Weekly spam summary on June 3rd, 2006
This week, we:
- got 11,560 messages from 225 different IP addresses.
- handled 16,969 sessions from 1005 different IP addresses.
- received 135,139 connections from at least 46,180 different IP addresses.
- hit a highwater of 12 connections being checked at once.
Apart from slightly higher numbers of IP addresses talking to us this week, this is a clone of last week's numbers. Since the per-day volume fluctuated, I'll include the table this week:
This isn't a major fluctuation as those go; clearly things are a bit random. (Perhaps one day I will add deliveries by day to this table, although it's harder to construct.)
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
|---|---|---|
| 18.104.22.168 | 17288 | 879K |
| 22.214.171.124 | 7490 | 360K |
| 126.96.36.199 | 5555 | 283K |
| 188.8.131.52/24 | 5080 | 305K |
| 184.108.40.206/10 | 4282 | 214K |
| 220.127.116.11/11 | 4014 | 200K |
| 18.104.22.168/24 | 3588 | 183K |
| 22.214.171.124/11 | 3413 | 171K |
| 126.96.36.199 | 2800 | 134K |
| 188.8.131.52 | 2629 | 123K |
Overall this seems quieter than last week, although there's one obvious huge exception.
- 184.108.40.206 is a QWEST IP address that kept HELO'ing as 'yinyang', with no domain name or anything. Declined.
- 220.127.116.11 and 18.104.22.168 return from last week, evidently still not done yet.
- 22.214.171.124 and 126.96.36.199 are CBL-listed and gave us bad HELO names on top of it.
188.8.131.52/24 is an outdated and now erroneous listing I just noticed now. Whoops. (See, there's more than one reason for me to do these summaries. Finding such outdated listings is one of those generic problems, partly because I never built an infrastructure to manage it all when I set these things up.)
Connection time rejection stats:
44525 total
21085 bad or no reverse DNS
19378 dynamic IP
 2400 class bl-cbl
  322 class bl-sdul
  233 class bl-dsbl
  153 class bl-spews
  142 class bl-sbl
  131 class bl-njabl
   68 class bl-ordb
Rejections are up on last week, and more than I'd expect from
the slight overall traffic growth. 24 of the top 30 most rejected
IP addresses had more than 100 rejections, with the champion being
184.108.40.206 (382 times); our friend 220.127.116.11 is the runner up
with 379 rejections. 24 of the top 30 are currently in the CBL and 10
are currently in
Hotmail stats are low but not groovy:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 10 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 1 message refused due to its origin IP address being part of Gilat-Satcom.
Meanwhile Yahoo continues to slap us with the spam trout, although I have yet to write a script to generate numbers for how badly.
The last set of numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Once again there were several bounces to our friend the 38-digit
hex string, plus to a number of real (ex) usernames, plus random
ones. The new pattern this week is bounces to all-digit usernames
of various lengths, ranging from