Weekly spam summary on July 15th, 2006
This week, we:
- got 12,289 messages from 220 different IP addresses.
- handled 18,265 sessions from 954 different IP addresses.
- received 143,889 connections from at least 48,413 different IP addresses.
- hit a highwater of 14 connections being checked at once.
Session volume is up slightly from last week, but everything else is down. The per day table is relatively boring, so I'm omitting it this week.
Kernel level packet filtering top eleven:
Host/Mask | Packets | Bytes |
209.216.205.162 | 16293 | 717K |
210.245.161.90 | 12190 | 731K |
218.0.0.0/11 | 7848 | 383K |
213.4.149.12 | 7830 | 407K |
61.128.0.0/10 | 4919 | 257K |
212.216.176.0/24 | 4779 | 244K |
195.39.69.48 | 4509 | 271K |
62.149.158.91 | 4142 | 249K |
220.160.0.0/11 | 3573 | 176K |
66.193.15.20 | 3119 | 187K |
218.254.82.97 | 3111 | 149K |
The bottom of the top eleven is about the same volume as last week, but the top end is much higher.
- 209.216.205.162 kept trying to send email from an email address that had hit a spamtrap.
- 210.245.161.90 is a Hong Kong IP address with no reverse DNS, and is also in the CBL.
- 213.4.149.12 returns from last week, still with a bad HELO.
- 195.39.69.48 is a Czech IP address with no reverse DNS (and is in spam.dnsbl.sorbs.net).
- 62.149.158.91 is an aruba.it webmail machine; we now refuse all of them after too much spam from aruba.it.
- 66.193.15.20 kept trying to send email from an email address that had already hit a spamtrap, in this case 'women@city.localevents.com'.
- our old friend 218.254.82.97 from last week and before is at #11, just barely failing to make the top ten list, but I included it anyways.
I'm not too happy with 'city.localevents.com', as this is the second time they've hit our spamtraps with something (both times from 66.193.15.20). They may get banned entirely if this happens again.
Connection time rejection stats:
    40160 total
    18979 dynamic IP
    16601 bad or no reverse DNS
     2767 class bl-cbl
      520 class bl-njabl
      172 class bl-ordb
      152 class bl-dsbl
      133 class bl-sbl
      127 class bl-sdul
       40 class bl-spews
The top three are down significantly from last week, but the other numbers haven't budged much (the CBL rejections are even up slightly).
Eighteen of the top 30 most rejected IP addresses were rejected
more than 100 times, with 84.229.4.87 the winner at 307 rejections.
203.197.246.51 (245 rejections) and 82.232.29.56 (222 rejections)
collect second and third place. 20 of the top 30 are currently in
the CBL and 5 are currently in bl.spamcop.net.
Hotmail had a so-so week:
- 1 message accepted.
- 2 messages rejected because they came from non-Hotmail email addresses.
- 10 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address.
As with last week, Hotmail continues to have spammers but they keep mailing our spamtraps instead of our real users. I suppose this is better than the alternative, and I have to admit that the volume stats are down a lot from the heights of the problem.
And the closing numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 1422 | 70 | 608 | 56 |
Bad bounces | 127 | 108 | 88 | 62 |
Leading contributors to the bad HELOs are 209.97.195.183 (356
rejections), 212.122.235.35 (172), 62.42.227.11 (89), and
212.150.140.50 (83), but there's no really big point source for
the big HELO jump.
Bad bounces went to a lot of usernames this week, most of them clearly
made up by spammers (mostly in a pattern of letters with a few digits
at the end). But the leading username for bounces was 'books' (12
times), there were some bounces to long since dead accounts, one bounce
to '35', and two bounces to one of the 38-character hex strings and
one bounce to another one.
Those hex strings really make me wonder. Oh well, spammers are peculiar.