Weekly spam summary on October 8th, 2005

October 9, 2005

This week we received 12,111 email messages from 242 different IP addresses. Our SMTP server handled 61,080 sessions from 6,951 different IP addresses. Both email volume and session volume is up from last week, despite us being cut off from Level 3 customers for part of the week. (The University of Toronto gets core connectivity from Cogent, and you may have heard about the spat Cogent and Level 3 had between Wednesday and Friday.)

Overall connections are up again from last week: 299,200 connections from at least 41,000 different IP addresses. Our SMTP frontend once again hit a highwater of 50 maximum connections in flight. (I really need to be able to do a day by day breakdown of these numbers, to see when the connection rates jump.)

Looking back to the first of these reports in SpamStats-2005-06-25 it's tempting to draw some overall conclusions. Unfortunately it would be misleading, since our connection-time checking process is different now than it was back then. The growth in connection rates and the changes in other statistics may be in large part because we are now more aggressive about telling people to come back later.

(At the same time I think it's clear on a week to week basis that we have seen significant jumps in the volume of bad stuff.)

Kernel level SMTP blocks:

Host/Mask           Packets   Bytes         17702    858K          13785    662K         10500    517K       9717    506K        8949    413K           8804    403K          7366    354K         7340    352K         6826    331K            6257    300K

China comes in like gangbusters for once, specifically chinanet.cn.net (all three of the large netblocks in the top ten are theirs). I believe this may be a record placement of large netblocks in the top ten listing. tin.it and Netvigator continue their strong showings.

  •, a terra.es machine listed for bad reverse DNS data, has made the top 10 before (in SpamSummary-2005-09-17).
  •, smtp.capinc.com, is SPEWS-listed as part of Comcast/ATTBI.
  •, in QWEST space, was rejected because of bad reverse DNS; QWEST has hosted enough spammers that we now require anyone from their network space to have valid reverse DNS before we'll talk to them.
  • and finally, and did the usual thing of pumping out unresolvable HELO greetings.

This is clearly an atypical week; most weeks, the leading cause of getting into our kernel-level filters is unresolvable HELO greetings.

Connection-time rejection stats:

  25755 total
  12244 dynamic IP
   6513 bad or no reverse DNS
   1852 class bl-cbl
   1434 class bl-spews
   1044 class bl-dsbl
    556 class bl-sbl
    549 bad Chinese networks
    494 class bl-ordb
    285 class bl-sdul
    133 class bl-njabl
      8 class bl-opm

The stats are broadly the same as last week. Apart from, almost singlehandedly responsible for the sudden appearance of 'bad Chinese networks' in the list of noteworthy things, no single source stands out.

Other stats:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 30842 1438 20892 1155
Bad bounces 8181 4121 7235 3322

Since both of these numbers are up from last week, it's probably spammers forging us (yet again) as the MAIL FROM in their spam runs.

(Technical issues make the 'last week' numbers from this table not quite match up with the 'this week' numbers in the same report last week. I'm switching some manual procedures around so that the numbers should match up better in the future; the divergence has to do with when logfiles are rolled over and how that interacts with the weekly reboot.)

Written on 09 October 2005.
« Exploring some spamblogs
Troubleshooting versus support »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Oct 9 02:02:12 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.