Weekly spam summary on September 30th, 2006
This week, we:
- got 15,751 messages from 307 different IP addresses.
- handled 19,911 sessions from 1,047 different IP addresses.
- received 154,477 connections from at least 38,870 different IP addresses.
- hit a highwater of 9 connections being checked at once.
This is all about the same level as last week, or at most down a little bit. Oddly, we show a bit of a volume jump towards the end of the week:
Kernel level packet filtering top ten:
Host/Mask           Packets   Bytes
184.108.40.206        56881   2958K
220.127.116.11         6818    347K
18.104.22.168          4744    285K
22.214.171.124         3380    203K
126.96.36.199          3189    153K
188.8.131.52           3188    153K
184.108.40.206         3132    188K
220.127.116.11         2988    143K
18.104.22.168/11       2897    141K
22.214.171.124         2742    165K
Apart from first place, this is about the same sort of volume as last week.
- 126.96.36.199 continues its stranglehold on first place from last week.
- 188.8.131.52, 184.108.40.206, and 220.127.116.11 also return from last week.
- 18.104.22.168 did the now-usual thing of trying to keep sending us stuff that had already hit our spamtraps.
- 22.214.171.124 reappears from August, still with a bad
- 126.96.36.199 is an NTL cablemodem.
- 188.8.131.52 is a 'Wanadoo Jordan' IP address with no reverse DNS (and also is in relays.ordb.org).
- 184.108.40.206 is a poczta.onet.pl machine, and we don't talk to them.
Connection time rejection stats:
34465 total
17779 dynamic IP
13422 bad or no reverse DNS
 1868 class bl-cbl
  403 class bl-dsbl
  215 class bl-sdul
  153 class bl-njabl
  130 class bl-spews
   45 class bl-ordb
   23 cuttingedgemedia.com
   16 class bl-sbl
Twelve out of the top 30 most rejected IP addresses were rejected 100 times or more, with the champion being 220.127.116.11 (196 times, for being a Verizon dynamic IP). 18 of the top 30 are currently in the CBL, and 9 are currently in bl.spamcop.net; this week, none are in the SBL.
This week's Hotmail stats are reasonably good:
- 9 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 28 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address.
Seven of the accepted messages were legitimate, but the remaining two were advance fee fraud spam (sent from 18.104.22.168, a Malaysian IP address that's probably a tm.net.my ADSL line).
(The high number of actual messages is due to the usual cause: a student-facing system had a glitch and students promptly mailed in to tell people about it.)
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
I'm not really happy to see these numbers climbing, but at least they're not really bad; it's still at the drip-drip level, instead of a flood. There are no particularly big spike sources of either, although the largest single source of bounces appears to have been a spammer trying a new trick to get their messages through.
The bounces were all over, including bounces to last week, but the majority were to made-up usernames of the form <first>_<last>, where the first and last names looked like randomly chosen female-sounding Russian names; a representative example
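The bounce pattern described in this entry, a run of bounces addressed to nonexistent `<first>_<last>` usernames at our domain, is easy to pick out of a mail log once you look for it. As an added example that is not part of the original post, the Python below tallies bounce recipients from a few constructed log lines and separates real local users from recipients that fit the made-up-name shape. The log line format (`<timestamp> bounce to=<address>`), the sample addresses and the `KNOWN_USERS` set are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample of bounce-delivery log lines; these are not from the
# original post, and the line format ("<timestamp> bounce to=<address>")
# is an assumption made for this example.
SAMPLE_LOG = """\
2006-09-28T10:01:02 bounce to=Olga_Ivanova@example.org
2006-09-28T10:01:05 bounce to=cks@example.org
2006-09-28T10:02:11 bounce to=svetlana_petrova@example.org
2006-09-28T10:03:40 bounce to=natasha_sokolova@example.org
2006-09-28T10:04:01 bounce to=postmaster@example.org
2006-09-28T10:05:17 bounce to=irina_kuznetsova@example.org
2006-09-28T10:06:02 bounce to=olga_ivanova@example.org
2006-09-28T10:07:30 this line is unrelated noise
"""

# Local users that actually exist (constructed for this example).
KNOWN_USERS = {"cks", "postmaster"}

LINE_RE = re.compile(r"bounce to=(?P<local>[^@\s]+)@(?P<domain>\S+)")
# <first>_<last>: two runs of letters joined by a single underscore.
MADEUP_RE = re.compile(r"^[a-z]+_[a-z]+$")


def classify_bounces(log_text, known_users):
    """Split bounce recipients into three Counters keyed by lowercased
    local-part: 'known' (a real local user), 'suspect' (fits the
    <first>_<last> shape and is not a real user), and 'other'."""
    buckets = {"known": Counter(), "suspect": Counter(), "other": Counter()}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a bounce record; ignore it
        local = m.group("local").lower()
        if local in known_users:
            buckets["known"][local] += 1
        elif MADEUP_RE.match(local):
            buckets["suspect"][local] += 1
        else:
            buckets["other"][local] += 1
    return buckets


def suspect_share(log_text, known_users):
    """Fraction of bounce records addressed to suspect made-up usernames.
    A value near 1.0 over a window points at a forged-sender run rather
    than ordinary bounces to real users."""
    b = classify_bounces(log_text, known_users)
    total = sum(sum(c.values()) for c in b.values())
    return sum(b["suspect"].values()) / total if total else 0.0


if __name__ == "__main__":
    buckets = classify_bounces(SAMPLE_LOG, KNOWN_USERS)
    for name, counter in buckets.items():
        print(name, dict(counter))
    print("suspect share: %.2f" % suspect_share(SAMPLE_LOG, KNOWN_USERS))
```

The point of the `suspect` bucket is that bounces to addresses that never existed cannot be anything but backscatter from forged sender addresses, so counting them separately from bounces to real users gives a cleaner signal than the raw bounce total.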