Weekly spam summary on April 15th, 2006
This week, we:
- got 12,120 messages from 254 different IP addresses.
- handled 17,527 sessions from 926 different IP addresses.
- received 119,314 connections from at least 38,574 different IP addresses.
- hit a highwater of 17 connections being checked at once.
Volume is way down from last week; in fact it's back to the level I consider fairly quiet (although this volume still has a lot of spam in it). The per day table is not too interesting, except that it shows that last week's Saturday was clearly just the tail off of the huge Friday spike:
Kernel level packet filtering top ten:
|Host/Mask||Packets||Bytes|
|22.214.171.124/24||19724||889K|
|126.96.36.199||5040||249K|
|188.8.131.52/24||4805||241K|
|184.108.40.206/10||4609||245K|
|220.127.116.11||4159||235K|
|18.104.22.168||3225||159K|
|22.214.171.124||2801||168K|
|126.96.36.199||2723||127K|
|188.8.131.52||2395||144K|
|184.108.40.206/11||2243||116K|
This is a lot like last week, with the exception that libero.it's mail servers in 220.127.116.11/24 seem to be trying very hard to win some sort of dubious prize. (Based on spam I got on other machines this week, I suspect it's mostly
- 18.104.22.168 and 22.214.171.124 repeatedly tried to send us 'phish' spam.
- 126.96.36.199 reappears from last week. It's still a rima-tde.net dialup-oid machine with a far too generic DNS name. This week it got itself into the SBL for being a phish source, as SBL40228.
- 188.8.131.52 is another generic dialup-oid rima-tde.net machine.
- 184.108.40.206 hasn't improved their DNS from the last time we saw them.
- 220.127.116.11 is a 'dialup' covad.net machine, with a generic DNS name.
Connection time rejection stats:
- 29379 total
- 13606 dynamic IP
- 12012 bad or no reverse DNS
- 2556 class bl-cbl
- 144 class bl-dsbl
- 134 class bl-sdul
- 127 class bl-ordb
- 101 class bl-sbl
- 50 class bl-njabl
- 43 class bl-spews
- 8 class bl-opm
Finally, the Skylist Inc-hosted people have gotten the hint and gone away, although they were pretty quiet last week too. I'm a bit surprised that the 'dynamic IP' category has dropped significantly, almost level with bad/missing reverse DNS.
Out of the top 30 most rejected IP addresses, only one tried it more than 100 times: 18.104.22.168, an adsl.tpnet.pl machine, tried 141 times. Fifteen of the top 30 are currently in the CBL (including 22.214.171.124), eight are currently in bl.spamcop.net, and one is in the SBL (our friend 126.96.36.199, in SBL40228).
The Hotmail numbers are even better than last week, and I've read reports in NANAE from other people that have been seeing the same thing. At this rate I may have to drop this report because it's too boring. This week:
- 14 messages accepted, from a wide variety of addresses this time around because we had a system event that led to quite a few students emailing us.
- 2 messages rejected because they came from non-Hotmail email addresses.
- no messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one in the CBL, one from Gilat Satcom).
Of course, Hotmail's problems are not over, seeing as how one of the rejected emails was from a user called 'masmegamilottery9'. Um, Hotmail, are you paying attention here?
And the final set of numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
I could be optimistic about a slight drop, but why bother? I'd just have to be gloomy next week (or the week after, or whenever).