Weekly spam summary on March 4th, 2006

March 5, 2006

It's time for another weekly spam summary. First, let's look at Hotmail, which turns out to be running roughly the same as last week:

  • no messages accepted.
  • 12 messages rejected because they came from non-Hotmail email addresses.
  • 49 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 6 messages refused due to their origin IP address (two in the SBL, one in each of the XBL and the CBL, one from Nigeria, and one from SAIX).

Hotmail might get points, except for two things: first, the spamtrap hits still show that far too much spam is coming from Hotmail, and second, Hotmail started letting their webmail spammers use 'user@sympatico.ca' addresses this week. I feel for the Sympatico users who are about to get their email dumped by all sorts of people as a result of this.

The basic volume numbers:

  • got 13,466 messages from 215 different IP addresses.
  • handled 17,446 sessions from 769 different IP addresses.
  • received 122,475 connections from at least 43,529 different IP addresses.
  • a highwater of 11 connections being checked at once.

All of this is slightly down from last week (except for the highwater, which means we had a larger burst of connections some time this week). The per-day numbers are remarkably flat:

Day         Connections   different IPs
Sunday           16,862          +7,000
Monday           18,662          +6,770
Tuesday          18,571          +6,273
Wednesday        15,914          +5,448
Thursday         18,263          +6,027
Friday           18,700          +6,287
Saturday         15,503          +5,724

I have no explanation for the dip on Wednesday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
200.46.208.94          7106    361K
61.128.0.0/10          4000    211K
212.216.176.0/24       3980    193K
80.190.233.48          2914    175K
88.225.43.100          2242    103K
220.160.0.0/11         2123    109K
205.206.209.28         2017   92872
219.128.0.0/12         1964    101K
212.154.186.245        1961   94128
221.216.0.0/13         1908   97452

  • 200.46.208.94 tripped our spamtrap detectors and then kept on mailing, I believe with phish email.
  • 80.190.233.48 and 205.206.209.28 reappear from last week.
  • 88.225.43.100 is a Turkish IP address that's on the CBL.
  • 212.154.186.245 is a Kazakhstan IP address in dnsbl.njabl.org as an open relay.

Connection time rejection stats:

  25306 total
  12030 dynamic IP
   9292 bad or no reverse DNS
   2784 class bl-cbl
    292 class bl-ordb
    179 class bl-dsbl
    121 class bl-spews
    104 class bl-sbl
     98 class bl-sdul
     43 class bl-njabl
     27 class bl-opm

Only one IP address, 221.139.219.164, was refused more than 100 times. Thirteen of the top 30 most refused IPs are currently in the CBL and eight are currently in bl.spamcop.net; none are in the SBL.

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs             331               34          1736              123
Bad bounces           119               45           249              122

This is about back to the old low numbers at last. The leading contestant in the bad HELO numbers is 62.49.123.163 (claiming to be webserver.nss.local), with 141 rejections.

Written on 05 March 2006.

Last modified: Sun Mar 5 02:54:58 2006