Weekly spam summary on October 29th, 2005

October 30, 2005

This week we received 12,079 email messages from 226 different IP addresses. Our SMTP server handled 44,167 sessions from 4,794 different IP addresses. Session volume is up a bit compared to last week, but well within what I now consider normal fluctuations.

Because we rebooted this machine Monday evening, we're about 36 hours short on kernel-level and total connection volume stats (and I'm not going to bother with per-day breakdowns). We had 190,650 connections since Monday evening, from at least 30,420 different IP addresses; from Sunday to just before the reboot, we had 30,190 connections. A straightforward total would make this a fairly ordinary week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes          13678    766K          11451    535K          9863    473K       9416    478K           5457    255K          4856    263K          4443    213K         4401    264K        4327    200K           4232    203K

This week, chinanet.cn.net has clawed its way back into the top ten and finishes out its third week in first place, earning, aka SBL24721, an entry in the permanent blocklist. So much for Surge Media.

  • is the only other IP address returning from last week or indeed any previous week; it's been blocked for repeated bad HELO names.
  • is on the ORDB.
  • is an interbusiness.it 'dialup' address; we don't talk to interbusiness.it anyways, but we especially don't talk to anything that has a generic interbusiness.it hostname.
  • everyone else got blocked for repeated bad HELO names.

Connection-time rejection stats:

  26507 total
  11429 dynamic IP
   7076 bad or no reverse DNS
   2179 class bl-cbl
   1516 class bl-ordb
   1400 class bl-spews
    675 class bl-sbl
    651 class bl-dsbl
    533 Chinese spam involvement
    199 class bl-njabl
    128 class bl-sdul
     14 class bl-opm

Several machines made outstanding contributions to these stats this week., already featured in the kernel level stats, added 405 to the ORDB count, along with's 260; gave 444 to the 'bad rDNS' count, with assisting for 207. Several machines in SBL24721 gave the SBL stats a nice assist, as you might guess, but no one really stands out for SPEWS.

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 18117 922 13278 731
Bad bounces 2985 1690 4038 2261

Interestingly, bad HELOs are up from last week but bounces are once again down. HELO'd with a bad name 872 times this week before we blocked it (and then it made the top ten kernel filters list), but there aren't any other really big contributors.

Since I enjoy depressing myself, here are more Hotmail statistics:

  • one actual email accepted all week.
  • five Hotmail messages refused due to their originating IP addresses (three listed in the SBL, one from Gilat-Satcom, one from Nigeria).
  • 257 messages from Hotmail refused because they came from non-Hotmail email addresses.

Apparently our first set of Hotmail stats from two weeks ago were gathered during a slow week; Hotmail is now running only 0.4% 'email traffic we actually wish to accept'. If that.

Written on 30 October 2005.
« Affiliate marketing is undead
A tip: Always include NAT in your Linux kernel configuration »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Oct 30 00:54:43 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.