Weekly spam summary on April 8th, 2006
This week, we:
- got 12,551 messages from 234 different IP addresses.
- handled 17,960 sessions from 979 different IP addresses.
- received 444,512 connections from at least 44,262 different IP addresses.
- hit a highwater of 50 connections being checked at once; 50 is the maximum number allowed.
Mail received and SMTP session volume is down a bit from last week, but connection volume has spiked to huge levels. The per day chart tells the story:
Day | Connections | different IPs |
Sunday | 20,811 | +8,243 |
Monday | 21,976 | +7,866 |
Tuesday | 29,198 | +7,812 |
Wednesday | 25,040 | +5,678 |
Thursday | 15,302 | +4,392 |
Friday | 236,135 | +3,933 |
Saturday | 96,050 | +6,338 |
All I can say is yow. On Friday we had more connections than we usually have all week, and it's still going on today. Interestingly, the simultaneous connections highwater was hit Saturday, not Friday. (I don't have any explanation for the dip on Thursday; as usual, I could do with a program guide to the spammer show.)
Kernel level packet filtering top ten:
Host/Mask | Packets | Bytes |
212.216.176.0/24 | 7552 | 374K |
80.25.131.71 | 5182 | 293K |
61.128.0.0/10 | 4314 | 219K |
222.146.0.16 | 4261 | 210K |
219.128.0.0/12 | 3612 | 176K |
70.169.83.133 | 3013 | 145K |
61.12.9.179 | 2928 | 149K |
128.121.94.43 | 2638 | 130K |
212.159.54.204 | 2278 | 116K |
219.238.168.124 | 2271 | 109K |
Overall this is actually down from last week. The specific IPs:
- 80.25.131.71 is a rima-tde.net IP that we put into the 'dialup' class because its hostname looks too generic.
- 222.146.0.16 and 128.121.94.43 both dinged us with apparent phish spam and then kept going (and going and going) once we blocked them.
- 70.169.83.133 is a Cox cablemodem or something.
- 61.12.9.179 is an Indian IP address with no reverse DNS.
- 212.159.54.204 sent too many bad HELO names our way. (It's been a while since any bad HELO people were prolific enough to make the list.)
- 219.238.168.124 reappears from last week and many weeks before that. Perhaps someday datadragon.net (I think) will actually have working reverse DNS, and not be SBL39201, and thus have the ability to talk to our SMTP server.
Connection time rejection stats:
Rejections | Reason |
33348 | total |
16907 | dynamic IP |
11962 | bad or no reverse DNS |
2989 | class bl-cbl |
349 | class bl-ordb |
164 | class bl-dsbl |
88 | class bl-sdul |
86 | class bl-sbl |
74 | class bl-njabl |
73 | class bl-spews |
39 | SKYLIST INC 69.56.0.0/18 |
13 | class bl-opm |
Overall rejections are actually down from last week. I'm not sure what this means; zombies that retried a couple of times, but not enough to get past our greylisting into the actual rejections?
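To make the rejection classes above concrete (the 'dialup' class assigned to an IP whose hostname looks too generic, the "bad or no reverse DNS" check, and the DNSBL classes), here is an added Python sketch of a connection-time classifier. It is my illustration, not the post's own filter or the actual software behind it. Assumptions: the check order (generic hostname, then reverse DNS, then blacklists) is mine; the generic-hostname heuristic and the sample IPs, PTR records, forward records and list entries are constructed (RFC 5737 documentation addresses), though the DNSBL zone names and the reversed-octet query form are the real ones. Only the sample data is faked; a real deployment would replace the three lookup tables with DNS queries.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (not from the post). In production these three
# tables are DNS lookups: PTR for RDNS, A/AAAA for FORWARD, and an A query on
# "<reversed-octets>.<zone>" for each DNSBL zone.
RDNS = {
    "192.0.2.10": "dyn-192-0-2-10.pool.example-isp.test",  # generic pool name
    "192.0.2.11": "mail.example-corp.test",                 # clean host
    "192.0.2.12": None,                                     # no PTR record at all
    "192.0.2.13": "mx.forged.test",                         # PTR does not forward-confirm
    "203.0.113.5": "smtp-out.example-mailer.test",          # clean name, CBL-listed
    "198.51.100.7": "static.example-net.test",              # clean name, SBL-listed
}
FORWARD = {
    "dyn-192-0-2-10.pool.example-isp.test": {"192.0.2.10"},
    "mail.example-corp.test": {"192.0.2.11"},
    "mx.forged.test": {"203.0.113.99"},
    "smtp-out.example-mailer.test": {"203.0.113.5"},
    "static.example-net.test": {"198.51.100.7"},
}
# Real zone names, constructed listings.
DNSBL = {
    "cbl.abuseat.org": {"5.113.0.203"},
    "sbl.spamhaus.org": {"7.100.51.198"},
}
# Assumed check order: the cheapest, most common reasons first, which also
# happens to be the order the post's counts are listed in.
BL_ORDER = [("bl-cbl", "cbl.abuseat.org"), ("bl-sbl", "sbl.spamhaus.org")]

# Assumed vocabulary for "looks too generic"; tune to taste.
GENERIC_TOKENS = {"dyn", "dynamic", "dhcp", "dialup", "dial", "ppp",
                  "pool", "cable", "dsl", "adsl"}


def reversed_octets(ip: str) -> str:
    """DNSBL query label: IPv4 octets reversed (192.0.2.10 -> 10.2.0.192)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def looks_generic(hostname: str, ip: str) -> bool:
    """Heuristic 'dialup' test: ISP pool vocabulary, or the IP baked into the name."""
    tokens = set(re.split(r"[.-]", hostname.lower()))
    if GENERIC_TOKENS & tokens:
        return True
    return all(octet in tokens for octet in ip.split("."))


def rdns_is_good(ip: str, name):
    """Reverse DNS counts only if the PTR name resolves forward to the same IP."""
    return name is not None and ip in FORWARD.get(name, set())


def dnsbl_hits(ip: str):
    label = reversed_octets(ip)
    return [cls for cls, zone in BL_ORDER if label in DNSBL.get(zone, set())]


def classify(ip: str) -> str:
    """Return the first rejection reason that applies, or 'accept'."""
    name = RDNS.get(ip)
    if name is not None and looks_generic(name, ip):
        return "dynamic IP"
    if not rdns_is_good(ip, name):
        return "bad or no reverse DNS"
    hits = dnsbl_hits(ip)
    if hits:
        return "class " + hits[0]
    return "accept"


def tally(ips):
    """Per-reason rejection counts plus a 'total' of all rejected connections."""
    counts = Counter(classify(ip) for ip in ips)
    result = dict(counts)
    result["total"] = sum(n for reason, n in counts.items() if reason != "accept")
    return result


if __name__ == "__main__":
    for reason, n in sorted(tally(list(RDNS)).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d} {reason}")
```

The order matters: a zombie on a dynamic pool with a CBL listing is counted once, as "dynamic IP", which is why a summary like the one above cannot simply be read as "how many listed hosts tried us".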
Out of the top 30 most rejected IP addresses, only three were rejected 100 times or more: 24.13.143.139 (140 times), 86.101.112.157 (126 times), and 24.199.5.170 (123 times). Sixteen of the top 30 are currently in the CBL, four are currently in bl.spamcop.net, and one, our friend 219.238.168.124, is in the SBL.
The Hotmail numbers:
- 14 messages accepted, again mostly from one real user.
- 4 messages rejected because they came from non-Hotmail email addresses.
- no messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (two in the CBL, one in SBL20693).
These are quite good numbers. Better yet Hotmail seems to have stopped letting spammers use @sympatico.ca email addresses, which is good news for Sympatico customers.
And finally, one last set of stats:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 872 | 79 | 655 | 66 |
Bad bounces | 91 | 66 | 98 | 81 |
We're basically in a holding pattern on these; I think it's hit the background noise level.