Weekly spam summary on December 3rd, 2005
I'll lead with Hotmail's spam numbers:
- four emails accepted, and I know for sure that two of them were spam.
- 239 messages rejected because they came from non-Hotmail email addresses.
- 24 messages refused because their sender addresses had already hit our spamtraps.
- 10 messages refused due to their origin IP address (5 in the SBL, 4 in the CBL, and one from Nigeria).
The case for banning Hotmail entirely becomes more and more compelling. It's probably time to raise it with the rest of my group and my manager.
For the rest of it, this week we received 17,371 email messages from 236 different IP addresses. Our SMTP server handled 18,603 sessions from 1,015 different IP addresses. This is slightly down from last week, but still well up on our historical trends.
Looking at the mail traffic, I think that this is due to mailing lists (especially local ones) becoming more active and to more status monitoring emails, with both going to only a couple of local users. The top two local users got 7,000 messages and 4,250 messages this week; the next most popular human recipient got only 160.
Our connection volume is down from last week, back to what I consider the (new) normal: 103,500 connections from at least 34,600 different IP addresses. Broken down by day, it goes:
Day | Connections | different IPs (+ marks IPs not seen earlier in the week) |
Sunday | 12,920 | 5,200 |
Monday | 17,000 | +5,590 |
Tuesday | 15,750 | +5,660 |
Wednesday | 20,630 | +6,580 |
Thursday | 13,410 | +4,210 |
Friday | 15,000 | +4,400 |
Saturday | 8,800 | +2,960 |
While there's a little Wednesday peak, there was no Thursday jump; instead things fall off then, and continue to fall for the rest of the week.
Kernel level packet filtering top ten:
Host/Mask | Packets | Bytes |
65.110.13.98 | 8632 | 518K |
212.216.176.0/24 | 8619 | 429K |
81.56.74.165 | 8551 | 435K |
201.245.43.254 | 7017 | 357K |
66.62.47.34 | 4963 | 298K |
66.62.47.57 | 4923 | 295K |
65.110.13.99 | 4086 | 245K |
207.14.219.245 | 3308 | 155K |
210.103.205.230 | 3027 | 145K |
193.41.153.65 | 2920 | 140K |
- Only 193.41.153.65 reappears from previous top listings, and that from a long time ago. It's one of our permanent blocks for very fast retries on a bad HELO name.
- 65.110.13.98 is in SBL11354.
- 66.62.47.34 and 66.62.47.57 are part of SBL34212.
- 81.56.74.165 is a dialup-like proxad.net machine.
- 201.245.43.254 and 210.103.205.230 have bad or missing reverse DNS and are from areas (LACNIC and APNIC respectively) where we only accept connections from IP addresses with good reverse DNS. (210.103.205.230 is also in dnsbl.njabl.org.)
- 207.14.219.245 sent us bad HELO names too often (and is in bl.spamcop.net and several other DNSBLs).
Unlike last week, we have a lot more entries with relatively high packet counts. But a lot of them look like spammers, as opposed to people trying to dump spam backscatter on us.
Connection time rejection stats:
Count | Reason |
24224 | total |
11287 | dynamic IP |
7981 | bad or no reverse DNS |
2641 | class bl-cbl |
586 | class bl-ordb |
535 | class bl-sbl |
307 | class bl-dsbl |
218 | class bl-spews |
176 | class bl-sdul |
150 | class bl-njabl |
7 | class bl-opm |
(As usual, other sources of connection time rejections are insignificant.)
There's no one as prolific as last week, although 68.207.108.73 and 210.207.185.214 made an attempt at it (both are in the CBL). In fact, five of the top 10 most prolific IP addresses are in the CBL; two are in the SBL, and three in dnsbl.njabl.org (two of which were also in list.dsbl.org). Despite the prolific DNSBL presence, the reasons for listing break down to one 'dialup', five lacking good reverse DNS, two in the SBL, and one each for list.dsbl.org and dnsbl.njabl.org.
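Why the listing reasons above don't line up with raw DNSBL presence is easiest to see with a small script. The following is an added example, not the filter that actually runs on our server: it assumes that rejection rules are checked in a fixed order (dynamic-looking reverse DNS first, then the reverse DNS requirement for LACNIC/APNIC addresses, then the DNSBLs) and that a connection is counted under the first rule that rejects it. The rule order, the per-address region, and the connection records themselves are all constructed for the example.

```python
"""Tally connection-time rejections by first matching rule.

Example code added to illustrate the breakdown above; it is not the filter
running on the real server.  The rule order, the region lookup and the
connection records are constructed for this example.
"""
import re
from collections import Counter

# Reverse DNS names that look like dynamically assigned (dialup/DSL/cable) hosts.
DYNAMIC_RE = re.compile(r"(dialup|dsl|dyn|ppp|cable)", re.I)

# Registry regions where we accept connections only from IPs with good
# reverse DNS (the post names LACNIC and APNIC).
RDNS_REQUIRED_REGIONS = {"LACNIC", "APNIC"}

# DNSBL classes in the order they are consulted (assumed order, using the
# labels from the post's breakdown).
DNSBL_ORDER = ("cbl", "ordb", "sbl", "dsbl", "spews", "sdul", "njabl", "opm")

# Constructed connection records.  'rdns' is the PTR name (None = no PTR);
# 'rdns_ok' says whether the PTR's forward lookup confirmed the IP.
# Addresses are from the TEST-NET range, not real hosts.
SAMPLE = [
    {"ip": "192.0.2.10", "rdns": "ppp-10.example.net", "rdns_ok": True,  "region": "ARIN",   "dnsbls": {"cbl"}},
    {"ip": "192.0.2.11", "rdns": None,                 "rdns_ok": False, "region": "APNIC",  "dnsbls": {"cbl", "njabl"}},
    {"ip": "192.0.2.12", "rdns": "mail.example.org",   "rdns_ok": True,  "region": "RIPE",   "dnsbls": {"sbl"}},
    {"ip": "192.0.2.13", "rdns": "host13.example.com", "rdns_ok": False, "region": "LACNIC", "dnsbls": set()},
    {"ip": "192.0.2.14", "rdns": "mx.example.com",     "rdns_ok": True,  "region": "ARIN",   "dnsbls": set()},
    {"ip": "192.0.2.15", "rdns": None,                 "rdns_ok": False, "region": "ARIN",   "dnsbls": {"cbl"}},
]


def classify(rec):
    """Return the rejection reason for one connection, or None if it is accepted.

    Rules fire in order and only the first match is recorded, which is why a
    CBL-listed host with no reverse DNS is counted as 'bad or no reverse DNS'.
    """
    if rec["rdns"] and DYNAMIC_RE.search(rec["rdns"]):
        return "dynamic IP"
    good_rdns = rec["rdns"] is not None and rec["rdns_ok"]
    if not good_rdns and rec["region"] in RDNS_REQUIRED_REGIONS:
        return "bad or no reverse DNS"
    for bl in DNSBL_ORDER:
        if bl in rec["dnsbls"]:
            return "class bl-" + bl
    return None


def summarize(records):
    """Return (rejection reasons, raw DNSBL presence) as two Counters."""
    reasons = Counter()
    listed_in = Counter()
    for rec in records:
        for bl in rec["dnsbls"]:
            listed_in[bl] += 1  # counted whether or not that DNSBL was the reason
        reason = classify(rec)
        if reason is not None:
            reasons[reason] += 1
    return reasons, listed_in


if __name__ == "__main__":
    reasons, listed_in = summarize(SAMPLE)
    print(f"{sum(reasons.values())} total")
    for reason, n in reasons.most_common():
        print(f"{n} {reason}")
    print("DNSBL presence regardless of reason:", dict(listed_in))
```

Running it on the constructed records counts three CBL-listed hosts but only one 'class bl-cbl' rejection, because the other two were caught earlier by the dynamic-name and reverse DNS rules; that is the same effect as the five CBL hosts in this week's top 10 showing up mostly under 'lacking good reverse DNS'.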
I think I'll stop the breakdown now.
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 704 | 65 | 682 | 76 |
Bad bounces | 178 | 118 | 190 | 98 |
This week we have fewer sources of bad HELO names, but they're a bit more prolific; the most aggressive was 195.63.35.42, with 111 connections, followed by 212.248.13.106 with 66. (Last week the most aggressive source had 52.)