Weekly spam summary on December 31st, 2005
This week we received 12,270 email messages from 159 different IP addresses. Our SMTP server handled 31,972 sessions from 2,643 different IP addresses. Session volume is down from last week, which is a relief, although it's not back down to the historical levels yet.
However, connection volume has not dropped substantially from last week: 260,000 connections from at least 53,760 different IP addresses, with a highwater of 12 simultaneous connections being checked. Oddly, the number of different IPs has jumped substantially. Broken down by days:
The connections per day shows the major spam overhang from last weekend, followed by a fairly constant rain of incoming connections over the rest of the week.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 22.214.171.124 19352 973K 126.96.36.199 18992 848K 188.8.131.52 7596 334K 184.108.40.206 6931 319K 220.127.116.11 6738 309K 18.104.22.168 6699 402K 22.214.171.124 6541 314K 126.96.36.199 5641 278K 188.8.131.52 5193 249K 184.108.40.206 5090 224K
- 220.127.116.11 got blocked for sending us too much spam backscatter, and apparently kept generating it quite actively.
- 18.104.22.168 continues from last week, still using its bad
- 22.214.171.124, 126.96.36.199, 188.8.131.52, and 184.108.40.206 all
HELOnames at us.
- 220.127.116.11 and 18.104.22.168 are both considered 'dialup' machines.
- 22.214.171.124 is terra.es's main outbound server and has been blocked here for ages for being an active spam source.
- 126.96.36.199 sent mail to a spamtrap and then kept trying to send
more email to us with the same
Connection time rejection stats:
46350 total 27594 dynamic IP 12425 bad or no reverse DNS 4438 class bl-cbl 527 class bl-spews 321 class bl-dsbl 247 class bl-sdul 191 class bl-sbl 97 class bl-ordb 16 class bl-opm 7 class bl-njabl
The CBL and generic 'dynamic/dialup' hits are up compared to last week and dominate the rejection rate, which is a strong sign that many of the connection attempts are spam delivery attempts from compromised machines. A number of IPs made hundreds of attempts to connect to us (the most active was 188.8.131.52, with 424 attempts), and of the top 30 connecting IPs, 24 of them are on the CBL.
The other numbers aren't as bad as last week, but they're still not pleasant:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
I think that both dropping a lot show that most of this week's load is
direct spam, instead of backscatter from spammers forging our domains
And to round out the last entry of the (nominal) year, here's the less depressing than usual Hotmail numbers:
- five email messages accepted, at least one of which seems to have been a spam backscatter bounce.
- 100 messages rejected because they came from non-Hotmail email addresses.
- 36 messages sent to our spamtraps.
- 10 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one for being in the SBL and one from a telkom.co.za DSL line that's also on the CBL).
Apparently a number of Hotmail's spammers do take the holidays off.
Welcome to 2006. May it have less spam than 2005.