Spam summary for July 23rd 2005

July 24, 2005

It looks like the hope from last week that spammers had stopped forging University of Toronto subdomains as the origin of their spam was in fact just a hope. 'Nonexistent local user' rejections are back up like clockwork. Oh well; it would have been nice.

IP level rejections:

Host/Mask           Packets   Bytes
212.216.176.0/24       6663    339K
213.4.149.11           6659    303K
151.189.20.157         3918    188K
83.103.57.17           3190    162K
61.128.0.0/10          2648    132K
193.111.201.127        2490    127K
221.216.0.0/13         2252    109K
194.30.33.37           2185    111K
219.128.0.0/12         2165    106K
216.7.201.43           2014   96672
194.250.136.10         1877   90096
68.63.102.114          1853   88944
66.235.196.26          1750    105K
220.245.160.88         1686   80768
218.0.0.0/11           1529   75816
217.52.32.185          1502   72096
65.214.61.100          1455   69840
193.41.153.65          1422   68256
216.109.197.126        1320   65136
220.160.0.0/11         1294   63600

Finally, 24.156.64.52 has dropped entirely out of the list. A number of other apparent dynamic/DHCP/cable modem sources are on it, though; I'm not surprised. Zombie spam is the big problem of these days.

Connection-time rejections:

  24003 total
   8375 rejected due to bad/missing reverse DNS information
   1236 class bl-cbl
    698 class bl-ordb
    509 class bl-dsbl
    335 class bl-spews
    330 class bl-sbl
    162 class bl-sdul
    158 class bl-njabl
     10 class bl-opm

Surprisingly, rejections have plummeted overall, although they're broadly like last week's. We had about 186,000 SMTP connections from at least 35,000 different IP addresses, which is somewhat up on our usual connections volume (I usually expect about 120,000 over the course of a week).

We rejected 9,200 IP addresses at connect time, let 1,330 machines get as far as the SMTP banner, and actually accepted email from only 197 different IP addresses. This is about the depressing ratio mismatch I expected from previous weeks.

At this point I'm running out of interesting statistics to take more looks at, so I'll probably flip away from weekly spam stats posts in favour of just generating the data and archiving it for long-term local analysis. (I suppose I could do a breakdown of connection time rejections by source ASN. (But if I do that, I should probably explain 'ASN' first.))

Written on 24 July 2005.

Last modified: Sun Jul 24 01:17:02 2005