Weekly spam summary on July 15th, 2006
This week, we:
- got 12,289 messages from 220 different IP addresses.
- handled 18,265 sessions from 954 different IP addresses.
- received 143,889 connections from at least 48,413 different IP addresses.
- hit a highwater of 14 connections being checked at once.
Session volume is up slightly from last week, but everything else is down. The per day table is relatively boring, so I'm omitting it this week.
Kernel level packet filtering top eleven:
Host/Mask            Packets  Bytes
188.8.131.52           16293   717K
184.108.40.206         12190   731K
220.127.116.11/11       7848   383K
18.104.22.168           7830   407K
22.214.171.124/10       4919   257K
126.96.36.199/24        4779   244K
188.8.131.52            4509   271K
184.108.40.206          4142   249K
220.127.116.11/11       3573   176K
18.104.22.168           3119   187K
22.214.171.124          3111   149K
The bottom of the top eleven is about the same volume as last week, but the top end is much higher.
- 126.96.36.199 kept trying to send email from an email address that had hit a spamtrap.
- 188.8.131.52 is a Hong Kong IP address with no reverse DNS, and is also in the CBL.
- 184.108.40.206 returns from last week, still with a bad
- 220.127.116.11 is a Czech IP address with no reverse DNS (and is in
- 18.104.22.168 is an aruba.it webmail machine; we now refuse all of them after too much spam from aruba.it.
- 22.214.171.124 kept trying to send email from an email address that had
already hit a spamtrap, in this case '
- our old friend 126.96.36.199 from last week and before is at #11, just barely failing to make the top ten list, but I included it anyways.
I'm not too happy with 'city.localevents.com', as this is the second time they've hit our spamtraps with something (both times from 188.8.131.52). They may get banned entirely if this happens again.
Connection time rejection stats:
40160 total
18979 dynamic IP
16601 bad or no reverse DNS
 2767 class bl-cbl
  520 class bl-njabl
  172 class bl-ordb
  152 class bl-dsbl
  133 class bl-sbl
  127 class bl-sdul
   40 class bl-spews
The top three are down significantly from last week, but the other numbers haven't budged much (the CBL rejections are even up slightly).
Eighteen of the top 30 most rejected IP addresses were rejected
more than 100 times, with 184.108.40.206 the winner at 307 rejections.
220.127.116.11 (245 rejections) and 18.104.22.168 (222 rejections)
collect second and third place. 20 of the top 30 are currently in
the CBL and 5 are currently in
Hotmail had a so-so week:
- 1 message accepted.
- 2 messages rejected because they came from non-Hotmail email addresses.
- 10 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address
As with last week, Hotmail continues to have spammers but they keep mailing our spamtraps instead of our real users. I suppose this is better than the alternative, and I have to admit that the volume stats are down a lot from the heights of the problem.
And the closing numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Leading contributors to the bad
HELOs are 22.214.171.124 (356
rejections), 126.96.36.199 (172), 188.8.131.52 (89), and
184.108.40.206 (83), but there's no really big point source for
Bad bounces went to a lot of usernames this week, most of them clearly
made up by spammers (mostly in a pattern of letters with a few digits
at the end). But the leading username for bounces was '
times), there were some bounces to long since dead accounts, one bounce
35', and two bounces to one of the 38-character hex strings and
one bounce to another one.
Those hex strings really make me wonder. Oh well, spammers are peculiar.