Weekly spam summary on August 27th, 2005
The overall SMTP connection rate is up from last week, as we hit 213,000 SMTP connections from at least 36,000 different IP addresses. The SMTP frontend hit a new highwater of 22 simultaneous connections being checked at once. It's possible that a lot of this is from spammers forging our domains as the MAIL FROM of their spams.
Top 10 kernel level SMTP rejections:
Host/Mask            Packets   Bytes
213.4.149.11           16370    736K   [dns]
150.101.192.222        12959    660K   [trap]
212.216.176.0/24       10593    553K
202.96.0.0/12           6472    311K
161.58.153.168          5752    284K   [trap]
206.169.79.2            4621    222K   [dyn]
61.128.0.0/10           4219    211K
64.105.41.16            4127    198K   [dyn]
201.224.247.45          4049    206K   [dns]
192.131.97.33           3706    163K   [helo]
Code | Explanation |
[dns] | Bad or missing reverse DNS |
[dyn] | Apparent dynamic IP address |
[helo] | Bad SMTP HELO greeting |
[trap] | Sent mail to a spamtrap |
Clearly we've had some very persistent callers this week; however, most of the individual machines are new on the list (the only exception is 213.4.149.11, appearing in SpamSummary-2005-07-23).
Connection-time rejection stats:
27462 total
13178 dynamic IP
 7721 bad or no reverse DNS
 1668 class bl-cbl
 1195 class bl-spews
 1032 class bl-sbl
  880 class bl-dsbl
  775 class bl-ordb
  189 class bl-sdul
   83 class bl-njabl
   27 class bl-opm
SBL-based rejections are up significantly, and break down like this for the top five:
Rejections | SBL listing |
617 | SBL20671 |
98 | SBL27384 |
62 | SBL20539 |
38 | SBL23039 |
23 | SBL29615 |
SBL20671 is a /19 ROKSO listing for OC3 Networks. SBL27384 is an aruba.it IP address listed for hosting a 'phish' site that tried to send us a bunch of email. SBL29615 is 216.250.209.9, www.portafree.com, listed as an Advance Fee Fraud source. (There is a lesson here for people running free email services, but they clearly keep on not learning.)
SPEWS rejections have no specific bad source, although 65.209.157.32 kept retrying a lot (it looks like it's a Microsoft mailer, and those tend to do that in my experience). Big SPEWS contributions came from mail.uk.tiscali.com and seamail.go.com, both of which are widely abused free email services that I am not sorry to see rejected. wanadoo.co.uk also got into the act.
(I am seriously considering specific connection-time rejections for all of the widely abused free email providers that I don't want to bother talking to. It would probably make these reports more streamlined and it might get the message through to their operators. Or at least any real users trying to email our users.)
Bad HELOs and SMTP bounces to nonexistent local addresses are up quite a lot over last week. The numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 21143 | 831 | 4888 | 409 |
Bad bounces | 6722 | 3282 | 2099 | 817 |
Much of the increase in the bad HELO count is due to various people retrying much more often. The drastic increase in the number of distinct IP addresses sending us bad bounces suggests that our domains are being forged more by spammers again.