Weekly spam summary on October 29th, 2005
This week we received 12,079 email messages from 226 different IP addresses. Our SMTP server handled 44,167 sessions from 4,794 different IP addresses. Session volume is up a bit compared to last week, but well within what I now consider normal fluctuations.
Because we rebooted this machine Monday evening, we're about 36 hours short on kernel-level and total connection volume stats (and I'm not going to bother with per-day breakdowns). We had 190,650 connections since Monday evening, from at least 30,420 different IP addresses; from Sunday to just before the reboot, we had 30,190 connections. A straightforward total would make this a fairly ordinary week.
Kernel level packet filtering top ten:
    Host/Mask            Packets  Bytes
    126.96.36.199          13678   766K
    188.8.131.52           11451   535K
    184.108.40.206          9863   473K
    220.127.116.11/24       9416   478K
    18.104.22.168           5457   255K
    22.214.171.124/12       4856   263K
    126.96.36.199           4443   213K
    188.8.131.52            4401   264K
    184.108.40.206/24       4327   200K
    220.127.116.11          4232   203K
This week, chinanet.cn.net has clawed its way back into the top ten and 18.104.22.168 finishes out its third week in first place, earning 22.214.171.124/28, aka SBL24721, an entry in the permanent blocklist. So much for Surge Media.
- 126.96.36.199 is the only other IP address returning from last week or indeed any previous week; it's been blocked for
- 188.8.131.52 is on the ORDB.
- 184.108.40.206 is an interbusiness.it 'dialup' address; we don't talk to interbusiness.it anyways, but we especially don't talk to anything that has a generic interbusiness.it hostname.
- everyone else got blocked for repeated bad
Connection-time rejection stats:
    26507 total
    11429 dynamic IP
     7076 bad or no reverse DNS
     2179 class bl-cbl
     1516 class bl-ordb
     1400 class bl-spews
      675 class bl-sbl
      651 class bl-dsbl
      533 Chinese spam involvement
      199 class bl-njabl
      128 class bl-sdul
       14 class bl-opm
Several machines made outstanding contributions to these stats this week. 220.127.116.11, already featured in the kernel level stats, added 405 to the ORDB count, along with 18.104.22.168's 260; 22.214.171.124 gave 444 to the 'bad rDNS' count, with 126.96.36.199 assisting for 207. Several machines in SBL24721 gave the SBL stats a nice assist, as you might guess, but no one really stands out for SPEWS.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
HELOs are up from last week but bounces are once again down. 188.8.131.52 HELO'd with a bad name 872 times this week before we blocked it (and then it made the top ten kernel filters list), but there aren't any other really big contributors.
Since I enjoy depressing myself, here are more Hotmail statistics:
- one actual email accepted all week.
- five Hotmail messages refused due to their originating IP addresses (three listed in the SBL, one from Gilat-Satcom, one from Nigeria).
- 257 messages from Hotmail refused because they came from non-Hotmail email addresses.
Apparently our first set of Hotmail stats from two weeks ago was gathered during a slow week; Hotmail is now running only 0.4% 'email traffic we actually wish to accept'. If that.