Weekly spam summary on November 26th, 2005

November 27, 2005

This week we received 20,583 email messages from 213 different IP addresses. Our SMTP server handled 21,213 sessions from 1,044 different IP addresses. This is a significant jump in incoming email compared to last week.

We saw a major jump in connections compared to last week: 238,300 connections from at least 32,400 different IP addresses. Broken down by day, it goes:

Day Connections different IPs
Sunday 9,130 +4,370
Monday 14,440 +5.970
Tuesday 12,490 +4,400
Wednesday 54,860 +4,660
Thursday 111,750 +4,300
Friday 22,900 +4,560
Saturday 12,730 +4,150

While Thursday is the day when we're slowest to add entries to the kernel level blocks, I don't think that's the sole explanation for the general habit of connection rates to spike then. (And they were already ramping up on Wednesday and slowly ramping down on Friday, too.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes       8102    420K          4596    221K         2930    141K            2895    174K           2597    132K        2395    134K         2248    114K         2230    107K            2173    130K          2145    113K

The kernel level hits are way down even compared to last week, with only two really active sources by our usual standards.

  • still has no PTR record; continues to be in SBL34212.
  • is a PacBell DSL line
  • is a giga.net.tw cablemodem.
  • is a gnax.net machine that's on the CBL.
  • fed us a bad HELO name a lot.
  • is a vol.cz machine that was blocked for repeatedly trying to send us mail that had already tripped our spamtraps. I suspect that it is a webmail system, and we know how that story usually goes.

This continues the trend of bad HELOs being much less frequent around here. It's possible that people are actually starting to fix their mailers, although I'm not going to hold my breath.

Connection time rejection stats:

  23767 total
  14756 dynamic IP
   5535 bad or no reverse DNS
   2075 class bl-cbl
    414 class bl-sbl
    269 class bl-sdul
    237 class bl-ordb
    215 class bl-dsbl
     52 class bl-spews
     23 class bl-njabl
      2 class bl-opm

Taking pride of place and explaining some of Thursday's numbers is, a bigpond.net.au cablemodem, which tried to connect to us 7,296 times before it gave up. (It may explain some of Wednesday's numbers too, as it started that evening.)

Other stats:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 682 76 3011 166
Bad bounces 190 98 387 265

These numbers have dropped to amazingly low levels. I'm going to hold my breath that this keeps up. (Although some of the bounce reduction is from spammers and viruses starting to forge things like 'hostmaster' instead of random usernames.)

And finally, we have the usual depressing Hotmail numbers:

  • ten email messages accepted.
  • 299 messages rejected because they came from non-Hotmail email addresses.
  • 26 messages refused because their sender addresses had already hit our spamtraps.
  • 9 messages refused due to their origin IP address (6 in the SBL, two from SAIX, one from Nigeria).

Ten email messages accepted from Hotmail is quite high, and it looks like a fair number of them were non-spam (and more than a few spam, unfortunately). Given the other numbers this looks less like Hotmail getting any sort of handle on their spam issue and more like some people starting to use Hotmail.

Written on 27 November 2005.
« How not to set up your DNS (part 2)
What Python's global interpreter lock does (and doesn't) protect »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Nov 27 01:16:55 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.