Weekly spam summary on October 15th, 2005
This week we received 12,137 email messages from 240 different IP addresses. Our SMTP server handled 51,672 sessions from 4,977 different IP addresses. Session volume is down from last week, but not by what I'd consider a lot.
Overall connections are down to roughly the numbers we last saw four weeks ago: 222,800 connections from at least 38,400 different IP addresses. We did hit a highwater of 50 connections in flight at once, though. This week I have per-day statistics:
Both Sunday and Saturday are partial figures, which makes the Sunday numbers particularly startling. The maximum connections in flight highwater started the week at 22, jumped to 35 on Thursday, and hit 50 on Friday.
Kernel level SMTP packet filtering top ten:
Host/Mask Packets Bytes 22.214.171.124 16559 927K 126.96.36.199/24 10719 568K 188.8.131.52/10 10352 501K 184.108.40.206 10326 495K 220.127.116.11/24 7015 320K 18.104.22.168 6476 290K 22.214.171.124 5863 304K 126.96.36.199 5608 269K 188.8.131.52 5340 320K 184.108.40.206 5298 262K
This week only one Chinese network makes the top ten, and in third place instead of its first-place finish last week. A surprising number of the individual IP addresses are new.
- 220.127.116.11 is in SBL24721. 'Surge Media' is apparently an accurate label.
- 18.104.22.168 (bad
HELO), 22.214.171.124 (terra.es bad reverse DNS), and 126.96.36.199 (bad
HELO) are all repeat visitors to the top 10.
- 188.8.131.52 is a hkcable.com.hk cablemodem customer.
- everyone else was added due to unresolvable
Connection-time rejection stats:
30390 total 16033 dynamic IP 8219 bad or no reverse DNS 2164 class bl-cbl 1911 class bl-spews 389 class bl-dsbl 368 class bl-sbl 249 class bl-sdul 96 class bl-njabl 64 class bl-ordb 6 class bl-opm
The dynamic IP address count jumped significantly in part to a few machines seriously hammering on us before being firewalled away; one wanadoo.fr machine tried 1,269 connections before giving up. A few SPEWS-listed people were pretty persistent too.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
We're still rejecting an annoying amount of backscatter, but we'll probably always be. Two IP addresses, 184.108.40.206 and 220.127.116.11, both did quite a lot of backscattering this week; no one else stands out compared to last week.
(Someday I will do a report on backscatter and bad
HELOs by ASN.)