Weekly spam summary on December 23rd, 2006
The SMTP frontend died and was restarted at 2:24 am Wednesday morning, so some stats are only from then. That said, this week we:
- got 14,896 messages from 260 different IP addresses.
- handled 22,673 sessions from 1,353 different IP addresses.
- received 147,470 connections from at least 47,766 different IP addresses since Wednesday at 2:24 am.
- hit a highwater of 10 connections being checked at once since Wednesday at 2:24 am.
It looks like we'd received about 65,000 connections as of Tuesday morning, which would make the total volume roughly the same as last week. The per-day information is kind of broken, but since Wednesday morning we seem to have had higher traffic than usual, running between 35,000 and 40,000 connections a day.
Kernel level packet filtering top ten:
  Host/Mask           Packets   Bytes
  184.108.40.206        13437    605K
  220.127.116.11        12301    640K
  18.104.22.168/24       8888    533K
  22.214.171.124         4936    296K
  126.96.36.199          4783    287K
  188.8.131.52           3515    164K
  184.108.40.206         3478    191K
  220.127.116.11         3241    165K
  18.104.22.168          3045    183K
  22.214.171.124         2939    149K
This is a change from last week, with totallyfreeld.net dropping out completely and a welcome drop in overall volume.
- 126.96.36.199 and 188.8.131.52 had too many bad
- 184.108.40.206, 220.127.116.11, and 18.104.22.168 return from last week.
- 22.214.171.124 is in the NJABL.
- 126.96.36.199 is a fr.clara.net machine that kept on trying to send us stuff that had already tripped spamtraps.
- 188.8.131.52 and 184.108.40.206 are dynamic IP 'dialup' machines.
Connection time rejection stats:
  52591 total
  31494 dynamic IP
  16375 bad or no reverse DNS
   3541 class bl-cbl
    312 class bl-sdul
    222 class bl-dsbl
     77 class bl-njabl
     44 class bl-sbl
     24 class bl-spews
     15 cuttingedgemedia.com
      8 class bl-ordb
This is, alas, the last week that the ORDB will appear in the stats, as the ORDB shut down December 18th (as reported on Slashdot, among other places; I am not linking to their website, because they're going to turn that off soon).
Only one out of the top 30 most rejected IP addresses was rejected
100 times or more this week: 220.127.116.11 (102 times, in the CBL).
16 of the top 30 are currently in the CBL and 7 are currently in
Almost half of the SBL rejections this week came from one IP, 18.104.22.168 aka SBL49074, apparently a hijacked spam sending machine. The next two, rejected five times each, are 22.214.171.124 (SBL49046) and 126.96.36.199 (SBL49248). In a sign that the universe is returning to the proper order of things, both are listed for being advance fee fraud spam sources.
This week, Hotmail had:
- 1 message accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 28 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (2 for being in the CBL, one for being in SBL20211 and SBL46450).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
By far the champion source of bad
HELOs is 188.8.131.52 (335
rejections), followed by 184.108.40.206 (98 rejections). The leading
general area for bad bounces seems to have switched to Italian ISPs this
week. The random alphabetical names are the leading bad bounce targets,
but no one of them particularly stands out.