2006-12-23
Weekly spam summary on December 23rd, 2006
The SMTP frontend died and was restarted at 2:24 am Wednesday morning, so some stats are only from then. That said, this week we:
- got 14,896 messages from 260 different IP addresses.
- handled 22,673 sessions from 1,353 different IP addresses.
- received 147,470 connections from at least 47,766 different IP addresses since Wednesday at 2:24 am.
- hit a highwater of 10 connections being checked at once since Wednesday at 2:24 am.
It looks like we'd received about 65,000 connections as of Tuesday morning, which would make the total volume roughly the same as last week. The per-day information is kind of broken, but since Wednesday morning we seem to have had higher traffic than usual, running between 35,000 and 40,000 connections a day.
Kernel level packet filtering top ten:
Host/Mask | Packets | Bytes |
62.94.0.34 | 13437 | 605K |
213.4.149.12 | 12301 | 640K |
213.29.7.0/24 | 8888 | 533K |
193.252.22.158 | 4936 | 296K |
217.20.114.13 | 4783 | 287K |
216.48.45.2 | 3515 | 164K |
212.43.241.13 | 3478 | 191K |
60.231.152.85 | 3241 | 165K |
83.17.193.138 | 3045 | 183K |
62.66.138.173 | 2939 | 149K |
This is a change from last week, with totallyfreeld.net dropping out completely and a welcome drop in overall volume.
- 62.94.0.34 and 216.48.45.2 had too many bad HELOs.
- 213.4.149.12, 193.252.22.158, and 60.231.152.85 return from last week.
- 217.20.114.13 is in the NJABL.
- 212.43.241.13 is a fr.clara.net machine that kept on trying to send us stuff that had already tripped spamtraps.
- 83.17.193.138 and 62.66.138.173 are dynamic IP 'dialup' machines.
Connection time rejection stats:
52591 total
31494 dynamic IP
16375 bad or no reverse DNS
3541 class bl-cbl
312 class bl-sdul
222 class bl-dsbl
77 class bl-njabl
44 class bl-sbl
24 class bl-spews
15 cuttingedgemedia.com
8 class bl-ordb
This is, alas, the last week that the ORDB will appear in the stats, as the ORDB shut down December 18th (as reported on Slashdot, among other places; I am not linking to their website, because they're going to turn that off soon).
Only one out of the top 30 most rejected IP addresses was rejected
100 times or more this week: 63.138.101.141 (102 times, in the CBL).
16 of the top 30 are currently in the CBL and 7 are currently in
bl.spamcop.net.
Almost half of the SBL rejections this week came from one IP, 202.175.95.171 aka SBL49074, apparently a hijacked spam sending machine. The next two, rejected five times each, are 66.158.163.165 (SBL49046) and 221.133.1.17 (SBL49248). In a sign that the universe is returning to the proper order of things, both are listed for being advance fee fraud spam sources.
This week, Hotmail had:
- 1 message accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 28 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (2 for being in the CBL, one for being in SBL20211 and SBL46450).
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 1147 | 104 | 1017 | 109 |
Bad bounces | 117 | 98 | 80 | 64 |
By far the champion source of bad HELOs is 195.97.221.30 (335
rejections), followed by 12.162.97.71 (98 rejections). The leading
general area for bad bounces seems to have switched to Italian ISPs this
week. The random alphabetical names are the leading bad bounce targets,
but no one of them particularly stands out.