Wandering Thoughts archives


Weekly spam summary on January 13th, 2007

This week, we:

  • got 14,362 messages from 263 different IP addresses.
  • handled 18,805 sessions from 1,257 different IP addresses.
  • received 232,353 connections from at least 81,631 different IP addresses.
  • hit a highwater of 26 connections being checked at once.

Weekly email volume has returned to normal, which is not surprising (the university is back in full session). Total volume is up a bit from last week, especially the number of different IP addresses talking to us.

Day        Connections  different IPs
Sunday          32,355        +13,346
Monday          35,036        +12,551
Tuesday         31,295        +11,603
Wednesday       36,412        +11,841
Thursday        36,387        +12,355
Friday          32,702        +10,873
Saturday        28,166         +9,062

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                      18869    981K
                      18426   1105K
                      13778    621K
                       6860    321K
                       5001    254K
                       4062    195K
                       3999    240K
                       3811    183K
                       3184    153K
                       2339    116K

  •,, and return from last week's list.
  • is a bigpond.net.au cablemodem and last appeared in December.
  • didn't make the kernel filtering top ten last week but got mentioned for other reasons and has made the weekly summaries before in general.
  • is an ntl.com broadband customer, which we consider a dynamic/dialup IP address.
  • is in the SORBS DUL.

Overall volume is once again up a bit from last week.

Connection time rejection stats:

  59047 total
  37554 dynamic IP
  14709 bad or no reverse DNS
   4911 class bl-cbl
    371 class bl-sdul
    270 class bl-dsbl
    152 'fairgamemail.us'
    134 class bl-njabl
     97 cuttingedgemedia.com
     59 class bl-spews
     31 class bl-sbl

This is likely the last week SPEWS will appear in these reports. Sparked by reports in news.admin.net-abuse.email that the SPEWS database hasn't been updated for the past few months, and the generally low hit rate recently, I am pulling them from our configuration to avoid potential future explosions.

Only one IP address out of the top 30 most rejected IP addresses was rejected 100 times or more; (698 times), which also made the top 10 kernel rejected IPs. 15 out of the top 30 are currently in the CBL and 6 are currently in bl.spamcop.net.

This week Hotmail brought us:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 30 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (four from the Cote d'Ivoire, one in SBL22599).

And the final numbers:

what         # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            566              98          332             130
Bad bounces          151             126           16              11

Oh well, so much for the peace of last week. There is no single big contributor to either, although the major source of bad bounces seems to be German sites. The largest target of bad bounces was 'noreply', but after that almost everything was to alphabetic jumble usernames, with only a few plausible ex-users mixed in.

spam/SpamSummary-2007-01-13 written at 23:48:24