Weekly spam summary on November 26th, 2005
This week we received 20,583 email messages from 213 different IP addresses. Our SMTP server handled 21,213 sessions from 1,044 different IP addresses. This is a significant jump in incoming email compared to last week.
We saw a major jump in connections compared to last week: 238,300 connections from at least 32,400 different IP addresses. Broken down by day, it goes:
While Thursday is the day when we're slowest to add entries to the kernel level blocks, I don't think that's the sole explanation for the general habit of connection rates to spike then. (And they were already ramping up on Wednesday and slowly ramping down on Friday, too.)
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 220.127.116.11/24 8102 420K 18.104.22.168 4596 221K 22.214.171.124 2930 141K 126.96.36.199 2895 174K 188.8.131.52 2597 132K 184.108.40.206/28 2395 134K 220.127.116.11 2248 114K 18.104.22.168 2230 107K 22.214.171.124 2173 130K 126.96.36.199/10 2145 113K
The kernel level hits are way down even compared to last week, with only two really active sources by our usual standards.
- 188.8.131.52 still has no PTR record; 184.108.40.206 continues to be in SBL34212.
- 220.127.116.11 is a PacBell DSL line
- 18.104.22.168 is a giga.net.tw cablemodem.
- 22.214.171.124 is a gnax.net machine that's on the CBL.
- 126.96.36.199 fed us a bad
HELOname a lot.
- 188.8.131.52 is a vol.cz machine that was blocked for repeatedly trying to send us mail that had already tripped our spamtraps. I suspect that it is a webmail system, and we know how that story usually goes.
This continues the trend of bad
HELOs being much less frequent
around here. It's possible that people are actually starting to fix
their mailers, although I'm not going to hold my breath.
Connection time rejection stats:
23767 total 14756 dynamic IP 5535 bad or no reverse DNS 2075 class bl-cbl 414 class bl-sbl 269 class bl-sdul 237 class bl-ordb 215 class bl-dsbl 52 class bl-spews 23 class bl-njabl 2 class bl-opm
Taking pride of place and explaining some of Thursday's numbers is 184.108.40.206, a bigpond.net.au cablemodem, which tried to connect to us 7,296 times before it gave up. (It may explain some of Wednesday's numbers too, as it started that evening.)
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
These numbers have dropped to amazingly low levels. I'm going to hold my breath that this keeps up. (Although some of the bounce reduction is from spammers and viruses starting to forge things like 'hostmaster' instead of random usernames.)
And finally, we have the usual depressing Hotmail numbers:
- ten email messages accepted.
- 299 messages rejected because they came from non-Hotmail email addresses.
- 26 messages refused because their sender addresses had already hit our spamtraps.
- 9 messages refused due to their origin IP address (6 in the SBL, two from SAIX, one from Nigeria).
Ten email messages accepted from Hotmail is quite high, and it looks like a fair number of them were non-spam (and more than a few spam, unfortunately). Given the other numbers this looks less like Hotmail getting any sort of handle on their spam issue and more like some people starting to use Hotmail.