Weekly spam summary on January 21st, 2005

January 22, 2006

I'm going to lead with the Hotmail spam numbers, because they continue to be catastrophic.

  • two emails accepted, both from spamlike Hotmail usernames.
  • 376 messages rejected because they came from non-Hotmail email addresses.
  • 134 messages sent to our spamtraps.
  • 17 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (four for being in the SBL and one for being sent from SAIX, which has an advance fee fraud spam problem).

Happily, the rest of the weekly numbers are much better.

This week we received 13,873 email messages from 213 different IP addresses. Our SMTP server handled 17,484 sessions from 933 different IP addresses. This is about the same volume as last week.

Connection volume is up a bit from last week: 143,447 connections from at least 50,890 different IP addresses. The simultaneous connections highwater was only 27, so burst volume is down from last week. Per day figures:

Day Connections different IPs
Sunday 18,485 +7,424
Monday 22,674 +8,480
Tuesday 19,095 +7,319
Wednesday 23,177 +8,463
Thursday 22,501 +6,491
Friday 21,001 +6,712
Saturday 16,514 +6,009

Overall this seems to have been a more even week than last week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes         5060    248K           5013    301K          4866    292K       4527    218K          3970    201K         3389    194K          3280    141K         3263    157K            2660    160K         2576    126K

This is a slow week for the kernel top ten, slow enough that quite a lot of large blocks make the list.

  • and both return from last week.
  • is a centrum.cz machine; we haven't talked to them for ages. Another one in the same subnet made the list last week.
  • is a telefonica.net machine we have had blocked for ages as a source of bad HELO names.
  • is an Adelphia IP address that looks dynamic to us, and is widely listed on any number of DNS blocklists.

Connection time rejection stats:

  30429 total
  16005 dynamic IP
   9483 bad or no reverse DNS
   2779 class bl-cbl
    564 class bl-ordb
    436 class bl-sbl
    192 class bl-dsbl
    181 class bl-spews
    152 class bl-sdul
     94 class bl-njabl
     15 class bl-opm

No surprises and no particularly big single sources, although tried hard (271 connections, blocked for being in APNIC without good reverse DNS). Only 8 of the top 30 IP sources were in the CBL this time around; three were on the SBL and 12 are currently listed in bl.spamcop.net.

Other stats:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 180 41 880 97
Bad bounces 37 31 308 83

These numbers have cratered since last week; they may be our lowest ever. A quarter of the bad HELO names came from a single IP address,

Written on 22 January 2006.
« Please have stable ids for your feed entries
Why case independent filenames are a bad idea »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Jan 22 02:50:08 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.