Weekly spam summary on April 22nd, 2006
This week's statistics are atypical, because in pursuit of better CBL statistics I moved our CBL check before all of our other connection time checks (including our greylisting) and pretty much stopped adding IP addresses to our kernel filters during the week.
Bearing that in mind, this week we:
- got 12,845 messages from 226 different IP addresses.
- handled 17,723 sessions from 788 different IP addresses.
- received 141,631 connections from at least 38,000 or so different IP addresses.
- hit a high-water mark of 50 connections being checked at once, reached today (this Saturday).
This is all up from last week, but not too much. The per day table is more or less flat, with a peak of 28,000 connections this Monday.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| 126.96.36.199 | 8967 | 456K |
| 188.8.131.52/24 | 5903 | 294K |
| 184.108.40.206/24 | 5015 | 254K |
| 220.127.116.11 | 3436 | 165K |
| 18.104.22.168 | 3365 | 162K |
| 22.214.171.124/10 | 3293 | 165K |
| 126.96.36.199/11 | 2011 | 101K |
| 188.8.131.52/11 | 1861 | 93084 |
| 184.108.40.206 | 1801 | 88876 |
| 220.127.116.11 | 1722 | 103K |
Here we see the effects of pretty much not adding anything to the kernel filters all week. This leaves very few active individual IP addresses:
- 18.104.22.168 hit spamtraps (although not early enough to save some of our users) and then kept mailing and mailing.
- 22.214.171.124 and 126.96.36.199 are Korean IP addresses without working reverse DNS.
- 188.8.131.52 reappears from last week, still trying to send phish spam email.
- 184.108.40.206 is a
Connection time rejection stats:
| count | rejection reason |
| 79352 | total |
| 58949 | class bl-cbl |
| 8680 | dynamic IP |
| 8007 | bad or no reverse DNS |
| 2071 | class bl-ordb |
| 466 | class bl-njabl |
| 429 | class bl-dsbl |
| 67 | class bl-sdul |
| 39 | class bl-sbl |
| 30 | class bl-spews |
| 8 | class bl-opm |
Yes, you read that right; 75% of our rejections were due to CBL listings. This isn't too surprising; the last time I looked at the stats (although over a shorter period) it was actually higher. The popularity of the ORDB is probably because of not putting heavy rejection sources into the kernel filters; just four IP addresses accounted for 80% of the ORDB rejections.
This week was obviously the week of really active connection time rejection sources, since practically none of them got put into the kernel filters. Here's a little table of the top ten:
(The fourth ORDB IP address is 220.127.116.11, with 189 rejections; it's down at #24 on the top 30 most rejected IP addresses.)
The Hotmail stats are up a bit this week:
- 3 messages accepted.
- 1 message rejected because it came from a non-Hotmail email address (hotmail.fr; possibly I should fix that).
- 7 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (two from SBL37487 (oh look, our old friends Gilat-Satcom), and one from Ghana).
The final set of numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad bounces have dropped like a stone, although I'm not going to hold my breath hoping that they stay there. The count of bad HELOs is up a bit, but that's not surprising because I didn't throw prolific sources into the kernel level blocks this week like I usually do.
This week's really prolific bad HELOs: 18.104.22.168 (184 times), 22.214.171.124 (145 times), 126.96.36.199 (138 times), and 188.8.131.52 (96 times). By contrast, last week the most prolific source only had 67