Weekly spam summary on September 24th, 2005

September 25, 2005

As time goes by, more and more of these weekly spam summaries are getting automated. Which just goes to show that sooner or later, I can learn from experience and do things right.

This week we received 11,900 email messages from 245 different IP addresses, and our SMTP server handled 63,600 sessions from 7,400 different IP addresses. Email volume is a tiny bit down from last week, but session volume is up; we're probably getting hammered more than usual by spam bounce backscatter.

Our SMTP connection count and kernel level block statistics are missing about 36 hours this week because we rebooted the server Monday night; both stats reset each reboot (normally once a week, early Sunday morning). Having said that, they're still pretty strikingly up.

Overall connections since Monday the 19th at 5:30pm Eastern or so: 234,000, from at least 30,000 different IP addresses. Many of these came early in the week; by 3:40 pm on the 21st we had already seen 111,200 connections from at least 13,900 different IP addresses and had reached the week's high-water mark of 17 simultaneous connections.

Kernel level SMTP blocks:

Host/Mask           Packets   Bytes
202.96.0.0/12         17429   1011K
218.102.53.0/24       11495    531K
195.188.82.90         11375    532K
213.4.149.11          10345    461K
213.4.129.132          9591    412K
212.216.176.0/24       9050    444K
71.133.232.113         8809    503K
209.34.82.59           7034    338K
66.179.44.52           5807    279K
67.151.195.195         5452    255K

Vaulting into first place is a long-term block of a large portion of Chinanet address space. Second place goes to Netvigator, bringing the Far East's contribution up this week. Of the rest, only 213.4.149.11 (mx.terra.es, frequently on this list) and 213.4.129.132 (another terra.es machine, first seen last week) are repeat visitors.

213.4.129.132 is rejected for not having good reverse DNS. All the other ones banged on our doors too often with unresolvable HELO greetings.

Connection-time rejection stats:

  25692 total
  12178 dynamic IP
   6811 bad or no reverse DNS
   1973 class bl-spews
   1323 class bl-dsbl
   1272 class bl-cbl
    458 class bl-ordb
    416 class bl-sbl
    105 class bl-njabl
     84 class bl-sdul
     10 class bl-opm

There are no particularly prominent single sources of connection time rejections this week, certainly not for the DNS blocklists; their larger numbers this week seem to be natural fluctuation.

Other stats:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      23703 (1665)                 27038 (1188)
Bad bounces     9205 (4381)                  6774 (3209)

This makes it pretty probable that our increased session volume this week was spam bounce backscatter.
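The per-class rejection counts above and the distinct-IP columns in the table are the sort of thing the automation mentioned at the top of this entry produces. The following is an added example, not the script behind these summaries: it tallies a constructed, hypothetical log format (`<timestamp> reject <ip> <class>`, using RFC 5737 documentation addresses, not real traffic) into total, per-class and distinct-IP counts, skipping malformed lines, and shows how a DNSBL query name is formed from an IP for the `bl-*` classes. The zone name `bl.example.invalid` is a placeholder; the real server's log format and the zones it queries are not given on this page.

```python
"""Tally connection-time SMTP rejections by class, with distinct-IP counts.

Added example; not the tooling behind the original summaries.  The log
line format is constructed for illustration (hypothetical):

    <timestamp> reject <ip> <class>

where <class> is a rejection class such as dynamic-ip, bad-rdns or bl-sbl.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample log lines (documentation addresses, not real data).
SAMPLE_LOG = """\
2005-09-20T03:12:41 reject 192.0.2.10 dynamic-ip
2005-09-20T03:12:45 reject 192.0.2.10 dynamic-ip
2005-09-20T03:13:02 reject 198.51.100.7 bad-rdns
2005-09-20T03:13:30 reject 203.0.113.99 bl-sbl
2005-09-20T03:14:00 reject 203.0.113.99 bl-cbl
2005-09-20T03:14:10 reject 198.51.100.8 bad-rdns
2005-09-20T03:15:00 reject 192.0.2.11 dynamic-ip
this line is garbage and must be skipped, not counted
2005-09-20T03:16:00 reject 203.0.113.100 bl-sbl
"""


def parse_rejects(text):
    """Yield (ip, class) from well-formed reject lines; skip anything else."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1] != "reject":
            continue
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # not an IP address: ignore rather than crash
        yield str(ip), fields[3]


def tally(text):
    """Return (total, counts_by_class, distinct_ips_by_class)."""
    counts = Counter()
    seen = defaultdict(set)
    for ip, cls in parse_rejects(text):
        counts[cls] += 1
        seen[cls].add(ip)
    distinct = {cls: len(ips) for cls, ips in seen.items()}
    return sum(counts.values()), counts, distinct


def format_summary(text):
    """Render the tally in the same shape as the summary's rejection list."""
    total, counts, distinct = tally(text)
    lines = [f"{total:7d} total"]
    for cls, n in counts.most_common():
        lines.append(f"{n:7d} class {cls} ({distinct[cls]} distinct IPs)")
    return "\n".join(lines)


def dnsbl_query_name(ip, zone):
    """Name a DNSBL client looks up for an IPv4 address: the octets reversed,
    then the list's zone appended (the standard DNSBL convention).
    `zone` is supplied by the caller; the example zone is a placeholder."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


if __name__ == "__main__":
    print(format_summary(SAMPLE_LOG))
    print(dnsbl_query_name("203.0.113.99", "bl.example.invalid"))
```

Counting distinct IPs per class alongside raw counts is what separates a few persistent offenders (many rejections, few addresses, candidates for a kernel-level block) from a broad botnet or backscatter wave (many addresses, few rejections each).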

Last modified: Sun Sep 25 02:04:51 2005