 10 are currently in bl.spamcop.net.

Hotmail stats are low but not groovy:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 10 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 1 message refused due to its origin IP address being part of Gilat-Satcom.

Meanwhile Yahoo continues to slap us with the spam trout, although I have yet to write a script to generate numbers for how badly.

The last set of numbers:

  what          # this week   (distinct IPs)   # last week   (distinct IPs)
  Bad HELOs     288           69               462           64
  Bad bounces   27            23               18            16

Once again there were several bounces to our friend the 38-digit hex string, plus to a number of real (ex) usernames, plus random ones. The new pattern this week is bounces to all-digit usernames of various lengths, ranging from 03 to 41291175.

spam/SpamSummary-2006-06-03 written at 02:14:26