Weekly spam summary on April 29th, 2006
This week's statistics are distorted by a Wednesday noon system reboot that had the effect of resetting some of them. Having said that, this week we:
- got 11,083 messages from 230 different IP addresses.
- handled 15,463 sessions from 840 different IP addresses.
- received 88,321 connections from at least 28,538 different IP addresses since Wednesday noon.
- hit a highwater of 38 connections being checked at once, since Wednesday noon.
To the extent that I can tell, this looks like it's somewhat down from last week. It looks like total connection volume would have been around 130,000 or so this week if the reboot hadn't happened. Obviously the per-day table is completely useless this week.
Kernel level packet filtering top ten, since Wednesday noon:
    Host/Mask            Packets   Bytes
    220.127.116.11          6999    420K
    18.104.22.168           5149    275K
    22.214.171.124/24       2601    130K
    126.96.36.199/24        1734   87880
    188.8.131.52            1642   78816
    184.108.40.206          1563   93780
    220.127.116.11/13       1359   66340
    18.104.22.168           1312   83968
    22.214.171.124/10       1312   65480
    126.96.36.199           1281   65164
This looks a lot like last week in terms of the numbers, which is probably bad because last week's numbers were atypically low.
- 188.8.131.52 used a bad HELO name a lot.
- 184.108.40.206 is a University of Toronto machine that has a bad HELO, which neatly points out a bug in my support scripts; I'm supposed to exclude all of our own machines from getting added to the kernel IP blocks.
- 220.127.116.11 is a Verizon DSL 'dialup' machine.
- 18.104.22.168 is in NJABL.
- 22.214.171.124 is a mail.o2.co.uk machine that keeps trying to send us advance fee fraud spam from their webmail system.
- 126.96.36.199 is a bigpond.net.au cablemodem.
Connection time rejection stats:
    47114 total
    23796 dynamic IP
    18622 bad or no reverse DNS
     3008 class bl-cbl
      348 class bl-dsbl
      165 class bl-ordb
      165 class bl-njabl
      124 class bl-sdul
       40 class bl-sbl
       35 class bl-spews
        2 class bl-opm
These are full-week stats; we've popped back to regular levels after
the whole CBL-first exercise of last week. Some people from
188.8.131.52/24 showed up again this week; we blocked them because
of tucksprofessionalservices.com, which
I see is still there at 184.108.40.206. The two IP addresses that
poked us are 220.127.116.11 (in
bl.spamcop.net right now) and
18.104.22.168 (which is listed in spam.dnsbl.sorbs.net for
sending mail to their spamtraps).
Hotmail mail volume is way down this week:
- no messages accepted.
- 1 message rejected because it came from a non-Hotmail email
address (again a
- 9 messages sent to our spamtraps.
- no messages refused because they'd already hit our spamtraps or because of their origin IP address.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
This is down in the noise, especially considering that the top three
sources of bad
HELOs were 55% of the rejections all on their own.