Weekly spam summary on January 21st, 2005

January 22, 2006

I'm going to lead with the Hotmail spam numbers, because they continue to be catastrophic.

  • two emails accepted, both from spamlike Hotmail usernames.
  • 376 messages rejected because they came from non-Hotmail email addresses.
  • 134 messages sent to our spamtraps.
  • 17 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (four for being in the SBL and one for being sent from SAIX, which has an advance fee fraud spam problem).

Happily, the rest of the weekly numbers are much better.

This week we received 13,873 email messages from 213 different IP addresses. Our SMTP server handled 17,484 sessions from 933 different IP addresses. This is about the same volume as last week.

Connection volume is up a bit from last week: 143,447 connections from at least 50,890 different IP addresses. The simultaneous-connections high-water mark was only 27, so burst volume is down from last week. Per day figures:

Day          Connections   different IPs
Sunday            18,485          +7,424
Monday            22,674          +8,480
Tuesday           19,095          +7,319
Wednesday         23,177          +8,463
Thursday          22,501          +6,491
Friday            21,001          +6,712
Saturday          16,514          +6,009

Overall this seems to have been a more even week than last week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
219.128.0.0/12         5060    248K
213.29.7.171           5013    301K
202.157.144.3          4866    292K
212.216.176.0/24       4527    218K
61.128.0.0/10          3970    201K
205.178.145.65         3389    194K
213.4.129.135          3280    141K
68.234.100.168         3263    157K
66.62.47.57            2660    160K
221.216.0.0/13         2576    126K

This is a slow week for the kernel top ten, slow enough that quite a lot of large blocks make the list.

  • 202.157.144.3 and 66.62.47.57 both return from last week.
  • 213.29.7.171 is a centrum.cz machine; we haven't talked to them for ages. Another one in the same subnet made the list last week.
  • 213.4.129.135 is a telefonica.net machine we have had blocked for ages as a source of bad HELO names.
  • 68.234.100.168 is an Adelphia IP address that looks dynamic to us, and is widely listed on any number of DNS blocklists.

Connection time rejection stats:

  30429 total
  16005 dynamic IP
   9483 bad or no reverse DNS
   2779 class bl-cbl
    564 class bl-ordb
    436 class bl-sbl
    192 class bl-dsbl
    181 class bl-spews
    152 class bl-sdul
     94 class bl-njabl
     15 class bl-opm

No surprises and no particularly big single sources, although 203.150.224.48 tried hard (271 connections, blocked for being in APNIC without good reverse DNS). Only 8 of the top 30 IP sources were in the CBL this time around; three were on the SBL and 12 are currently listed in bl.spamcop.net.
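The per-day connection table and the connection-time rejection breakdown above are the kind of figures a mail admin derives from the SMTP front end's connection log. The following is an added example, not code from this post or from its author's setup: it tallies a small constructed log (the one-line-per-connection format, the reason names, and the sample addresses are all invented for the example) into the same shape as the tables above. It assumes, as this post's table appears to, that the "+N" column counts IP addresses not seen earlier in the same week.

```python
"""Weekly SMTP connection summary from a constructed connection log.

Added example, not code from the original post.  The log format is an
assumption made for the example: one line per inbound connection,
    YYYY-MM-DD HH:MM:SS <ip> <accept|reject> [<reason>]
where <reason> is only present on rejects.
"""
from collections import Counter, OrderedDict
from datetime import datetime

# Constructed sample log covering a Sunday and a Monday (RFC 5737 test addresses).
SAMPLE_LOG = """\
2006-01-15 00:01:10 203.0.113.5 reject dynamic-ip
2006-01-15 00:02:30 203.0.113.5 reject dynamic-ip
2006-01-15 00:03:00 198.51.100.7 accept
2006-01-15 01:00:00 198.51.100.9 reject no-rdns
2006-01-15 02:00:00 192.0.2.44 reject bl-cbl
2006-01-16 00:00:05 198.51.100.7 accept
2006-01-16 00:05:00 192.0.2.45 reject bl-sbl
2006-01-16 00:06:00 192.0.2.44 reject bl-cbl
2006-01-16 00:07:00 203.0.113.77 reject no-rdns
"""


def parse_line(line):
    """Split one log line into (day, ip, action, reason); reason is None for accepts."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError("malformed log line: %r" % line)
    day, ip, action = parts[0], parts[2], parts[3]
    reason = parts[4] if len(parts) > 4 else None
    return day, ip, action, reason


def _records(lines):
    """Yield parsed records, skipping blank lines."""
    for line in lines:
        if line.strip():
            yield parse_line(line)


def daily_figures(lines):
    """Per day: (connections, IPs first seen that day).

    The second value is the '+N' column: addresses not seen on an earlier
    day of the same log (an assumption about what the post's table counts).
    """
    seen = set()
    per_day = OrderedDict()
    for day, ip, _, _ in _records(lines):
        conns, new_ips = per_day.get(day, (0, 0))
        if ip not in seen:
            seen.add(ip)
            new_ips += 1
        per_day[day] = (conns + 1, new_ips)
    return per_day


def weekly_totals(lines):
    """(total connections, distinct IP addresses) over the whole log."""
    ips = set()
    total = 0
    for _, ip, _, _ in _records(lines):
        total += 1
        ips.add(ip)
    return total, len(ips)


def rejection_stats(lines):
    """Count connection-time rejections by reason."""
    counts = Counter()
    for _, _, action, reason in _records(lines):
        if action == "reject":
            counts[reason] += 1
    return counts


def format_report(lines):
    """Render the per-day table and rejection breakdown in the post's plain-text style."""
    out = ["Day          Connections   different IPs"]
    for day, (conns, new_ips) in daily_figures(lines).items():
        name = datetime.strptime(day, "%Y-%m-%d").strftime("%A")
        out.append("%-10s %13s %15s" % (name, format(conns, ","), "+" + format(new_ips, ",")))
    stats = rejection_stats(lines)
    out.append("")
    out.append("%7d total" % sum(stats.values()))
    for reason, n in stats.most_common():
        out.append("%7d %s" % (n, reason))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(SAMPLE_LOG.splitlines()))
```

Because every IP seen in the week is held in one set, the distinct-IP count is exact rather than the "at least" a sampled or rotated log gives; on a real front end handling 140,000 connections a week that set stays small enough to keep in memory.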

Other stats:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      180  (41)                    880  (97)
Bad bounces     37  (31)                    308  (83)

These numbers have cratered since last week; they may be our lowest ever. A quarter of the bad HELO names came from a single IP address, 212.238.248.243.

Written on 22 January 2006.
Last modified: Sun Jan 22 02:50:08 2006