Spam summary for July 23rd 2005

July 24, 2005

It looks like the hope from last week that spammers had stopped forging University of Toronto subdomains as the origin of their spam was in fact just a hope. 'Nonexistent local user' rejections are back up like clockwork. Oh well; it would have been nice.

IP level rejections:

Host/Mask           Packets   Bytes       6663    339K           6659    303K         3918    188K           3190    162K          2648    132K        2490    127K         2252    109K           2185    111K         2165    106K           2014   96672         1877   90096          1853   88944          1750    105K         1686   80768           1529   75816          1502   72096          1455   69840          1422   68256        1320   65136         1294   63600

Finally, has dropped entirely out of the list. A number of other apparent dynamic/DHCP/cable modem sources are on it, though; I'm not surprised. Zombie spam is the big problem of these days.

Connection-time rejections:

  24003 total
   8375 rejected due to bad/missing reverse DNS information
   1236 class bl-cbl
    698 class bl-ordb
    509 class bl-dsbl
    335 class bl-spews
    330 class bl-sbl
    162 class bl-sdul
    158 class bl-njabl
     10 class bl-opm

Surprisingly, rejections have plummeted overall, although they're broadly like last week's. We had about 186,000 SMTP connections from at least 35,000 different IP addresses, which is somewhat up on our usual connections volume (I usually expect about 120,000 over the course of a week).

We rejected 9,200 IP addresses at connect time, let 1,330 machines get as far as the SMTP banner, and actually accepted email from only 197 different IP addresses. This is about the depressing ratio mismatch I expected from previous weeks.

At this point I'm running out of interesting statistics to take more looks at, so I'll probably flip away from weekly spam stats posts in favour of just generating the data and archiving it for long-term local analysis. (I suppose I could do a breakdown of connection time rejections by source ASN. (But if I do that, I should probably explain 'ASN' first.))

Written on 24 July 2005.
« The necessary evolution of mail servers
Reliably archiving things »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Jul 24 01:17:02 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.