Weekly spam summary on October 8th, 2005
This week we received 12,111 email messages from 242 different IP addresses. Our SMTP server handled 61,080 sessions from 6,951 different IP addresses. Both email volume and session volume is up from last week, despite us being cut off from Level 3 customers for part of the week. (The University of Toronto gets core connectivity from Cogent, and you may have heard about the spat Cogent and Level 3 had between Wednesday and Friday.)
Overall connections are up again from last week: 299,200 connections from at least 41,000 different IP addresses. Our SMTP frontend once again hit a highwater of 50 maximum connections in flight. (I really need to be able to do a day by day breakdown of these numbers, to see when the connection rates jump.)
Looking back to the first of these reports in SpamStats-2005-06-25 it's tempting to draw some overall conclusions. Unfortunately it would be misleading, since our connection-time checking process is different now than it was back then. The growth in connection rates and the changes in other statistics may be in large part because we are now more aggressive about telling people to come back later.
(At the same time I think it's clear on a week to week basis that we have seen significant jumps in the volume of bad stuff.)
Kernel level SMTP blocks:
Host/Mask Packets Bytes 61.128.0.0/10 17702 858K 66.92.140.53 13785 662K 202.96.0.0/12 10500 517K 212.216.176.0/24 9717 506K 218.102.53.0/24 8949 413K 213.4.149.69 8804 403K 24.173.71.171 7366 354K 24.147.105.129 7340 352K 220.160.0.0/11 6826 331K 65.124.82.6 6257 300K
China comes in like gangbusters for once, specifically chinanet.cn.net (all three of the large netblocks in the top ten are theirs). I believe this may be a record placement of large netblocks in the top ten listing. tin.it and Netvigator continue their strong showings.
- 213.4.149.69, a terra.es machine listed for bad reverse DNS data, has made the top 10 before (in SpamSummary-2005-09-17).
- 24.147.105.129, smtp.capinc.com, is SPEWS-listed as part of Comcast/ATTBI.
- 65.124.82.6, in QWEST space, was rejected because of bad reverse DNS; QWEST has hosted enough spammers that we now require anyone from their network space to have valid reverse DNS before we'll talk to them.
- and finally, 66.92.140.53 and 24.173.71.171 did the usual thing of
pumping out unresolvable
HELOgreetings.
This is clearly an atypical week; most weeks, the leading cause of
getting into our kernel-level filters is unresolvable HELO
greetings.
Connection-time rejection stats:
25755 total
12244 dynamic IP
6513 bad or no reverse DNS
1852 class bl-cbl
1434 class bl-spews
1044 class bl-dsbl
556 class bl-sbl
549 bad Chinese networks
494 class bl-ordb
285 class bl-sdul
133 class bl-njabl
8 class bl-opm
The stats are broadly the same as last week. Apart from 210.51.25.177, almost singlehandedly responsible for the sudden appearance of 'bad Chinese networks' in the list of noteworthy things, no single source stands out.
Other stats:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs |
30842 | 1438 | 20892 | 1155 |
| Bad bounces | 8181 | 4121 | 7235 | 3322 |
Since both of these numbers are up from last week, it's probably
spammers forging us (yet again) as the MAIL FROM in their spam runs.
(Technical issues make the 'last week' numbers from this table not quite match up with the 'this week' numbers in the same report last week. I'm switching some manual procedures around so that the numbers should match up better in the future; the divergence has to do with when logfiles are rolled over and how that interacts with the weekly reboot.)
|
|