Weekly spam summary on November 12th, 2005
This week I'm leading with Hotmail's numbers, because they continue to be a depressing testament to Hotmail's spam problem. This week's Hotmail statistics are:
- one email accepted, probably advance fee fraud spam judging from the Hotmail user name.
- 14 Hotmail messages refused due to their originating IP addresses (4 in the SBL, 4 in the XBL, three from Nigeria, two from SAIX, and one from the Cote d'Ivoire).
- 31 Hotmail messages refused because their sender addresses had already hit our spamtraps.
- 251 messages from Hotmail refused because they came from non-Hotmail email addresses.
At this point it's hard to see a point to continuing to accept Hotmail's email. And it's not like Hotmail shows any signs of dealing with their problem; they've offloaded it onto the rest of us.
On to other stats. This week we received 13,175 email messages from 230 different IP addresses. Our SMTP server handled 22,087 sessions from 1,695 different IP addresses. Both of these numbers are about the same as last week.
Our connection volume is up from the depths of last week: 179,300 connections from at least 30,000 different IP addresses.
Tuesday is responsible for more than a third of the connections all on its own, with a spillover into Wednesday and a bit of a spike on Wednesday. Otherwise things are pretty close to last week's daily rates.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
|---|---|---|
| 220.127.116.11 | 11730 | 548K |
| 18.104.22.168/28 | 10428 | 584K |
| 22.214.171.124 | 7892 | 369K |
| 126.96.36.199/24 | 7723 | 386K |
| 188.8.131.52/10 | 7210 | 351K |
| 184.108.40.206 | 6128 | 309K |
| 220.127.116.11 | 4675 | 281K |
| 18.104.22.168 | 4410 | 212K |
| 22.214.171.124 | 3577 | 172K |
| 126.96.36.199 | 3286 | 158K |
This is a skewed distribution, but not as skewed as last week.
188.8.131.52 continue to send us bad
- 184.108.40.206 is an etpi.com.ph machine with no reverse DNS.
- 220.127.116.11 is a giga.net.tw cablemodem.
- 18.104.22.168 and 22.214.171.124 both tripped our spamtraps and then persistently kept trying to mail us.
Connection time rejection stats:
- 16386 total
- 8270 dynamic IP
- 4714 bad or no reverse DNS
- 1407 class bl-cbl
- 662 class bl-ordb
- 504 class bl-sbl
- 224 class bl-spews
- 90 class bl-dsbl
- 71 class bl-sdul
- 54 class bl-njabl
- 2 class bl-opm
The dynamic IP category jumped in significant part due to just one machine, 126.96.36.199 (a wanadoo.fr dialup), trying 1,796 times to connect before it got blocked harder. (And this happened on Tuesday.)
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
I'm not going to try to read meaning into the changed bounce count.
There were definitely some quite persistent sources of bad names this week.