Weekly spam summary on April 29th, 2006

April 30, 2006

This week's statistics are distorted by a Wednesday noon system reboot that had the effect of resetting some of them. Having said that, this week we:

  • got 11,083 messages from 230 different IP addresses.
  • handled 15,463 sessions from 840 different IP addresses.
  • received 88,321 connections from at least 28,538 different IP addresses since Wednesday noon.
  • hit a highwater of 38 connections being checked at once, since Wednesday noon.

To the extent that I can tell, this looks like it's somewhat down from last week. It looks like total connection volume would have been around 130,000 or so this week if the reboot hadn't happened. Obviously the per-day table is completely useless this week.

Kernel level packet filtering top ten, since Wednesday noon:

Host/Mask           Packets   Bytes
85.15.204.205          6999    420K
142.150.228.9          5149    275K
212.216.176.0/24       2601    130K
202.43.219.0/24        1734   87880
71.101.115.35          1642   78816
212.71.30.86           1563   93780
221.216.0.0/13         1359   66340
193.113.160.15         1312   83968
61.128.0.0/10          1312   65480
141.168.4.98           1281   65164

This looks a lot like last week in terms of the numbers, which is probably bad because last week's numbers were atypically low.

  • 85.15.204.205 used a bad HELO name a lot.
  • 142.150.228.9 is a University of Toronto machine that has a bad HELO, which neatly points out a bug in my support scripts; I'm supposed to exclude all of our own machines from getting added to the kernel IP blocks.
  • 71.101.115.35 is a Verizon DSL 'dialup' machine.
  • 212.71.30.86 is in NJABL.
  • 193.113.160.15 is a mail.o2.co.uk machine that keeps trying to send us advance fee fraud spam from their webmail system.
  • 141.168.4.98 is a bigpond.net.au cablemodem.

Connection time rejection stats:

  47114 total
  23796 dynamic IP
  18622 bad or no reverse DNS
   3008 class bl-cbl
    348 class bl-dsbl
    165 class bl-ordb
    165 class bl-njabl
    124 class bl-sdul
     40 class bl-sbl
     35 class bl-spews
      2 class bl-opm

These are full-week stats; we've popped back to regular levels after the whole CBL-first exercise of last week. Some people from 65.109.239.0/24 showed up again this week; we blocked them because of tucksprofessionalservices.com, which I see is still there at 65.109.239.171. The two IP addresses that poked us are 65.109.239.110 (in bl.spamcop.net right now) and 65.109.239.194 (which is listed in spam.dnsbl.sorbs.net for sending mail to their spamtraps).

Hotmail mail volume is way down this week:

  • no messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address (again a hotmail.fr address).
  • 9 messages sent to our spamtraps.
  • no messages refused because they'd already hit our spamtraps or because of their origin IP address.

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs     346 (40)                     953 (44)
Bad bounces    29 (23)                      21 (16)

This is down in the noise, especially considering that the top three sources of bad HELOs were 55% of the rejections all on their own.

Written on 30 April 2006.
Last modified: Sun Apr 30 02:52:10 2006