Weekly spam summary on July 15th, 2006
This week, we:
- got 12,289 messages from 220 different IP addresses.
- handled 18,265 sessions from 954 different IP addresses.
- received 143,889 connections from at least 48,413 different IP addresses.
- hit a highwater of 14 connections being checked at once.
Session volume is up slightly from last week, but everything else is down. The per day table is relatively boring, so I'm omitting it this week.
Kernel level packet filtering top eleven:
Host/Mask          Packets  Bytes
22.214.171.124       16293   717K
126.96.36.199        12190   731K
188.8.131.52/11       7848   383K
184.108.40.206        7830   407K
220.127.116.11/10     4919   257K
18.104.22.168/24      4779   244K
22.214.171.124        4509   271K
126.96.36.199         4142   249K
188.8.131.52/11       3573   176K
184.108.40.206        3119   187K
220.127.116.11        3111   149K
The bottom of the top eleven is about the same volume as last week, but the top end is much higher.
- 18.104.22.168 kept trying to send email from an email address that had hit a spamtrap.
- 22.214.171.124 is a Hong Kong IP address with no reverse DNS, and is also in the CBL.
- 126.96.36.199 returns from last week, still with a bad
- 188.8.131.52 is a Czech IP address with no reverse DNS (and is in
- 184.108.40.206 is an aruba.it webmail machine; we now refuse all of them after too much spam from aruba.it.
- 220.127.116.11 kept trying to send email from an email address that had already hit a spamtrap, in this case '
- our old friend 18.104.22.168 from last week and before is at #11, just barely failing to make the top ten list, but I included it anyways.
I'm not too happy with 'city.localevents.com', as this is the second time they've hit our spamtraps with something (both times from 22.214.171.124). They may get banned entirely if this happens again.
Connection time rejection stats:
40160  total
18979  dynamic IP
16601  bad or no reverse DNS
 2767  class bl-cbl
  520  class bl-njabl
  172  class bl-ordb
  152  class bl-dsbl
  133  class bl-sbl
  127  class bl-sdul
   40  class bl-spews
The top three are down significantly from last week, but the other numbers haven't budged much (the CBL rejections are even up slightly).
Eighteen of the top 30 most rejected IP addresses were rejected more than 100 times, with 126.96.36.199 the winner at 307 rejections. 188.8.131.52 (245 rejections) and 184.108.40.206 (222 rejections) collect second and third place. 20 of the top 30 are currently in the CBL and 5 are currently in
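The per-reason totals and the "top 30 most rejected" figures above are the kind of thing that falls out of a quick pass over the mail server's rejection log. Here is an added example of that aggregation, written for this post rather than taken from it: the log line format, the sample lines and the IP addresses (RFC 5737 documentation ranges) are all constructed, and only the reason vocabulary ('dynamic IP', 'bad or no reverse DNS', 'class bl-cbl', and so on) is borrowed from the summary.

```python
"""Aggregate connection-time SMTP rejections by reason and by client IP.

Constructed example, not the original author's code or log format.  Each
line carries a timestamp, a verdict, a client IP and a rejection reason;
the reason strings mirror the summary's categories.  All addresses are
RFC 5737 documentation addresses, not real hosts.
"""
import re
from collections import Counter

# Constructed sample log lines in a hypothetical format (one record per line).
SAMPLE_LOG = """\
Jul 15 00:01:02 smtp reject 192.0.2.10 dynamic IP
Jul 15 00:01:09 smtp reject 192.0.2.10 dynamic IP
Jul 15 00:02:11 smtp reject 198.51.100.7 bad or no reverse DNS
Jul 15 00:03:40 smtp reject 203.0.113.5 class bl-cbl
Jul 15 00:04:13 smtp reject 192.0.2.10 dynamic IP
Jul 15 00:05:55 smtp reject 198.51.100.7 class bl-cbl
Jul 15 00:06:01 smtp accept 198.51.100.200 ok
Jul 15 00:07:22 smtp reject 203.0.113.5 class bl-cbl
garbage line that does not parse
"""

# Timestamp, verdict, dotted-quad IP, free-text reason.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) smtp (?P<verdict>reject|accept) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<reason>.+)$"
)


def parse_rejections(text):
    """Yield (ip, reason) for every parsable 'reject' line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("verdict") == "reject":
            yield m.group("ip"), m.group("reason").strip()


def summarize(text, top_n=30, threshold=100):
    """Return totals per reason, the top_n most rejected IPs, and how many of
    those top_n were rejected more than `threshold` times."""
    rejections = list(parse_rejections(text))
    by_reason = Counter(reason for _, reason in rejections)
    by_ip = Counter(ip for ip, _ in rejections)
    top = by_ip.most_common(top_n)
    return {
        "total": len(rejections),
        "by_reason": dict(by_reason),
        "top_ips": top,
        "heavy_hitters": sum(1 for _, n in top if n > threshold),
    }


def format_report(summary):
    """Render the summary in the same shape as the weekly post's stats block."""
    lines = [f"{summary['total']:6d}  total"]
    for reason, n in sorted(summary["by_reason"].items(), key=lambda kv: -kv[1]):
        lines.append(f"{n:6d}  {reason}")
    lines.append("")
    for ip, n in summary["top_ips"]:
        lines.append(f"{ip:<16} {n} rejections")
    lines.append(f"{summary['heavy_hitters']} of the top "
                 f"{len(summary['top_ips'])} exceeded the threshold")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG, threshold=1)))
```

Unparsable lines and accepted connections are dropped rather than counted, so the totals only reflect actual rejections; a real log would also need the DNSBL class names normalised if the server spells them in more than one way.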
Hotmail had a so-so week:
- 1 message accepted.
- 2 messages rejected because they came from non-Hotmail email addresses.
- 10 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address.
As with last week, Hotmail continues to have spammers but they keep mailing our spamtraps instead of our real users. I suppose this is better than the alternative, and I have to admit that the volume stats are down a lot from the heights of the problem.
And the closing numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Leading contributors to the bad HELOs are 220.127.116.11 (356 rejections), 18.104.22.168 (172), 22.214.171.124 (89), and 126.96.36.199 (83), but there's no really big point source for
Bad bounces went to a lot of usernames this week, most of them clearly made up by spammers (mostly in a pattern of letters with a few digits at the end). But the leading username for bounces was ' times), there were some bounces to long since dead accounts, one bounce 35', and two bounces to one of the 38-character hex strings and one bounce to another one.
Those hex strings really make me wonder. Oh well, spammers are peculiar.