Weekly spam summary on December 3rd, 2005

December 4, 2005

I'll lead with Hotmail's spam numbers:

  • four emails accepted, and I know for sure that two of them were spam.
  • 239 messages rejected because they came from non-Hotmail email addresses.
  • 24 messages refused because their sender addresses had already hit our spamtraps.
  • 10 messages refused due to their origin IP address (5 in the SBL, 4 in the CBL, and one from Nigeria).

The case for banning Hotmail entirely becomes more and more compelling. It's probably time to raise it with the rest of my group and my manager.

For the rest of it, this week we received 17,371 email messages from 236 different IP addresses. Our SMTP server handled 18,603 sessions from 1,015 different IP addresses. This is slightly down from last week, but still well up on our historical trends.

Looking at the mail traffic, I think that this is due to mailing lists (especially local ones) becoming more active, plus more status monitoring emails, and almost all of it going to only a couple of local users. The top two local users got 7,000 and 4,250 messages this week; the next most popular human recipient got only 160.

Our connection volume is down from last week, back to what I consider the (new) normal: 103,500 connections from at least 34,600 different IP addresses. Broken down by day, it goes:

Day          Connections   different IPs
Sunday            12,920           5,200
Monday            17,000          +5,590
Tuesday           15,750          +5,660
Wednesday         20,630          +6,580
Thursday          13,410          +4,210
Friday            15,000          +4,400
Saturday           8,800          +2,960

(The '+' entries are IP addresses not already seen earlier in the week; they add up to the 34,600 total above.)

While there's a little Wednesday peak, there was no Thursday jump; instead things fall off then and, apart from a small Friday recovery, stay down for the rest of the week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                       8632    518K
                       8619    429K
                       8551    435K
                       7017    357K
                       4963    298K
                       4923    295K
                       4086    245K
                       3308    155K
                       3027    145K
                       2920    140K

(The Host/Mask addresses did not survive in this copy of the page; the entries are described below.)
  • Only reappears from previous top listings, and that from a long time ago. It's one of our permanent blocks for very fast retries on a bad HELO name.
  • is in SBL11354.
  • and are part of SBL34212.
  • is a dialup-like proxad.net machine.
  • and have bad or missing reverse DNS and are from areas (LACNIC and APNIC respectively) where we only accept connections from IP addresses with good reverse DNS. ( is also in dnsbl.njabl.org.)
  • sent us bad HELO names too often (and is in bl.spamcop.net and several other DNSBLs).

Unlike last week, we have a lot more entries with relatively high packet counts, but a lot of them look like spammers rather than people trying to dump spam backscatter on us.
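As an added illustration (not code from the original post) of the escalation mentioned above, where a source that retries too fast after a bad HELO name graduates from an SMTP-time rejection to a permanent kernel-level packet-filter block: what counts as a bad HELO name, the "five bad HELOs within sixty seconds" threshold, the host names and the sample sessions are all assumptions constructed for this example.

```python
"""Escalating repeat bad-HELO offenders from an SMTP-time rejection to a
packet-filter block.  Added example, not the original post's code.  The
bad-HELO policy, the limit/window, OUR_NAMES and SAMPLE_SESSIONS are all
assumptions constructed here.
"""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# Names only our own server may legitimately present in HELO (assumption).
OUR_NAMES = {"mail.example.edu", "[192.0.2.1]"}
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)
LITERAL_RE = re.compile(r"^\[(\d{1,3}\.){3}\d{1,3}\]$")   # RFC-style [a.b.c.d]
BARE_IP_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")       # a.b.c.d with no brackets


def is_bad_helo(helo: str) -> bool:
    """Assumed policy: reject HELO names that claim to be us, bare unbracketed
    IP addresses, and anything that is neither a dotted hostname nor an
    address literal."""
    if helo.lower() in OUR_NAMES or BARE_IP_RE.match(helo):
        return True
    return not (HOSTNAME_RE.match(helo) or LITERAL_RE.match(helo))


class HeloWatch:
    """Sliding-window count of bad HELOs per source IP.  Once the limit is
    reached inside the window the IP is handed to the packet filter for good."""

    def __init__(self, limit: int = 5, window: float = 60.0) -> None:
        self.limit = limit
        self.window = window
        self.events: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Set[str] = set()

    def bad_helo(self, ip: str, ts: float) -> bool:
        """Record a rejected HELO from ip at time ts (seconds).  Returns True
        when ip should be (or already is) blocked at the packet level."""
        if ip in self.blocked:
            return True
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget events outside the window
            q.popleft()
        if len(q) >= self.limit:
            self.blocked.add(ip)
            del self.events[ip]                # history is irrelevant once blocked
            return True
        return False


def escalation_trace(limit: int, window: float, times: Iterable[float]) -> List[bool]:
    """Feed one IP's bad-HELO timestamps through a fresh HeloWatch and return
    the per-event block decisions, e.g. [False, False, True]."""
    w = HeloWatch(limit, window)
    return [w.bad_helo("198.51.100.1", t) for t in times]


# Constructed (timestamp, source IP, HELO name) sessions for the example.
SAMPLE_SESSIONS: List[Tuple[float, str, str]] = [
    (0, "192.0.2.50", "localhost"),          # five bad HELOs in five seconds
    (1, "192.0.2.50", "localhost"),
    (2, "192.0.2.50", "192.0.2.50"),
    (3, "192.0.2.50", "localhost"),
    (4, "192.0.2.50", "localhost"),
    (10, "198.51.100.20", "workstation"),    # three bad HELOs, minutes apart
    (200, "198.51.100.20", "workstation"),
    (400, "198.51.100.20", "workstation"),
    (20, "203.0.113.30", "mail.example.org"),   # fine
    (30, "203.0.113.31", "[203.0.113.31]"),     # fine: address literal
    (40, "203.0.113.32", "mail.example.edu"),   # claims to be us, but only once
]


def process(sessions: Iterable[Tuple[float, str, str]],
            watch: Optional[HeloWatch] = None) -> Set[str]:
    """Run the sessions through the policy; return the IPs to block in the kernel."""
    watch = watch or HeloWatch()
    for ts, ip, helo in sessions:
        if is_bad_helo(helo):
            watch.bad_helo(ip, ts)
    return set(watch.blocked)


if __name__ == "__main__":
    for ip in sorted(process(SAMPLE_SESSIONS)):
        print("block at packet level:", ip)
```

Only the fast retrier ends up in the block set; the slow one keeps being rejected at SMTP time, which is cheaper than a kernel rule and leaves room for it to fix its configuration.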

Connection time rejection stats:

  24224 total
  11287 dynamic IP
   7981 bad or no reverse DNS
   2641 class bl-cbl
    586 class bl-ordb
    535 class bl-sbl
    307 class bl-dsbl
    218 class bl-spews
    176 class bl-sdul
    150 class bl-njabl
      7 class bl-opm

(As usual, other sources of connection time rejections are insignificant.)

There's no one as prolific as last week, although two IP addresses (both in the CBL) made an attempt at it. In fact, five of the top 10 most prolific IP addresses are in the CBL; two are in the SBL, and three are in dnsbl.njabl.org (two of which were also in list.dsbl.org). Despite that DNSBL presence, the reasons we actually rejected them break down to one 'dialup', five lacking good reverse DNS, two in the SBL, and one each for list.dsbl.org and dnsbl.njabl.org; the dynamic-IP and reverse DNS checks fire first, so most of these never got as far as a DNSBL lookup.
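The rejection stats above and the "reasons for rejection versus DNSBL presence" point can be made concrete with a small ordered classifier. This is an added example, not the rejection code behind the post's numbers: the first check that matches is the recorded reason, so an IP that sits in several DNSBLs is still tallied under 'dynamic IP' or 'bad or no reverse DNS'. The lookup tables are constructed stand-ins for live DNS and DNSBL queries, and the check order, the dynamic-name pattern and the "good reverse DNS required only for LACNIC/APNIC space" rule are assumptions modelled on the post's description.

```python
"""Connection-time rejection classifier with an ordered chain of checks.

Added example, not the code behind the original post's statistics.  PTR,
FORWARD, REGISTRY and DNSBL are constructed data; RDNS_REQUIRED, DNSBL_ORDER
and DYNAMIC_RE are assumptions about policy and check order.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Constructed PTR records (None = no PTR record at all).
PTR: Dict[str, Optional[str]] = {
    "192.0.2.10":   "dsl-192-0-2-10.example-isp.net",  # dynamic-looking name
    "192.0.2.11":   "mail.example.org",
    "192.0.2.12":   None,                               # no PTR, ARIN space
    "198.51.100.5": None,                               # no PTR, APNIC space
    "198.51.100.6": "host.example.com",
    "203.0.113.7":  "stale-ptr.example.net",            # PTR does not confirm
    "203.0.113.8":  "smtp.example.net",
    "203.0.113.9":  "relay.example.edu",
}
# Constructed A records for the PTR names (forward-confirmed rDNS needs these).
FORWARD: Dict[str, str] = {
    "dsl-192-0-2-10.example-isp.net": "192.0.2.10",
    "mail.example.org": "192.0.2.11",
    "host.example.com": "198.51.100.6",
    "stale-ptr.example.net": "203.0.113.99",   # points somewhere else
    "smtp.example.net": "203.0.113.8",
    "relay.example.edu": "203.0.113.9",
}
# Constructed regional registry for each address.
REGISTRY: Dict[str, str] = {
    "192.0.2.10": "ARIN", "192.0.2.11": "ARIN", "192.0.2.12": "ARIN",
    "198.51.100.5": "APNIC", "198.51.100.6": "ARIN",
    "203.0.113.7": "LACNIC", "203.0.113.8": "APNIC", "203.0.113.9": "RIPE",
}
# Constructed DNSBL listings, keyed by address.
DNSBL: Dict[str, Set[str]] = {
    "192.0.2.10":   {"cbl", "njabl"},
    "198.51.100.5": {"cbl", "sbl"},
    "198.51.100.6": {"sbl", "dsbl"},
    "203.0.113.8":  {"njabl", "dsbl"},
}

RDNS_REQUIRED = {"LACNIC", "APNIC"}   # assumption: where good rDNS is mandatory
DNSBL_ORDER: List[str] = ["cbl", "ordb", "sbl", "dsbl", "spews", "sdul", "njabl", "opm"]  # assumed order
DYNAMIC_RE = re.compile(r"\b(dsl|dialup|dial|ppp|dyn|dhcp|cable)\b|(\d{1,3}[-.]){3}\d{1,3}")

SAMPLE_IPS: List[str] = list(PTR)


def dynamic_name(ptr: Optional[str]) -> bool:
    """Does the PTR name look like a dynamic / dialup pool entry?"""
    return ptr is not None and DYNAMIC_RE.search(ptr) is not None


def good_reverse_dns(ip: str) -> bool:
    """Forward-confirmed rDNS: a PTR exists and its A record points back at ip."""
    name = PTR.get(ip)
    return name is not None and FORWARD.get(name) == ip


def rejection_reason(ip: str) -> Optional[str]:
    """First matching check wins; None means the connection is accepted."""
    if dynamic_name(PTR.get(ip)):
        return "dynamic IP"
    if REGISTRY.get(ip) in RDNS_REQUIRED and not good_reverse_dns(ip):
        return "bad or no reverse DNS"
    listed = DNSBL.get(ip, set())
    for bl in DNSBL_ORDER:          # only the first listing is ever recorded
        if bl in listed:
            return f"class bl-{bl}"
    return None


def tally(ips: Iterable[str]) -> Counter:
    """Count rejections by reason, plus a 'total' entry, like the weekly stats."""
    counts: Counter = Counter()
    for ip in ips:
        reason = rejection_reason(ip)
        if reason is not None:
            counts["total"] += 1
            counts[reason] += 1
    return counts


def dnsbl_listed_count(ips: Iterable[str]) -> int:
    """How many of these IPs are in at least one DNSBL, whatever we rejected them for."""
    return sum(1 for ip in ips if DNSBL.get(ip))


def format_tally(counts: Counter) -> str:
    lines = [f"{counts['total']:7d} total"]
    rest = sorted(((r, n) for r, n in counts.items() if r != "total"), key=lambda x: -x[1])
    lines.extend(f"{n:7d} {r}" for r, n in rest)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_tally(tally(SAMPLE_IPS)))
    print(f"{dnsbl_listed_count(SAMPLE_IPS)} of {len(SAMPLE_IPS)} are in some DNSBL")
```

On the constructed data four of the eight addresses are in a DNSBL, but only two rejections are recorded under a `bl-*` class; the other two DNSBL-listed hosts are caught earlier by the dynamic-name and reverse DNS checks, which is the same shape as the numbers above.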

I think I'll stop the breakdown now.

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      704 (65)                     682 (76)
Bad bounces    178 (118)                    190 (98)

This week we have fewer sources of bad HELO names, but they're a bit more prolific; the most aggressive source made 111 connections, followed by one with 66. (Last week the most aggressive source had 52.)

Written on 04 December 2005.
Last modified: Sun Dec 4 01:39:17 2005