Weekly spam summary on May 27th, 2006
This week, we:
- got 11,513 messages from 227 different IP addresses.
- handled 18,277 sessions from 912 different IP addresses.
- received 133,583 connections from at least 42,540 different IP addresses.
- hit a highwater of 8 connections being checked at once.
This is about the same as last week. Tuesday, Wednesday, and Thursday were the busiest days this week for connections; I suppose that's not too surprising. (Interestingly, email received peaked on Tuesday but connections peaked on Wednesday.)
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
188.8.131.52            9190    441K
184.108.40.206          8320    423K
220.127.116.11          8173    403K
18.104.22.168           7246    357K
22.214.171.124          5729    283K
126.96.36.199           4480    215K
188.8.131.52/10         4443    221K
184.108.40.206          4321    259K
220.127.116.11/24       3905    234K
18.104.22.168           3768    241K
Overall this is significantly up from last week, although the leader is lower this time around; maybe they've finally given up hammering on us after several weeks.
- 22.214.171.124 and 126.96.36.199 return from last week; the former is now on the CBL, among other places.
- 188.8.131.52, 184.108.40.206, and 220.127.116.11 all tried to shovel phish spam at us to an extent that we blocked them. Since all of them used the same MAIL FROM of 'firstname.lastname@example.org', they may all be being exploited by the same spammer.
- 18.104.22.168 is in NJABL.
- 22.214.171.124 is a poczta.onet.pl mail sending machine; we have blocked all of poczta.onet.pl here due to advance fee fraud spam email.
- 126.96.36.199 is in SPEWS as part of a Rostelecom listing.
Connection time rejection stats:
37733 total
17223 bad or no reverse DNS
15812 dynamic IP
 2497 class bl-cbl
  560 class bl-njabl
  493 class bl-dsbl
  235 class bl-sdul
  146 class bl-spews
   79 class bl-ordb
   72 class bl-sbl
Fourteen out of the top 30 most rejected IP addresses were rejected more than 100 times; the champion is of course 188.8.131.52 (622 times before it wound up back in the kernel IP filters), with 184.108.40.206 next (265 times, for not having any reverse DNS and being in a pile of DNSBLs). 19 of the top 30 are currently in the CBL, and seven are currently in
Hotmail has probably improved compared to last week; the numbers are:
- 2 messages accepted.
- 3 messages rejected because they came from non-Hotmail email addresses.
- 5 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address being in the CBL.
This is less overall spam than last week, but a more diverse set of reasons for it being rejected.
And the last set of numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Unlike last week, there's nothing from btconnect.com; either they've stopped mailing us for now or they've fixed the problem (I know which option I'm betting on).
The most frequent target of bad bounces was the 38-digit hex string from before, at 5 bounces (all from Demon Internet machines). Apart from that it was almost all to usernames here that used to exist, apart from one to costauvqaagmlp and one to