Weekly spam summary on December 17th, 2005
To start with, Hotmail's numbers:
- 3 emails accepted from Hotmail, at least two of them likely spam.
- 263 messages rejected because they came from non-Hotmail email addresses.
- 106 messages sent to our spamtraps.
- 33 messages refused because their sender addresses had already hit our spamtraps.
- 6 messages refused due to their origin IP address (five for being in the SBL, and one from Nigeria).
Despite all of these crappy numbers, we've determined that we get at least some legitimate and wanted email from Hotmail, so we will not be blocking them entirely. Oh well. Dear Hotmail: please fix your spam problems.
On the rest of the numbers:
This week we received 16,179 email messages from 209 different IP addresses. Our SMTP server handled 23,552 sessions from 2,014 different IP addresses. Email volume is slightly down from last week, although session volume is up significantly and the number of sources has doubled.
Connection volume is up significantly from last week: 150,000 connections from at least 42,800 different IP addresses. Again there is a significant jump in the number of different IP addresses trying to talk to us.
Most of the week looks relatively ordinary (although overall higher than last week), but come Friday and we see a significant upturn. I suspect that this trend will continue on through next week.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 18.104.22.168 6694 402K 22.214.171.124 5600 269K 126.96.36.199 5552 266K 188.8.131.52 5047 242K 184.108.40.206 4860 292K 220.127.116.11/24 3766 187K 18.104.22.168 2620 131K 22.214.171.124 2475 126K 126.96.36.199 2209 106K 188.8.131.52 2108 101K
Apart from Telecom Italia's outgoing mail servers, this is all individual hosts.
- Only 184.108.40.206 returns from before.
- 220.127.116.11 is a fastwebnet.it machine; we don't talk to any of them due to too much spam.
- 18.104.22.168, 22.214.171.124, and 126.96.36.199 are all what we consider 'dialup' machines.
- 188.8.131.52 is on the ORDB.
- 184.108.40.206 is on the CBL.
- 220.127.116.11 and 18.104.22.168 are both lacking in good reverse DNS.
- 22.214.171.124 sent us too many unresolvable
The overall packet counts are up somewhat over last week.
Connection time rejection stats:
29999 total 14435 dynamic IP 8935 bad or no reverse DNS 4243 class bl-cbl 620 class bl-sbl 497 class bl-ordb 326 class bl-sdul 249 class bl-dsbl 222 class bl-spews 54 class bl-njabl 11 class bl-opm
The 'dynamic IP' and CBL numbers have jumped significantly, without having any one single source. It looks like spammers have started up targeting our users with significant spam runs, most of which we have hopefully refused.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
I'm not surprised by the sudden jump in both of these numbers, although I'm not thrilled either (especially by the jump in bad bounces, since that means spammers are back to forging us into the origin addresses of their spams).