Weekly spam summary on December 24th, 2005
Merry Christmas and happy holidays to all, and to the spammers a lump of coal since they do not seem to be taking time off at all.
This week we received 14,342 email messages from 206 different IP addresses. Our SMTP server handled 74,689 sessions from 6,178 different IP addresses. Received email is down from last week, which is no surprise since the university knocked off for Christmas holidays on Wednesday, but session volume is way up.
Connection volume is up too: 262,200 connections from at least 44,100 different IP addresses. Interestingly, total IP addresses aren't up all that much from last week. Broken down by days:
| Day | Connections | different IPs |
|---|---|---|
| Sunday | 22,860 | +7,080 |
| Monday | 21,190 | +6,460 |
| Tuesday | 20,760 | +6,060 |
| Wednesday | 21,370 | +6,430 |
| Thursday | 21,900 | +5,840 |
| Friday | 47,000 | +6,600 |
| Saturday | 107,110 | +5,640 |
Apparently spammers get a real 'bah humbug', given the explosion in connections on Friday and especially Saturday, Christmas Eve.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
|---|---|---|
| 213.140.2.73 | 37005 | 2220K |
| 62.94.0.30 | 6782 | 303K |
| 81.56.74.165 | 6153 | 313K |
| 195.135.141.22 | 5205 | 259K |
| 65.66.66.244 | 4552 | 213K |
| 213.4.149.11 | 4264 | 196K |
| 24.116.108.32 | 4037 | 189K |
| 200.27.50.35 | 3996 | 226K |
| 66.27.61.190 | 3965 | 185K |
| 208.255.239.200 | 3676 | 169K |
It's rare that all of the top ten are individual IP addresses, which goes to show how active the spam has been recently.
- 213.140.2.73 is a fastweb.it machine; we don't talk to them due to previous spam problems.
- Reappearing from before are 81.56.74.165, 195.135.141.22, and 213.4.149.11.
- 62.94.0.30 and 66.27.61.190 used bad HELO names a lot.
- 195.135.141.22 is on the CBL; from its hostname, it may be a NAT machine.
- 65.66.66.244 and 24.116.108.32 are both end-user machines, one a DSL line and one a cablemodem.
- 208.255.239.200 is in SPEWS due to UUNet's habit of continuing to take money from Eric Reinertsen.
Connection time rejection stats:
31796 total
16883 dynamic IP
7385 bad or no reverse DNS
3344 class bl-cbl
1749 class bl-spews
586 class bl-dsbl
460 class bl-ordb
435 class bl-sbl
265 class bl-sdul
28 class bl-opm
20 class bl-njabl
SPEWS has jumped a lot from last week, but everyone else seems to have held more or less to par. There are a number of pretty active sources, but no one over 277 connection rejections.
The other numbers are eye-opening:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
|---|---|---|---|---|
| Bad HELOs | 36014 | 888 | 2088 | 169 |
| Bad bounces | 15449 | 3456 | 2754 | 738 |
This has been a catastrophic week for bad HELO names and for bounces. 12.20.160.25 sent us over 1600 bad HELO names before getting blocked, and there are a lot of people in the several hundred range. (Partly this may be because we have been blocking people less often.)
Bad bounces are not quite so voluminous, but all sorts of people upended hundreds on us, including AOL. The most active is 65.42.65.137, with 330 sessions. It seems clear that spammers have started forging our domains in their spam runs once again.
The Hotmail numbers are their usual dismal levels:
- 3 email messages accepted; at least one was likely spam.
- 250 messages rejected because they came from non-Hotmail email addresses.
- 71 messages sent to our spamtraps.
- 13 messages refused because their sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (three for being in the SBL, one for being in the CBL, and one from Benin).
(This is a little bit lower than last week, so maybe some Hotmail spammers are taking time off.)