Weekly spam summary on December 10th, 2005
Once again I'll lead with Hotmail's spam numbers, because they continue to be bad:
- one email accepted (probably spam).
- 218 messages rejected because they came from non-Hotmail email addresses.
- 111 messages sent to our spamtraps.
- 30 messages refused because their sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (all for being in the SBL).
Now, on to the general numbers.
This week we received 17,296 email messages from 202 different IP addresses. Our SMTP server handled 18,730 sessions from 998 different IP addresses. This is about the same as last week, and once again we have two very active local users (6,993 and 4,302 messages) and the Linux kernel mailing list (2,225 messages) as a good part of the volume.
Connection volume is down from last week: 85,479 connections from at least 29,652 different IP addresses. The drop in the number of different IP addresses trying to send us mail is interesting. Broken down by day it goes:
Apart from a slight spike on Tuesday, this is basically flat. I'll probably not bother to report such flat numbers in detail in the future. (This table is still built by hand in a relatively hacky way. Besides, it takes up space.)
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 22.214.171.124/24 5708 282K 126.96.36.199 5292 269K 188.8.131.52 3813 178K 184.108.40.206 3179 191K 220.127.116.11/12 2982 144K 18.104.22.168 2684 129K 22.214.171.124 2621 157K 126.96.36.199 2275 109K 188.8.131.52 2050 98400 184.108.40.206/12 1861 95064
This week's kernel level rejection stats are remarkably low.
- 220.127.116.11/12 is a Deutsche Telekom block, apparently all dialups. DT has a serious open proxy problem, one virulent enough that we have firewalled their entire IP blocks for some time rather than play whack-a-mole.
- reappearing from before are 18.104.22.168, 22.214.171.124, and 126.96.36.199. (Two of them from last week, even.)
- 188.8.131.52 is on list.dsbl.org.
- 184.108.40.206 is a Chinese IP address with no reverse DNS.
- 220.127.116.11 and 18.104.22.168 both tried to feed us bad
HELOnames too often. Since 22.214.171.124 is a rima-tde.net IP address (with generic reverse DNS), I'm not terribly charitable towards it to start with. 126.96.36.199 is interesting; it is one of the machines that are 'smtpout.btconnect.com', but it
HELO'd repeatedly as 'hesl02uker.he.local'.
Connection time rejection stats:
15345 total 7443 dynamic IP 4688 bad or no reverse DNS 1816 class bl-cbl 325 class bl-ordb 305 class bl-sbl 300 class bl-dsbl 139 class bl-spews 103 class bl-njabl 101 class bl-sdul 8 class bl-opm
There are no particularly prolific single IP addresses.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Bounces continue to slide, leading me to hope that spammers have more
or less given up forging our domains as the
MAIL FROM of their spam
runs. The clear champion of bad
HELO names is 188.8.131.52, a
PacBell ADSL line (sigh); 184.108.40.206 comes in third.
(This is somewhat variable, as we don't promote IP addresses into the kernel blocklists on any predictable schedule. Possibly I should change that.)