2007-02-03
Weekly spam summary on February 3rd, 2007
This week, we:
- got 15,790 messages from 280 different IP addresses.
- handled 23,657 sessions from 1,340 different IP addresses.
- received 248,408 connections from at least 73,118 different IP addresses.
- hit a highwater of 17 connections being checked at once.
Volume is up again from last week, although the number of different IPs is down slightly.
Day | Connections | different IPs |
Sunday | 28,871 | +11,587 |
Monday | 30,772 | +10,424 |
Tuesday | 39,487 | +10,941 |
Wednesday | 38,430 | +10,523 |
Thursday | 36,188 | +9,602 |
Friday | 37,864 | +10,746 |
Saturday | 36,796 | +9,295 |
This is somewhat more even than last week, but that's about all I can say for it.
Kernel level packet filtering top ten:
Host/Mask | Packets | Bytes |
193.70.192.0/24 | 18193 | 820K |
213.4.149.12 | 17817 | 926K |
213.29.7.0/24 | 17387 | 1043K |
193.95.28.40 | 14077 | 653K |
64.166.14.222 | 10431 | 501K |
203.143.22.50 | 7058 | 423K |
24.39.78.164 | 6715 | 322K |
206.100.222.95 | 6082 | 292K |
66.15.116.230 | 5391 | 259K |
66.15.119.165 | 4741 | 222K |
Things are definitely up compared to last week.
- 213.4.149.12 and 66.15.119.165 return from last week.
- 193.95.28.40 kept attempting to send us stuff that had already tripped spamtraps.
- 64.166.14.222 returns from early January, still blocked for being a PacBell DSL line.
- 203.143.22.50 is a Sri Lankan IP address with no reverse DNS.
- 24.39.78.164 and 206.100.222.95 both tried too often with bad HELOs.
- 66.15.116.230 is on the NJABL.
Connection time rejection stats:
64250 total
39581 dynamic IP
17883 bad or no reverse DNS
5133 class bl-cbl
333 class bl-dsbl
166 class bl-njabl
139 class bl-pbl
123 class bl-sbl
116 class bl-sdul
21 verticalresponse.com
13 cuttingedgemedia.com
Four of the top 30 most rejected IPs were rejected 100 times or more this week: 81.51.108.120 (349 times), 64.166.14.222 (199 times), 68.91.134.69 (118 times), and 211.180.132.9 (100 times). The first three were rejected as dynamic IPs, the fourth for having bad reverse DNS. Ten of the top 30 are currently in the CBL and a whopping 21 are currently listed in bl.spamcop.net.
This week's Hotmail scores are:
- 5 messages accepted.
- 1 message rejected because it came from a non-Hotmail email address.
- 36 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 8 messages refused due to their origin IP address (3 in the SBL, 2 from the Cote d'Ivoire, 1 in the CBL, 1 from Nigeria, and one from SAIX).
Somehow, I don't think we're losing anything by not accepting an email message this week from one 'netaleloto_awrd_006@hotmail.it'.
The SBL listings are SBL50384, from January 2007, SBL46422, from September 2006, and SBL32972, from November 2005, when it was spamming through Hotmail. I have no words.
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 982 | 113 | 1171 | 134 |
Bad bounces | 105 | 88 | 229 | 130 |
Germany and Russia seem to be the leading sources of bad bounces this week, with the usual contributions from various other places. Unlike last week, there's no particularly big single source; like last week, the most common bad usernames continue to be alphabetical jumbles, with a certain amount of more plausible ones mixed in. Bad bounces were sent to 96 different bad usernames this week.