Weekly spam summary on February 4th, 2006
Hotmail seems to be shuffling its numbers around significantly this week, to my surprise. I'm not sure the result is really better, but it's certainly different:
- 4 email messages accepted from Hotmail, although 3 of them look a lot like typical advance fee fraud spam Hotmail addresses.
- only 79 messages rejected because they came from non-Hotmail email addresses.
- 138 messages sent to our spamtraps.
- 27 messages refused because their sender addresses had already hit our spamtraps.
- 20 messages refused due to their origin IP address (9 for being in the SBL, then a wide assortment I'm too lazy to break down in detail).
Everything is up except the non-Hotmail email address rejections, which have cratered. Maybe spammers have decided to give up on them and restrict themselves to strictly Hotmail addresses? Who knows.
The basic stats:
- got 14,233 email messages from 230 different IP addresses.
- handled 17,694 SMTP sessions from 941 different IP addresses.
- received 130,000 connections from at least 52,159 different IP addresses.
- only a highwater of 7 pending connections being processed at once.
All of this is just about the same as last week. The per-day table has no interesting fluctuations, so I'm skipping it.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 22.214.171.124 6062 364K 126.96.36.199/24 5540 273K 188.8.131.52 4317 202K 184.108.40.206 3939 236K 220.127.116.11/11 3637 180K 18.104.22.168/10 3598 187K 22.214.171.124 3491 209K 126.96.36.199 2913 163K 188.8.131.52 2582 127K 184.108.40.206 2414 145K
Overall, I'd say the kernel level blocks were a little quieter than last week.
- 220.127.116.11 and 18.104.22.168 reappear from last week
- 22.214.171.124 reappears from December 2005,
still with an unresolvable
- 126.96.36.199 is in SBL37385.
- 188.8.131.52 used an unresolvable
- 184.108.40.206 is yet another centrum.cz machine.
- 220.127.116.11 repeatedly tried to send more mail from something that had tripped our spamtraps.
Connection time rejection stats:
26458 total 13291 dynamic IP 8813 bad or no reverse DNS 3267 class bl-cbl 308 class bl-sbl 133 class bl-dsbl 70 class bl-njabl 67 class bl-sdul 66 class bl-spews 35 class bl-ordb 5 class bl-opm
Only one machine really hammered on the frontend this week;
18.104.22.168 made 202 connection attempts before we blocked it harder
for being in SBL37385. 17 of the top 30 rejected source IPs are
in the CBL this week, three in the SBL (22.214.171.124, plus
and 6 are currently in
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
There's no really big single source of bad
HELOs, unlike last week;
126.96.36.199, at 74 before it went into the kernel blocks, is the
highest. At least the numbers are relatively low.