Weekly spam summary on December 2nd, 2006
Our SMTP frontend crashed and restarted today at 2:51pm, which means that some stats are a little bit distorted. This week, we:
- got 15,320 messages from 276 different IP addresses.
- handled 21,412 sessions from 1,467 different IP addresses.
- received 217,984 connections from at least 66,248 different IP addresses up until this morning at 4am, and 11,150 connections from at least 4,184 different IP addresses since 2:51pm.
- hit a highwater of 50 connections being checked at once by 4am this morning (and a less impressive highwater of 9 since 2:51pm).
Connection count is up from last week, although nothing else really is. Removing today from the per-day table, we have:
This is more see-sawing than we usually see, especially on Sunday. The highwater of 50 simultaneous connections was set on Thursday, which isn't too surprising.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 188.8.131.52/27 38955 2337K 184.108.40.206/24 29146 1749K 220.127.116.11 13032 625K 18.104.22.168 5965 358K 22.214.171.124 5039 269K 126.96.36.199/24 3996 199K 188.8.131.52 3975 239K 184.108.40.206 3896 234K 220.127.116.11 3454 166K 18.104.22.168 3369 162K
- 22.214.171.124/27 is SBL48200, returning from last week and now earning a place in our permanent blocks.
- 126.96.36.199/24 is centrum.cz, also returning and also earning a permanent block.
- 188.8.131.52 also returns from last week, still a PacBell DSL line. Evidently it really, really wants to talk to us.
- 184.108.40.206 and 220.127.116.11 are both generic 'dynamic' IPs, from easnet.fr and telecomitalia.it respectively.
- 18.104.22.168 aka by.ru spent too much trying to send us spam that had already hit our spamtraps.
- 22.214.171.124 kept trying a bad
- 126.96.36.199 is in the CBL. I note with interest that despite being called 'mx03.simon-mx.com', the netblock it is in allegedly belongs to 'IMARKETING CONSULTANTS' (under PaeTec), allegedly located in Florida.
Connection time rejection stats:
70836 total 45848 dynamic IP 17887 bad or no reverse DNS 5198 class bl-cbl 645 class bl-sdul 250 class bl-dsbl 90 class bl-sbl 61 class bl-njabl 58 class bl-spews 22 class bl-ordb
As I sometime like to say, yow! This may be the highest rejection count we've ever had, and it certainly seems like a significant spam storm hit us this week. The most active sources of dynamic IPs are:
3064 rr.com 2336 proxad.net 1817 retail.telecomitalia.it 1623 comcast.net 1553 ono.com 1423 dynamicip.rima-tde.net 1383 user.auna.net 1312 verizon 1209 wanadoo.fr 1118 charter.com
Only two of the top 30 most rejected IP addresses were rejected 100
times or more: 188.8.131.52 (135 times, rejected for being a LACNIC
IP address with no reverse DNS) and our friend 184.108.40.206 (130
times). 21 of the top 30 are currently in the CBL and 9 are currently in
This week, Hotmail managed:
- 1 message accepted.
- 1 message rejected because it came from a non-Hotmail email address (in this case an address at 'alliedpersonelsvcinc.co.uk').
- 28 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 1 messages refused due to its origin IP address being in the Cote d'Ivoire.
This is better than last week, but that's still not saying very much.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The clear winner in the bad
HELO sweepstakes is 220.127.116.11,
with 136 attempts before it got blocked. No one won the bad bounces
sweepstakes; as you can guess from the numbers, only a very few places
even sent us more than one.
This week the first_last login name pattern bounces went away almost completely. What's left is primarily plausible usernames (generally not ones that were ever valid here), leavened with a few alphanumeric jumbles.