Weekly spam summary on December 17th, 2005
To start with, Hotmail's numbers:
- 3 emails accepted from Hotmail, at least two of them likely spam.
- 263 messages rejected because they came from non-Hotmail email addresses.
- 106 messages sent to our spamtraps.
- 33 messages refused because their sender addresses had already hit our spamtraps.
- 6 messages refused due to their origin IP address (five for being in the SBL, and one from Nigeria).
Despite all of these crappy numbers, we've determined that we get at least some legitimate and wanted email from Hotmail, so we will not be blocking them entirely. Oh well. Dear Hotmail: please fix your spam problems.
On the rest of the numbers:
This week we received 16,179 email messages from 209 different IP addresses. Our SMTP server handled 23,552 sessions from 2,014 different IP addresses. Email volume is slightly down from last week, although session volume is up significantly and the number of sources has doubled.
Connection volume is up significantly from last week: 150,000 connections from at least 42,800 different IP addresses. Again there is a significant jump in the number of different IP addresses trying to talk to us.
Most of the week looks relatively ordinary (although overall higher than last week), but come Friday we see a significant upturn. I suspect that this trend will continue through next week.
Kernel level packet filtering top ten:
    Host/Mask           Packets   Bytes
    188.8.131.52           6694    402K
    184.108.40.206         5600    269K
    220.127.116.11         5552    266K
    18.104.22.168          5047    242K
    22.214.171.124         4860    292K
    126.96.36.199/24       3766    187K
    188.8.131.52           2620    131K
    184.108.40.206         2475    126K
    220.127.116.11         2209    106K
    18.104.22.168          2108    101K
Apart from Telecom Italia's outgoing mail servers, this is all individual hosts.
- Only 22.214.171.124 returns from before.
- 126.96.36.199 is a fastwebnet.it machine; we don't talk to any of them due to too much spam.
- 188.8.131.52, 184.108.40.206, and 220.127.116.11 are all what we consider 'dialup' machines.
- 18.104.22.168 is on the ORDB.
- 22.214.171.124 is on the CBL.
- 126.96.36.199 and 188.8.131.52 are both lacking in good reverse DNS.
- 184.108.40.206 sent us too many unresolvable
The overall packet counts are up somewhat over last week.
Connection time rejection stats:
    29999  total
    14435  dynamic IP
     8935  bad or no reverse DNS
     4243  class bl-cbl
      620  class bl-sbl
      497  class bl-ordb
      326  class bl-sdul
      249  class bl-dsbl
      222  class bl-spews
       54  class bl-njabl
       11  class bl-opm
The 'dynamic IP' and CBL numbers have jumped significantly, without having any one single source. It looks like spammers have started up targeting our users with significant spam runs, most of which we have hopefully refused.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
I'm not surprised by the sudden jump in both of these numbers, although I'm not thrilled either (especially by the jump in bad bounces, since that means spammers are back to forging us into the origin addresses of their spams).