Weekly spam summary on July 8th, 2006
This week, we:
- got 13,932 messages from 204 different IP addresses.
- handled 17,417 sessions from 865 different IP addresses.
- received 161,727 connections from at least 52,444 different IP addresses.
- hit a highwater of 50 connections being checked at once (hit on Friday).
This is about the same as last week, allowing for random variation. The per day table is mostly but not entirely flat, so I'm going to include it:
Kernel level packet filtering top ten:
Host/Mask            Packets  Bytes
184.108.40.206/11    9919     485K
220.127.116.11/10    7007     367K
18.104.22.168        6328     329K
22.214.171.124       5037     235K
126.96.36.199        4932     237K
188.8.131.52         4189     201K
184.108.40.206       4155     201K
220.127.116.11/24    4030     203K
18.104.22.168        3774     181K
22.214.171.124/11    3680     182K
Volume is down from last week, only partly because the two big point sources went away, and this week the top two spots are claimed by Chinese netblocks instead of individual IP addresses.
- 126.96.36.199 returns from last week, still with a bad
- 188.8.131.52 and 184.108.40.206 also have bad
- 220.127.116.11 was listed in the NJABL (but no longer is).
- 18.104.22.168, a very active hkcable.com.hk cablemodem, returns from last week.
- 22.214.171.124 is listed in the SORBS DUL list (and is currently in
Connection time rejection stats:
55159 total
29576 dynamic IP
21628 bad or no reverse DNS
2631 class bl-cbl
230 class bl-njabl
154 class bl-sdul
135 class bl-spews
124 class bl-sbl
87 class bl-dsbl
10 class bl-ordb
This is a striking jump up from last week for only a relatively moderate increase in overall connection volume. I suspect that spammers may be having their zombies get more persistent to overcome greylisting; oh well, very little lasts forever in the antispam world.
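As an added illustration (not code from the original post), here is a small tally script that groups inbound SMTP connections into the same rejection classes the table above uses: dynamic IP, bad or no reverse DNS, and one class per DNSBL. The record format, the reverse-DNS name fragments treated as "dynamic", and the order in which the checks are applied are all assumptions made for this example; the sample records use RFC 5737 TEST-NET addresses and are constructed, not taken from any real log.

```python
# Added example, not code from the original post: tally SMTP connection
# rejections into the classes the weekly summary reports (dynamic IP,
# bad or no reverse DNS, DNSBL class). The record format and the check
# order are assumptions made for this example.
import re
from collections import Counter
from typing import Optional

# Constructed sample records, one connection per line:
#   <ip> rdns=<name or -> fcrdns=<ok|fail|-> bl=<comma-separated DNSBL list or ->
# (RFC 5737 TEST-NET addresses; no real hosts.)
SAMPLE_LOG = """\
192.0.2.15 rdns=dsl-192-0-2-15.example.net fcrdns=ok bl=-
192.0.2.16 rdns=- fcrdns=- bl=cbl
192.0.2.17 rdns=mail.example.org fcrdns=ok bl=cbl,sbl
192.0.2.18 rdns=cable-18.dyn.example.com fcrdns=ok bl=cbl
192.0.2.19 rdns=mail.example.org fcrdns=ok bl=-
192.0.2.20 rdns=host20.example.net fcrdns=fail bl=-
192.0.2.21 rdns=relay.example.net fcrdns=ok bl=sdul
192.0.2.22 rdns=smtp.example.com fcrdns=ok bl=sbl,spews
"""

# Assumed heuristic: reverse-DNS name fragments that usually mark
# dynamic / dial-up / consumer address pools.
DYNAMIC_RDNS = re.compile(r"(dsl|ppp|dialup|dyn|pool|cable)", re.IGNORECASE)

# Assumed check order: the first matching class wins. The DNSBL order
# follows the summary's own listing.
DNSBL_ORDER = ["cbl", "njabl", "sdul", "spews", "sbl", "dsbl", "ordb"]

RECORD_RE = re.compile(r"^(\S+) rdns=(\S+) fcrdns=(\S+) bl=(\S+)$")


def classify(rdns: str, fcrdns: str, bls: set) -> Optional[str]:
    """Return the rejection class for one connection, or None if it passes."""
    has_rdns = rdns != "-"
    if has_rdns and DYNAMIC_RDNS.search(rdns):
        return "dynamic IP"
    # "bad" reverse DNS here means the name does not resolve back to the IP.
    if not has_rdns or fcrdns == "fail":
        return "bad or no reverse DNS"
    for name in DNSBL_ORDER:
        if name in bls:
            return f"class bl-{name}"
    return None


def tally(log_text: str) -> Counter:
    """Count rejections by class; 'total' is all rejections, 'accepted' the rest."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        match = RECORD_RE.match(line)
        if not match:
            continue  # skip records in an unexpected shape rather than guess
        _ip, rdns, fcrdns, bl = match.groups()
        bls = set() if bl == "-" else set(bl.split(","))
        reason = classify(rdns, fcrdns, bls)
        if reason is None:
            counts["accepted"] += 1
        else:
            counts[reason] += 1
            counts["total"] += 1
    return counts


def report(counts: Counter) -> str:
    """Render the tally in the summary's '<count> <class>' style, largest first."""
    lines = [f"{counts['total']} total"]
    rows = [(r, n) for r, n in counts.items() if r not in ("total", "accepted")]
    for reason, n in sorted(rows, key=lambda item: (-item[1], item[0])):
        lines.append(f"{n} {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(tally(SAMPLE_LOG)))
```

The point of putting the dynamic-IP test ahead of the DNSBL lookups is the same one the table's proportions suggest: the cheap local checks (rDNS shape, forward-confirmed rDNS) catch the bulk of the traffic, and only the remainder needs a DNSBL query.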
All 30 of the 30 most rejected IP addresses were rejected more than a hundred times; the champion is 126.96.36.199, with 1247 rejections, and with this latest episode it's now earned a permanent place in our kernel IP filters. 27 of the 30 are currently in the CBL, and six are
Hotmail had a so-so week, and I've discovered that some of my past stats around the start of each month may have been inaccurate. This week's numbers:
- no messages accepted.
- 4 messages rejected because they came from non-Hotmail email addresses.
- 14 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address.
That's a lot of mail to our spamtraps, and I'm not too happy about it. Hotmail may be stopping spammers relatively fast, but it's clearly letting them send some spam to start with.
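The five Hotmail counts above correspond to five policy outcomes. As an added example (not code from the original post), the following policy engine produces exactly those outcomes for mail arriving from Hotmail's servers: refuse by origin IP, reject non-Hotmail sender addresses, refuse senders that previously hit a spamtrap, record new spamtrap hits, and accept the rest. The network ranges, the sender domain list, the spamtrap addresses, the message sequence and the order of the checks are all assumptions constructed for this example.

```python
# Added example, not code from the original post: a small policy engine
# that yields the five outcomes the Hotmail section counts.
# Network ranges, sender domains, spamtrap addresses and check order
# are assumptions constructed for this example.
import ipaddress
from collections import Counter

# Constructed placeholders (RFC 5737 TEST-NET); substitute the real ranges.
HOTMAIL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
BLOCKED_ORIGINS = {ipaddress.ip_address("192.0.2.99")}
# Sender domains we expect Hotmail's outbound servers to use (assumed).
HOTMAIL_SENDER_DOMAINS = {"hotmail.com"}
# Local addresses that never receive legitimate mail (constructed).
SPAMTRAPS = {"oldaccount@example.com", "trap-17@example.com"}


class HotmailPolicy:
    """Decide what to do with one message from Hotmail's servers and keep counts."""

    def __init__(self):
        self.trap_hitters = set()  # senders seen hitting a spamtrap earlier
        self.stats = Counter()

    def decide(self, origin_ip: str, mail_from: str, rcpt_to: str) -> str:
        ip = ipaddress.ip_address(origin_ip)
        if not any(ip in net for net in HOTMAIL_NETS):
            return "not-hotmail"  # this policy only applies to Hotmail's servers
        sender = mail_from.lower()
        recipient = rcpt_to.lower()
        # Assumed order: the cheapest and most certain checks first.
        if ip in BLOCKED_ORIGINS:
            self.stats["refused: origin IP"] += 1
            return "reject"
        if sender.rpartition("@")[2] not in HOTMAIL_SENDER_DOMAINS:
            self.stats["rejected: non-Hotmail sender address"] += 1
            return "reject"
        if sender in self.trap_hitters:
            self.stats["refused: sender already hit a spamtrap"] += 1
            return "reject"
        if recipient in SPAMTRAPS:
            # Accept without error so the sender learns nothing, and remember them.
            self.trap_hitters.add(sender)
            self.stats["sent to spamtrap"] += 1
            return "trap"
        self.stats["accepted"] += 1
        return "accept"


def run_sample() -> tuple:
    """Feed a constructed message sequence through one policy instance."""
    policy = HotmailPolicy()
    sample = [
        ("192.0.2.10", "spammer@hotmail.com", "oldaccount@example.com"),  # hits a trap
        ("192.0.2.10", "spammer@hotmail.com", "alice@example.com"),       # same sender, real user
        ("192.0.2.11", "someone@example.org", "alice@example.com"),       # non-Hotmail sender
        ("192.0.2.99", "bob@hotmail.com", "alice@example.com"),           # blocked origin
        ("198.51.100.5", "bob@hotmail.com", "alice@example.com"),         # not Hotmail at all
        ("192.0.2.12", "bob@hotmail.com", "alice@example.com"),           # ordinary mail
    ]
    decisions = [policy.decide(*msg) for msg in sample]
    return decisions, policy.stats


if __name__ == "__main__":
    decisions, stats = run_sample()
    for msg_decision in decisions:
        print(msg_decision)
    for outcome, n in stats.items():
        print(f"{n} {outcome}")
```

The stateful part is the second message in the sample: the same sender that was quietly accepted into a spamtrap one message earlier is refused when it next writes to a real mailbox, which is the "sender addresses had already hit our spamtraps" count in the list.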
And the closing numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Both of these are up significantly from last week, and I suspect that it's the same root cause: spammers are forging us on their spam more actively. There is no single source of bad HELOs that stands out a lot (the winner is 188.8.131.52 aka 'pascor01.Pascor.local', but with only 85 rejections).
This week sees a new 38-character hex string appear in the bad bounces, 8B407639D45C5742ADD3987F7E013C41178B66. Apart from that, there's a lot more variety this week, with 54 different usernames ranging from long-dead accounts to plausible accounts to random alphanumeric sequences like 'zfqbxbgm330'; the random alphanumerics are the predominant group. Interestingly, the only all-digit username this week