Weekly spam summary on February 11th, 2006

February 12, 2006

Hotmail has been startlingly quiet this week. The numbers:

  • One message accepted.
  • 24 messages rejected because they came from non-Hotmail email addresses.
  • 68 messages sent to our spamtraps.
  • 23 messages refused because their sender addresses had already hit our spamtraps.
  • 10 messages refused due to their origin IP address (two in the SBL, one in the CBL, and then the rest from an assortment of places we pretty much don't talk to any more).

Hotmail may actually be dealing with its spam problems. Or this week might be an anomaly; I expect I'll be dubious about Hotmail for quite a while.

The basic stats:

  • got 14,062 messages from 224 different IP addresses.
  • handled 27,174 sessions from 1,771 different IP addresses.
  • received 161,000 connections from at least 53,153 different IP addresses.
  • a highwater of 16 connections being checked at once.

The session and connection volume is up from last week. Connection volume fluctuates significantly during the week:

Day          Connections   different IPs
Sunday            18,588          +8,532
Monday            22,867          +9,203
Tuesday           21,045          +7,389
Wednesday         23,197          +6,951
Thursday          35,896          +7,632
Friday            23,177          +7,674
Saturday          16,074          +5,772

(Unfortunately, Thursday's numbers may be because of something I did that day. It seems I really should automate more things.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
212.216.176.0/24       5455    276K
61.128.0.0/10          5218    272K
220.160.0.0/11         2820    142K
209.11.168.39          2692    133K
69.105.51.114          2561    120K
218.0.0.0/11           2396    121K
219.128.0.0/12         2133    109K
221.216.0.0/13         2000    100K
69.212.116.115         1948   91074
24.248.0.70            1906   89108

This week is even quieter than last week, and has a lot more Chinese netblocks making the list (although tin.it earned top place). Of the rest:

  • 209.11.168.39 and 69.105.51.114 reappear from last week.
  • 69.212.116.115 kept trying to feed us an unresolvable HELO name.
  • 24.248.0.70 is a cox.net cablemodem customer with a 'dialup' reverse DNS.

Connection time rejection stats:

  31235 total
  15286 dynamic IP
  10452 bad or no reverse DNS
   3413 class bl-cbl
    403 class bl-sbl
    335 class bl-dsbl
    331 class bl-spews
    114 class bl-sdul
     51 class bl-ordb
     37 class bl-njabl
     11 class bl-opm
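As an added illustration (not part of the original post, and not the rules of the frontend it describes), here is a small Python classifier that sorts incoming connections into the same kinds of rejection classes tallied above: missing or unconfirmed reverse DNS, dynamic-looking reverse DNS names, and DNSBL listings reported as "class bl-<zone>". Resolver answers and DNSBL hits are passed in as data instead of looked up, so it runs offline; the dynamic-hostname patterns, the order the checks are applied in, the record layout and the sample connections are all assumptions constructed for this example.

```python
# Added example, not code from the original post: a simplified connection-time
# classifier producing the same kinds of rejection classes the weekly summary
# tallies. DNS results and DNSBL hits are injected so it runs offline; the
# hostname patterns, the check order and the sample records are constructed.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Tokens that commonly mark dynamically assigned customer addresses (assumed list).
DYNAMIC_TOKENS = re.compile(
    r"(^|[.-])(dialup|dyn|dynamic|dhcp|ppp|pool|cable|dsl)([.-]|\d|$)", re.I
)
# A reverse DNS name that embeds four octets also suggests a generic customer pool.
OCTETS = re.compile(r"\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}")


@dataclass
class Connection:
    ip: str
    rdns: Optional[str]       # PTR result, or None when the IP has no reverse DNS
    forward: tuple = ()       # A records the PTR name resolves back to
    dnsbls: tuple = ()        # DNSBL zones that list the IP, e.g. ("cbl",), ("sbl", "cbl")


def classify(conn: Connection) -> Optional[str]:
    """Return the rejection class for a connection, or None to let it through.

    The ordering is an assumption: the cheap local checks run first, and a
    connection is charged to the first class that matches.
    """
    if conn.rdns is None:
        return "bad or no reverse DNS"
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP,
    # otherwise the name is treated as bad.
    if conn.ip not in conn.forward:
        return "bad or no reverse DNS"
    if DYNAMIC_TOKENS.search(conn.rdns) or OCTETS.search(conn.rdns):
        return "dynamic IP"
    if conn.dnsbls:
        return f"class bl-{conn.dnsbls[0]}"   # first listing wins
    return None


def tally(conns) -> Counter:
    """Count rejections per class plus a running total, as the summary reports them."""
    counts: Counter = Counter()
    for conn in conns:
        reason = classify(conn)
        if reason is not None:
            counts[reason] += 1
            counts["total"] += 1
    return counts


# Constructed sample connections using documentation addresses; not real traffic.
SAMPLE = [
    Connection("192.0.2.10", "mail.example.net", forward=("192.0.2.10",)),               # accepted
    Connection("192.0.2.20", None),                                                       # no PTR at all
    Connection("192.0.2.30", "host30.example.org", forward=("192.0.2.99",)),             # PTR does not confirm
    Connection("192.0.2.40", "dialup-40.customer.example.net", forward=("192.0.2.40",)),  # 'dialup' name
    Connection("192.0.2.50", "192-0-2-50.pool.example.com", forward=("192.0.2.50",)),     # octets in name
    Connection("192.0.2.60", "relay60.example.com", forward=("192.0.2.60",), dnsbls=("cbl",)),
    Connection("192.0.2.70", "relay70.example.com", forward=("192.0.2.70",), dnsbls=("sbl", "cbl")),
]

if __name__ == "__main__":
    # Prints a table in the same shape as the connection time rejection stats.
    for reason, n in tally(SAMPLE).most_common():
        print(f"{n:6d} {reason}")
```

Run on the sample, the tally comes out as 6 total, 2 bad or no reverse DNS, 2 dynamic IP, 1 class bl-cbl and 1 class bl-sbl; the one accepted connection is the only one whose PTR name resolves back to its IP and matches nothing else. In a real frontend the forward and DNSBL fields would be filled from live lookups, and the token list would be tuned to the hostnames actually seen.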

This was a big week for hammering on the frontend; 22 IP addresses were refused 100 times or more, with the winner being 202.57.119.43 at 364 connections refused for having no reverse DNS. This week marks a record, with none of the top 30 refused IPs being in the CBL; three are in the SBL (209.9.147.162 and 209.9.147.173 in SBL37385, and 203.177.14.234 in SBL34872).

In other trivia, 65.109.239.171 aka tucksprofessionalservices.com is still trying to spam us. Better luck next incarnation; you've blown this one.

Other stats:

what           # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs            8422              248           357               36
Bad bounces           814              557            87               55

Oh look; massively up compared to the past couple of weeks. I guess spammers are forging us as the MAIL FROM again. 34 different IP addresses tried bad HELOs a hundred times or more; the really big ones are 69.105.51.114 (367 times), 63.105.86.51 (269 times), and 67.77.182.186 (237 times).

Written on 12 February 2006.

Last modified: Sun Feb 12 01:33:18 2006