Weekly spam summary on April 8th, 2006

April 9, 2006

This week, we:

  • got 12,551 messages from 234 different IP addresses.
  • handled 17,960 sessions from 979 different IP addresses.
  • received 444,512 connections from at least 44,262 different IP addresses.
  • hit a highwater of 50 connections being checked at once; 50 is the maximum number allowed.

Mail received and SMTP session volume is down a bit from last week, but connection volume has spiked to huge levels. The per day chart tells the story:

Day          Connections   Different IPs
Sunday            20,811          +8,243
Monday            21,976          +7,866
Tuesday           29,198          +7,812
Wednesday         25,040          +5,678
Thursday          15,302          +4,392
Friday           236,135          +3,933
Saturday          96,050          +6,338

All I can say is yow. On Friday we had more connections than we usually have all week, and it's still going on today. Interestingly, the simultaneous connections highwater was hit Saturday, not Friday. (I don't have any explanation for the dip on Thursday; as usual, I could do with a program guide to the spammer show.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
212.216.176.0/24       7552    374K
80.25.131.71           5182    293K
61.128.0.0/10          4314    219K
222.146.0.16           4261    210K
219.128.0.0/12         3612    176K
70.169.83.133          3013    145K
61.12.9.179            2928    149K
128.121.94.43          2638    130K
212.159.54.204         2278    116K
219.238.168.124        2271    109K

Overall this is actually down from last week. The specific IPs:

  • 80.25.131.71 is a rima-tde.net IP that we put into the 'dialup' class because its hostname looks too generic.
  • 222.146.0.16 and 128.121.94.43 both dinged us with apparent phish spam and then kept going (and going and going) once we blocked them.
  • 70.169.83.133 is a Cox cablemodem or something.
  • 61.12.9.179 is an Indian IP address with no reverse DNS.
  • 212.159.54.204 sent too many bad HELO names our way. (It's been a while since any bad HELO people were prolific enough to make the list.)
  • 219.238.168.124 reappears from last week and many weeks before that. Perhaps someday datadragon.net (I think) will actually have working reverse DNS, and not be SBL39201, and thus regain the ability to talk to our SMTP server.

Connection time rejection stats:

  33348 total
  16907 dynamic IP
  11962 bad or no reverse DNS
   2989 class bl-cbl
    349 class bl-ordb
    164 class bl-dsbl
     88 class bl-sdul
     86 class bl-sbl
     74 class bl-njabl
     73 class bl-spews
     39 SKYLIST INC 69.56.0.0/18
     13 class bl-opm

Overall rejections are actually down from last week. I'm not sure what this means; zombies that retried a couple of times, but not enough to get past our greylisting into the actual rejections?
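To make the connection-time rejection categories concrete, here is an added Python example, not the mail server's own code (this post does not show it), that classifies each connecting IP into the same reason classes as the stats above and tallies them the way the table does. It also covers the per-IP reasons given earlier for the packet-filter list (a generic "dialup"-looking hostname, no reverse DNS, a DNSBL listing, a named local netblock like the SKYLIST entry). Everything in it is an assumption: the hostname patterns, the check order (reverse DNS first, then dynamic naming, then the DNSBL classes in the listed order, then local netblocks), the netblock rule, and the sample connections, which are constructed and use documentation address ranges.

```python
"""Connection-time rejection classifier (illustrative example, not the site's code).

A connection is described by its IP, the PTR name from reverse DNS (None when
there is no PTR), the set of IPs that PTR name resolves forward to, and the set
of blocklist classes the IP is listed in.  All inputs here are constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumption: name fragments we treat as generic dynamic/dialup naming.
DYNAMIC_PATTERNS = [
    re.compile(r"(^|[.-])(dial|dyn|dhcp|ppp|cable|dsl)[^.]*\.", re.I),
    # IP address baked into the hostname, e.g. 45.113.0.203.dyn.example.net
    re.compile(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}"),
]

# Assumption: DNSBL classes consulted in this order; first hit is the reason.
BLOCKLIST_ORDER = ["bl-cbl", "bl-ordb", "bl-dsbl", "bl-sdul",
                   "bl-sbl", "bl-njabl", "bl-spews", "bl-opm"]

# Assumption: locally named netblocks, labelled like the SKYLIST line above.
NETBLOCK_RULES = [
    ("SKYLIST INC 69.56.0.0/18", ipaddress.ip_network("69.56.0.0/18")),
]


def looks_dynamic(hostname):
    """True when the PTR name matches one of the generic dynamic patterns."""
    return any(p.search(hostname) for p in DYNAMIC_PATTERNS)


def classify(ip, rdns, forward_ips, listings):
    """Return the rejection reason for one connection, or None to accept it.

    Check order (an assumption): missing or non-confirming reverse DNS,
    then dynamic-looking naming, then DNSBL classes, then named netblocks.
    """
    # "Bad" reverse DNS: no PTR, or the PTR name does not resolve back to the IP.
    if rdns is None or ip not in forward_ips:
        return "bad or no reverse DNS"
    if looks_dynamic(rdns):
        return "dynamic IP"
    for bl in BLOCKLIST_ORDER:
        if bl in listings:
            return "class " + bl
    addr = ipaddress.ip_address(ip)
    for label, net in NETBLOCK_RULES:
        if addr in net:
            return label
    return None


def tally(connections):
    """Count rejections by reason over (ip, rdns, forward_ips, listings) tuples."""
    counts = Counter()
    for ip, rdns, forward_ips, listings in connections:
        reason = classify(ip, rdns, forward_ips, listings)
        if reason is not None:
            counts["total"] += 1
            counts[reason] += 1
    return counts


def format_stats(counts):
    """Render counts in the same shape as the post's rejection table."""
    rows = [("total", counts["total"])]
    rows += sorted(((r, n) for r, n in counts.items() if r != "total"),
                   key=lambda rn: -rn[1])
    return "\n".join(f"{n:>7} {r}" for r, n in rows)


# Constructed sample connections (documentation ranges, not real senders).
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", "mail.example.net", {"198.51.100.7"}, set()),              # accepted
    ("203.0.113.45", "45.113.0.203.dyn.example.net", {"203.0.113.45"}, set()), # dynamic
    ("203.0.113.9", None, set(), {"bl-cbl"}),                                   # no PTR
    ("192.0.2.77", "host.example.org", {"192.0.2.1"}, set()),                   # PTR not confirmed
    ("192.0.2.200", "smtp.example.com", {"192.0.2.200"}, {"bl-sbl", "bl-cbl"}), # CBL checked first
    ("69.56.10.4", "relay.example.com", {"69.56.10.4"}, set()),                 # netblock rule
]

if __name__ == "__main__":
    print(format_stats(tally(SAMPLE_CONNECTIONS)))
```

Note that the reverse-DNS check runs before the dynamic-name check on purpose: a PTR name that does not forward-confirm is not trustworthy enough to pattern-match, so it is counted as "bad or no reverse DNS" regardless of what it looks like. The order of the DNSBL classes decides which class gets credit when an IP is on several lists, which is why the sample IP listed in both the CBL and the SBL is tallied under bl-cbl.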

Out of the top 30 most rejected IP addresses, only three were rejected 100 times or more: 24.13.143.139 (140 times), 86.101.112.157 (126 times), and 24.199.5.170 (123 times). Sixteen of the top 30 are currently in the CBL, four are currently in bl.spamcop.net, and one, our friend 219.238.168.124, is in the SBL.

The Hotmail numbers:

  • 14 messages accepted, again mostly from one real user.
  • 4 messages rejected because they came from non-Hotmail email addresses.
  • no messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (two in the CBL, one in SBL20693).

These are quite good numbers. Better yet, Hotmail seems to have stopped letting spammers use @sympatico.ca email addresses, which is good news for Sympatico customers.

And finally, one last set of stats:

What          This week  (distinct IPs)  Last week  (distinct IPs)
Bad HELOs           872              79        655              66
Bad bounces          91              66         98              81

We're basically in a holding pattern on these; I think it's hit the background noise level.

Written on 09 April 2006.
Last modified: Sun Apr 9 02:27:32 2006