Weekly spam summary on March 4th, 2006
It's time for another weekly spam summary. First, let's look at Hotmail, which turns out to be running roughly the same as last week:
- no messages accepted.
- 12 messages rejected because they came from non-Hotmail email addresses.
- 49 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 6 messages refused due to their origin IP address (two in the SBL, one in each of the XBL and the CBL, one from Nigeria, and one from SAIX).
Hotmail might get points, except for two things: first, the spamtrap hits still show that far too much spam is coming from Hotmail, and second, Hotmail started letting their webmail spammers use 'email@example.com' addresses this week. I feel for the Sympatico users who are about to get their email dumped by all sorts of people as a result of this.
The basic volume numbers:
- got 13,466 messages from 215 different IP addresses.
- handled 17,446 sessions from 769 different IP addresses.
- received 122,475 connections from at least 43,529 different IP addresses.
- a highwater of 11 connections being checked at once.
All of this is slightly down from last week (except for the highwater, which means we had a larger burst of connections some time this week). The per day numbers are remarkably flat:
I have no explanation for the dip on Wednesday.
Kernel level packet filtering top ten:
    Host/Mask            Packets  Bytes
    220.127.116.11          7106  361K
    18.104.22.168/10        4000  211K
    22.214.171.124/24       3980  193K
    126.96.36.199           2914  175K
    188.8.131.52            2242  103K
    184.108.40.206/11       2123  109K
    220.127.116.11          2017  92872
    18.104.22.168/12        1964  101K
    22.214.171.124          1961  94128
    126.96.36.199/13        1908  97452
- 188.8.131.52 tripped our spamtrap detectors and then kept on mailing, I believe with phish email.
- 184.108.40.206 and 220.127.116.11 reappear from last week.
- 18.104.22.168 is a Turkish IP address that's on the CBL.
- 22.214.171.124 is a Kazakhstan IP address in dnsbl.njabl.org as an open relay.
Connection time rejection stats:
    25306  total
    12030  dynamic IP
     9292  bad or no reverse DNS
     2784  class bl-cbl
      292  class bl-ordb
      179  class bl-dsbl
      121  class bl-spews
      104  class bl-sbl
       98  class bl-sdul
       43  class bl-njabl
       27  class bl-opm
Only one IP address, 126.96.36.199, was refused more than 100 times.
Thirteen of the top 30 most refused IPs are currently in the CBL and eight are currently in bl.spamcop.net; none are in the SBL.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
This is about back to the old low numbers at last. The leading contestant in the bad HELO numbers is 188.8.131.52 (claiming to be webserver.nss.local), with 141 rejections.