Weekly spam summary on December 24th, 2005
Merry Christmas and happy holidays to all, and to the spammers a lump of coal since they do not seem to be taking time off at all.
This week we received 14,342 email messages from 206 different IP addresses. Our SMTP server handled 74,689 sessions from 6,178 different IP addresses. Received email is down from last week, which is no surprise since the university knocked off for Christmas holidays on Wednesday, but session volume is way up.
Connection volume is up too: 262,200 connections from at least 44,100 different IP addresses. Interestingly, total IP addresses aren't up all that much from last week. Broken down by days:
Apparently spammers get a real 'bah humbug', given the explosion in connections on Friday and especially Saturday, Christmas Eve.
Kernel level packet filtering top ten:
Host/Mask        Packets   Bytes
18.104.22.168      37005   2220K
22.214.171.124      6782    303K
126.96.36.199       6153    313K
188.8.131.52        5205    259K
184.108.40.206      4552    213K
220.127.116.11      4264    196K
18.104.22.168       4037    189K
22.214.171.124      3996    226K
126.96.36.199       3965    185K
188.8.131.52        3676    169K
It's rare that all of the top ten are individual IP addresses, which goes to show how active the spam has been recently.
- 184.108.40.206 is a fastweb.it machine; we don't talk to them due to previous spam problems.
- Reappearing from before are 220.127.116.11, 18.104.22.168, and 22.214.171.124.
- 126.96.36.199 and 188.8.131.52 used bad HELO names a lot.
- 184.108.40.206 is on the CBL; from its hostname, it may be a NAT machine.
- 220.127.116.11 and 18.104.22.168 are both end-user machines, one a DSL line and one a cablemodem.
- 22.214.171.124 is in SPEWS due to UUNet's habit of continuing to take money from Eric Reinertsen.
Connection time rejection stats:
31796 total
16883 dynamic IP
 7385 bad or no reverse DNS
 3344 class bl-cbl
 1749 class bl-spews
  586 class bl-dsbl
  460 class bl-ordb
  435 class bl-sbl
  265 class bl-sdul
   28 class bl-opm
   20 class bl-njabl
SPEWS has jumped a lot from last week, but everyone else seems to have held more or less to par. There are a number of pretty active sources, but no one over 277 connection rejections.
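The rejection classes above are a partition: each refused connection is counted once, under whichever check fired first. The following is an added example, not code from this page or from our mail system, showing how such a connection-time classifier and summary can be built. The priority order (dynamic IP, then reverse DNS, then the DNS blocklists in the order listed), the hostname patterns used to guess at dynamically assigned addresses, and the connection records themselves are all constructed assumptions for illustration; real deployments use curated dynamic-IP lists and live DNSBL lookups rather than the in-record hits used here.

```python
"""Connection-time rejection classifier and summary (added example)."""
import re
from collections import Counter

# Assumed priority order for the DNS blocklist classes; a connection listed
# in several blocklists is counted only under the first one that matches.
DNSBL_CLASSES = ("bl-cbl", "bl-spews", "bl-dsbl", "bl-ordb",
                 "bl-sbl", "bl-sdul", "bl-opm", "bl-njabl")

# Hypothetical patterns for PTR names that look like dynamically assigned
# end-user addresses (DSL, cable, dial-up pools). Illustrative only.
DYNAMIC_PTR_RE = re.compile(
    r"(^|[.-])(dsl|adsl|cable|cablemodem|dyn(amic)?|pool|ppp|dhcp|dial(up)?)([.-]|$)",
    re.IGNORECASE)


def looks_dynamic(ptr):
    """True if the reverse DNS name matches one of the dynamic-pool patterns."""
    return ptr is not None and DYNAMIC_PTR_RE.search(ptr) is not None


def bad_reverse_dns(ptr, forward_ips, ip):
    """True if there is no PTR, or the PTR name does not resolve back to ip."""
    if ptr is None:
        return True
    return ip not in forward_ips


def classify(conn):
    """Return the rejection class for one connection record, or None to accept.

    conn is a dict with keys: ip, ptr (None if no reverse DNS), forward
    (tuple of IPs the PTR name resolves to), dnsbl (tuple of list hits).
    """
    ip = conn["ip"]
    ptr = conn.get("ptr")
    if looks_dynamic(ptr):
        return "dynamic IP"
    if bad_reverse_dns(ptr, conn.get("forward", ()), ip):
        return "bad or no reverse DNS"
    hits = conn.get("dnsbl", ())
    for cls in DNSBL_CLASSES:
        if cls in hits:
            return "class " + cls
    return None


def summarize(conns):
    """Count rejected connections per class; accepted ones are not counted."""
    counts = Counter()
    for c in conns:
        cls = classify(c)
        if cls is not None:
            counts[cls] += 1
    return counts


def format_summary(counts):
    """Render the counts in the 'N total / N class' shape used in the summary."""
    lines = ["%6d total" % sum(counts.values())]
    for cls, n in counts.most_common():
        lines.append("%6d %s" % (n, cls))
    return "\n".join(lines)


# Constructed sample connections using documentation-range addresses.
SAMPLE_CONNECTIONS = [
    {"ip": "192.0.2.10", "ptr": "mail.example.net", "forward": ("192.0.2.10",)},
    {"ip": "192.0.2.11", "ptr": "pool-192-0-2-11.dsl.example.net",
     "forward": ("192.0.2.11",)},                                  # dynamic pool
    {"ip": "192.0.2.12", "ptr": None},                             # no reverse DNS
    {"ip": "192.0.2.13", "ptr": "mx.example.org", "forward": ("192.0.2.99",)},  # mismatch
    {"ip": "192.0.2.14", "ptr": "relay.example.com", "forward": ("192.0.2.14",),
     "dnsbl": ("bl-spews", "bl-cbl")},                             # CBL wins the tie
    {"ip": "192.0.2.15", "ptr": "host15.example.com", "forward": ("192.0.2.15",),
     "dnsbl": ("bl-spews",)},
    {"ip": "192.0.2.16", "ptr": "nat-gw.cable.example.net", "forward": ("192.0.2.16",),
     "dnsbl": ("bl-cbl",)},                                        # dynamic beats CBL
]

if __name__ == "__main__":
    print(format_summary(summarize(SAMPLE_CONNECTIONS)))
```

Because the classes are checked in a fixed order, a host that is both on a dynamic pool and in the CBL shows up only under "dynamic IP"; moving a check up or down the list changes the per-class counts without changing the total, which is worth remembering when comparing week-to-week numbers.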
The other numbers are eye-opening:
what | # this week (distinct IPs) | # last week (distinct IPs)
This has been a catastrophic week for bad HELO names and for bounces. 126.96.36.199 sent us over 1600 bad HELO names before getting blocked, and there are a lot of people in the several hundred range. (Partly this may be because we have been blocking people less
Bad bounces are not quite so voluminous, but all sorts of people dumped hundreds on us, including AOL. The most active is 188.8.131.52, with 330 sessions. It seems clear that spammers have started forging our domains in their spam runs once again.
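As an added example, not code from this page or from our mail system, here is one way to decide that a HELO/EHLO name is bad and to block a source once it has sent too many of them, which is the "sent us over 1600 bad HELO names before getting blocked" behaviour described above. The rules (the name must be a fully qualified domain name or a bracketed address literal, and must not claim to be one of our own names or addresses), the threshold of five, and the names, addresses and session list are all constructed assumptions; the page does not say which rules or threshold are in use.

```python
"""HELO/EHLO name checks with per-source blocking (added example)."""
import re
from collections import defaultdict

# Constructed: the names and addresses this server answers to. A remote
# client that greets us with one of these is lying about who it is.
OUR_NAMES = {"mail.example.edu", "smtp.example.edu"}
OUR_IPS = {"192.0.2.25"}

# Assumed threshold: after this many bad HELOs from one IP, refuse its
# sessions outright. The original page does not state its threshold.
BAD_HELO_LIMIT = 5

# One DNS label: 1-63 characters of letters, digits and hyphens, not
# starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def is_fqdn(name):
    """At least two valid labels, and a top-level label that is not all digits."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def is_ipv4(text):
    """Dotted-quad with every octet in 0..255."""
    m = IPV4_RE.match(text)
    return bool(m) and all(0 <= int(g) <= 255 for g in m.groups())


def check_helo(helo):
    """Return None if the HELO argument is acceptable, else a short reason."""
    if not helo:
        return "empty"
    if helo.startswith("[") and helo.endswith("]"):
        literal = helo[1:-1]
        if not is_ipv4(literal):
            return "bad address literal"
        if literal in OUR_IPS:
            return "claims our IP"
        return None
    if is_ipv4(helo):
        return "bare IP without brackets"
    if helo.lower() in OUR_NAMES:
        return "claims our hostname"
    if not is_fqdn(helo):
        return "not a fully qualified domain name"
    return None


class HeloPolicy:
    """Tracks bad HELOs per client IP and blocks repeat offenders."""

    def __init__(self, limit=BAD_HELO_LIMIT):
        self.limit = limit
        self.bad_count = defaultdict(int)

    def is_blocked(self, ip):
        return self.bad_count[ip] >= self.limit

    def handle(self, ip, helo):
        """Return (accepted, reason) for one session's HELO from ip."""
        if self.is_blocked(ip):
            return (False, "blocked for repeated bad HELO")
        reason = check_helo(helo)
        if reason is None:
            return (True, None)
        self.bad_count[ip] += 1
        return (False, reason)


# Constructed sample of (client IP, HELO argument) pairs, in arrival order.
SAMPLE_SESSIONS = [
    ("198.51.100.5", "mail.example.net"),
    ("198.51.100.5", "[198.51.100.5]"),
    ("198.51.100.9", "192.0.2.77"),
    ("198.51.100.9", "localhost"),
    ("198.51.100.9", "mail.example.edu"),
    ("198.51.100.9", "[192.0.2.25]"),
    ("198.51.100.9", "friend"),
    ("198.51.100.9", "legit.example.org"),   # fine on its own, but the source is now blocked
]


def run_sessions(sessions, policy=None):
    """Feed sessions through one HeloPolicy and return the per-session verdicts."""
    policy = policy if policy is not None else HeloPolicy()
    return [policy.handle(ip, helo) for ip, helo in sessions]


if __name__ == "__main__":
    for (ip, helo), (ok, why) in zip(SAMPLE_SESSIONS, run_sessions(SAMPLE_SESSIONS)):
        print("%-14s %-22s %s" % (ip, helo, "ok" if ok else "reject: " + why))
```

The last session shows the point of the counter: once a source has used up its allowance, even a well-formed HELO is refused, so a client that has been spraying bad names stops costing SMTP sessions.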
The Hotmail numbers are their usual dismal levels:
- 3 email messages accepted; at least one was likely spam.
- 250 messages rejected because they came from non-Hotmail email addresses.
- 71 messages sent to our spamtraps.
- 13 messages refused because their sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (three for being in the SBL, one for being in the CBL, and one from Benin).
(This is a little bit lower than last week, so maybe some Hotmail spammers are taking time off.)