Weekly spam summary on February 3rd, 2007
This week, we:
- got 15,790 messages from 280 different IP addresses.
- handled 23,657 sessions from 1,340 different IP addresses.
- received 248,408 connections from at least 73,118 different IP addresses.
- hit a highwater of 17 connections being checked at once.
Volume is up again from last week, although the number of different IPs is down slightly.
This is somewhat more even than last week, but that's about all I can say for it.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
|---|---|---|
| 220.127.116.11/24 | 18193 | 820K |
| 18.104.22.168 | 17817 | 926K |
| 22.214.171.124/24 | 17387 | 1043K |
| 126.96.36.199 | 14077 | 653K |
| 188.8.131.52 | 10431 | 501K |
| 184.108.40.206 | 7058 | 423K |
| 220.127.116.11 | 6715 | 322K |
| 18.104.22.168 | 6082 | 292K |
| 22.214.171.124 | 5391 | 259K |
| 126.96.36.199 | 4741 | 222K |
Things are definitely up compared to last week.
- 188.8.131.52 and 184.108.40.206 return from last week.
- 220.127.116.11 kept attempting to send us stuff that had already tripped spamtraps.
- 18.104.22.168 returns from early January, still blocked for being a PacBell DSL line.
- 22.214.171.124 is a Sri Lankan IP address with no reverse DNS.
- 126.96.36.199 and 188.8.131.52 both tried too often with bad
- 184.108.40.206 is on the NJABL.
Connection time rejection stats:
| Count | Rejection reason |
|---|---|
| 64250 | total |
| 39581 | dynamic IP |
| 17883 | bad or no reverse DNS |
| 5133 | class bl-cbl |
| 333 | class bl-dsbl |
| 166 | class bl-njabl |
| 139 | class bl-pbl |
| 123 | class bl-sbl |
| 116 | class bl-sdul |
| 21 | verticalresponse.com |
| 13 | cuttingedgemedia.com |
Four of the top 30 most rejected IPs were rejected 100 times or
more this week: 220.127.116.11 (349 times), 18.104.22.168 (199 times),
22.214.171.124 (118 times), and 126.96.36.199 (100 times). The first three
were rejected as dynamic IPs, the fourth for having bad reverse DNS. Ten
of the top 30 are currently in the CBL and a whopping 21 are currently
This week's Hotmail scores are:
- 5 messages accepted.
- 1 message rejected because it came from a non-Hotmail email address.
- 36 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 8 messages refused due to their origin IP address (3 in the SBL, 2 from the Cote d'Ivoire, 1 in the CBL, 1 from Nigeria, and one from SAIX).
Somehow, I don't think we're losing anything by not accepting an email message this week from one 'email@example.com'.
The SBL listings are SBL50384, from January 2007, SBL46422, from September 2006, and SBL32972, from November 2005, when it was spamming through Hotmail. I have no words.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Germany and Russia seem to be the leading sources of bad bounces this week, with the usual contributions from various other places. Unlike last week, there's no particularly big single source; like last week, the most common bad usernames continue to be alphabetical jumbles, with a certain amount of more plausible ones mixed in. Bad bounces were sent to 96 different bad usernames this week.