2006-07-23
Weekly spam summary on July 22nd, 2006
We rebooted this server Monday around 6:50pm, so a number of the stats are truncated this week. Having said that, this week, we:
- got 11,369 messages from 257 different IP addresses.
- handled 15,931 sessions from 851 different IP addresses.
- received 87,698 connections from at least 31,657 different IP addresses since Monday evening.
- hit a highwater of 6 connections being checked at once since Monday evening.
It appears as if this week's connection volume is down significantly from last week. I have no particularly good explanation why, but I like it.
Kernel level packet filtering top ten since Monday evening:
Host/Mask | Packets | Bytes |
213.4.149.12 | 9132 | 475K |
81.88.225.210 | 7796 | 428K |
218.0.0.0/11 | 6990 | 340K |
212.216.176.0/24 | 4960 | 248K |
210.54.141.0/24 | 4303 | 207K |
61.128.0.0/10 | 3196 | 168K |
129.206.210.211 | 2969 | 129K |
72.244.103.210 | 2488 | 116K |
128.121.94.189 | 2318 | 114K |
204.181.35.187 | 2145 | 109K |
- 213.4.149.12 returns from last week.
- 81.88.225.210 is mailupnet.it aka mailup.info aka people we have no interest in ever accepting email from again.
- 129.206.210.211 and 128.121.94.189 both hit our spamtraps and kept on sending, likely with phish spam in both cases.
- 72.244.103.210 is something we consider a covad.net 'dialup' machine.
- 204.181.35.187 is on the NJABL.
Connection time rejection stats, from Monday evening:
- 27275 total
- 11820 dynamic IP
- 11820 bad or no reverse DNS
- 1696 class bl-cbl
- 591 mailup.info
- 243 class bl-njabl
- 207 dartmail.net
- 118 class bl-sdul
- 108 class bl-dsbl
- 92 class bl-sbl
- 58 class bl-spews
- 42 class bl-ordb
Five of the top 30 most rejected IP addresses were rejected more than 100 times; the winner is 81.88.225.210, rejected 591 times. 13 of the top 30 are currently in the CBL, six are currently in bl.spamcop.net, and one, 213.154.94.190, is in the SBL as part of SBL21129. It's an advance fee fraud spam source, of course.
Hotmail is backsliding. This week, it had:
- no messages accepted.
- 2 messages rejected because they came from non-Hotmail email addresses.
- 14 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address being in the SBL. All three came from 66.178.40.27, in SBL27471, which has been listed since February 7th. Worse, the SBL page shows evidence of spam through Hotmail as far back as September 10th 2005.
I am especially displeased by the 'rejected for being in the SBL' messages.
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 307 | 45 | 1422 | 70 |
Bad bounces | 38 | 34 | 127 | 108 |
I'm pleased to see this drop; evidently last week was just exceptional.
For the first time in a while, none of the various 38-character hex strings got any bounces. Instead, everything went to all of the other usual suspects.
(I am short on sleep, so this summary is more uninspired than usual.)