Weekly spam summary on October 22nd, 2005

October 23, 2005

This week we received 11,880 email messages from 233 different IP addresses. Our SMTP server handled 36,465 sessions from 4,042 different IP addresses, down markedly from last week.

Overall connections are down slightly from last week: 210,400 connections from at least 38,800 different IP addresses. This week, we only hit a highwater of 22 connections being processed simultaneously. Per day statistics:

Day         Connections   different IPs
Sunday           42,200           8,830
Monday           35,800          +5,110
Tuesday          18,630          +4,900
Wednesday        41,900          +5,330
Thursday         23,240          +5,500
Friday           28,820          +5,250
Saturday         19,790          +3,930

The Sunday surge is expected; we reboot with much of the kernel level IP filters cleared, and active IPs to block hit us and get added back in later on in the day. Simultaneous connections being processed hit 13 on Sunday then 22 on Thursday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
66.154.124.9          21081   1180K
212.216.176.0/24      11764    599K
66.92.140.53           9605    461K
216.213.82.100         6461    329K
67.123.2.225           6442    301K
80.250.6.1             5568    267K
66.179.44.52           5414    260K
218.102.53.0/24        5238    242K
62.101.217.247         4650    223K
65.86.183.103          4523    211K

No large netblocks made the list at all, but 66.154.124.9, 'Surge Media' in SBL24721 is really living up to its name (and reappears from last week). Also putting in return appearances are 66.92.140.53 and 66.179.44.52, both getting kernel level blocks due to repeated bad HELO names.

It's been a good (or bad) week for DNS blocklists; 216.213.82.100 is DSBL-listed, 80.250.6.1 is CBL-listed, and 62.101.217.247 is on the ORDB. The remaining four IP addresses got blocked for repeated bad HELO names.

Connection-time rejection stats:

  23648 total
  10554 dynamic IP
   7333 bad or no reverse DNS
   2369 class bl-cbl
    832 class bl-spews
    533 class bl-dsbl
    367 class bl-sbl
    336 class bl-ordb
    211 class bl-njabl
    169 class bl-sdul
      5 class bl-opm

Unlike last week, there is no single really active source.

Other stats:

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs           13278              731         27390             1136
Bad bounces          4038             2261          5320             2739

Spammers are probably forging us less, although they continue to forge us. They will probably continue to forge us until the Internet melts down in a combination of depeerings, bankruptcies, and disagreements over which organization and country should run the whole thing.

Written on 23 October 2005.
Last modified: Sun Oct 23 01:51:47 2005