Weekly spam summary on December 10th, 2005

December 11, 2005

Once again I'll lead with Hotmail's spam numbers, because they continue to be bad:

  • one email accepted (probably spam).
  • 218 messages rejected because they came from non-Hotmail email addresses.
  • 111 messages sent to our spamtraps.
  • 30 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (all for being in the SBL).

Now, on to the general numbers.

This week we received 17,296 email messages from 202 different IP addresses. Our SMTP server handled 18,730 sessions from 998 different IP addresses. This is about the same as last week, and once again we have two very active local users (6,993 and 4,302 messages) and the Linux kernel mailing list (2,225 messages) as a good part of the volume.

Connection volume is down from last week: 85,479 connections from at least 29,652 different IP addresses. The drop in the number of different IP addresses trying to send us mail is interesting. Broken down by day it goes:

Day Connections different IPs
Sunday 12,220 +4,480
Monday 12,910 +4,590
Tuesday 14,600 +5,070
Wednesday 11,270 +4,070
Thursday 12,140 +4,670
Friday 12,720 +3,750
Saturday 9,600 +3,010

Apart from a slight spike on Tuesday, this is basically flat. I'll probably not bother to report such flat numbers in detail in the future. (This table is still built by hand in a relatively hacky way. Besides, it takes up space.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes       5708    282K           5292    269K          3813    178K            3179    191K          2982    144K           2684    129K         2621    157K        2275    109K          2050   98400         1861   95064

This week's kernel level rejection stats are remarkably low.

  • is a Deutsche Telekom block, apparently all dialups. DT has a serious open proxy problem, one virulent enough that we have firewalled their entire IP blocks for some time rather than play whack-a-mole.
  • reappearing from before are,, and (Two of them from last week, even.)
  • is on list.dsbl.org.
  • is a Chinese IP address with no reverse DNS.
  • and both tried to feed us bad HELO names too often. Since is a rima-tde.net IP address (with generic reverse DNS), I'm not terribly charitable towards it to start with. is interesting; it is one of the machines that are 'smtpout.btconnect.com', but it HELO'd repeatedly as 'hesl02uker.he.local'.

Connection time rejection stats:

  15345 total
   7443 dynamic IP
   4688 bad or no reverse DNS
   1816 class bl-cbl
    325 class bl-ordb
    305 class bl-sbl
    300 class bl-dsbl
    139 class bl-spews
    103 class bl-njabl
    101 class bl-sdul
      8 class bl-opm

There are no particularly prolific single IP addresses.

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 716 67 704 65
Bad bounces 135 99 178 118

Bounces continue to slide, leading me to hope that spammers have more or less given up forging our domains as the MAIL FROM of their spam runs. The clear champion of bad HELO names is, a PacBell ADSL line (sigh); comes in third.

(This is somewhat variable, as we don't promote IP addresses into the kernel blocklists on any predictable schedule. Possibly I should change that.)

Written on 11 December 2005.
« How not to set up your DNS (part 6)
Waiting for both network IO and inter-thread notifications »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Dec 11 00:40:54 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.