Weekly spam summary on June 3rd, 2006
This week, we:
- got 11,560 messages from 225 different IP addresses.
- handled 16,969 sessions from 1005 different IP addresses.
- received 135,139 connections from at least 46,180 different IP addresses.
- hit a highwater of 12 connections being checked at once.
Apart from slightly higher numbers of IP addresses talking to us this week, this is a clone of last week's numbers. Since the per day volume fluctuated, I'll include the table this week:
Day | Connections | different IPs |
Sunday | 14,968 | +6,360 |
Monday | 22,460 | +6,890 |
Tuesday | 20,133 | +6,642 |
Wednesday | 21,142 | +7,553 |
Thursday | 17,879 | +5,624 |
Friday | 20,882 | +7,370 |
Saturday | 17,675 | +5,741 |
This isn't a major fluctuation as those go; clearly things are a bit random. (Perhaps one day I will add deliveries by day to this table, although it's harder to construct.)
Kernel level packet filtering top ten:
Host/Mask | Packets | Bytes |
65.126.217.71 | 17288 | 879K |
218.254.83.47 | 7490 | 360K |
66.58.176.187 | 5555 | 283K |
198.187.200.0/24 | 5080 | 305K |
61.128.0.0/10 | 4282 | 214K |
218.0.0.0/11 | 4014 | 200K |
212.216.176.0/24 | 3588 | 183K |
220.160.0.0/11 | 3413 | 171K |
213.177.135.32 | 2800 | 134K |
63.252.170.25 | 2629 | 123K |
Overall this seems quieter than last week, although there's one obvious huge exception.
- 65.126.217.71 is a QWEST IP address that kept HELO'ing as 'yinyang', with no domain name or anything. Declined.
- 218.254.83.47 and 66.58.176.187 return from last week, evidently still not done yet.
- 213.177.135.32 and 63.252.170.25 are CBL-listed and gave us bad HELO names on top of it.
198.187.200.0/24 is an outdated and now erroneous listing I just noticed now. Whoops. (See, there's more than one reason for me to do these summaries. Finding such outdated listings is one of those generic problems, partly because I never built an infrastructure to manage it all when I set these things up.)
Connection time rejection stats:
44525 | total |
21085 | bad or no reverse DNS |
19378 | dynamic IP |
2400 | class bl-cbl |
322 | class bl-sdul |
233 | class bl-dsbl |
153 | class bl-spews |
142 | class bl-sbl |
131 | class bl-njabl |
68 | class bl-ordb |
Rejections are up on last week, and more than I'd expect from
the slight overall traffic growth. 24 of the top 30 most rejected
IP addresses had more than 100 rejections, with the champion being
64.191.63.117 (382 times); our friend 218.254.83.47 is the runner up
with 379 rejections. 24 of the top 30 are currently in the CBL and 10
are currently in bl.spamcop.net.
Hotmail stats are low but not groovy:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 10 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 1 message refused due to its origin IP address being part of Gilat-Satcom.
Meanwhile Yahoo continues to slap us with the spam trout, although I have yet to write a script to generate numbers for how badly.
The last set of numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 288 | 69 | 462 | 64 |
Bad bounces | 27 | 23 | 18 | 16 |
Once again there were several bounces to our friend the 38-digit
hex string, plus to a number of real (ex) usernames, plus random
ones. The new pattern this week is bounces to all-digit usernames
of various lengths, ranging from 03 to 41291175.