Weekly spam summary on November 19th, 2005

November 20, 2005

Once again, I'm leading with Hotmail's stats to highlight their spam problem:

  • three email messages accepted.
  • 320 messages refused because they came from non-Hotmail email addresses.
  • 22 messages refused because their sender addresses had already hit our spamtraps.
  • 21 messages refused due to their originating IP address (17 in the SBL, two in the CBL, one in the XBL, one because it's from Gilat-Satcom).

Gilat-Satcom is a serious problem here; it has quite a number of SBL listings for advance fee fraud spam sources (and many of them through Hotmail), yet nothing happens.

This week we received 12,759 email messages from 224 different IP addresses. Our SMTP server handled 20,329 sessions from 1,350 different IP addresses. Both of these numbers are about the same as last week.

Our connection volume is even lower than two weeks ago: 80,250 connections from at least 27,670 different IP addresses. This is probably a record low. This time around, the per-day connection counts drop below 10,000 from Thursday onwards; I'm not going to bother with a table.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
212.216.176.0/24      11402    595K
66.154.124.0/28        9758    546K
72.41.4.3              7319    439K
61.128.0.0/10          5449    272K
212.175.13.129         5020    264K
130.69.197.3           3922    235K
219.71.176.89          3452    166K
66.230.161.178         2458    147K
216.7.201.43           2302    110K
66.62.47.57            2270    136K

  • 72.41.4.3 is an opentransfer.com machine; we don't talk to them due to too much spam.
  • returning from previous listings are 130.69.197.3 (still tried to mail us with origin addresses that had tripped our spamtraps), 219.71.176.89 (still a giga.net.tw dynamic IP address), and 216.7.201.43 (bad HELO).
  • 66.62.47.57 is in SBL34212.
  • 212.175.13.129 was on the DSBL, but has been delisted during the week.
  • 66.230.161.178 kept trying to mail us with an origin address that had tripped our spamtraps.

This has clearly been a really slow week for bad HELO names.

Connection time rejection stats:

  14635 total
   7050 dynamic IP
   4316 bad or no reverse DNS
   1627 class bl-cbl
    496 class bl-sbl
    376 class bl-ordb
    197 class bl-dsbl
    153 class bl-sdul
    135 class bl-spews
     25 class bl-njabl
      2 class bl-opm

No single IP address stands out in this week's statistics.

Other stats:

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs            3011              166          3613              165
Bad bounces           387              265           774              570

Bounces are significantly down from the already low numbers for last week. Perhaps spammers have finally given up on forging us as the origin address for their spams? (A weary postmaster can dream.)

Written on 20 November 2005.
Last modified: Sun Nov 20 01:59:30 2005