Weekly spam summary on August 5th, 2006
This week, we:
- got 12,245 messages from 230 different IP addresses.
- handled 16,343 sessions from 801 different IP addresses.
- received 141,499 connections from at least 42,169 different IP addresses.
- hit a highwater of 7 connections being checked at once.
This is down slightly from last week. We will probably see variations in accepted messages all August, since this is both doldrums and panic time at universities. The per day figures:
Kernel level packet filtering top ten:
Host/Mask           Packets   Bytes
220.127.116.11        14645    745K
18.104.22.168          6550    341K
22.214.171.124         5705    254K
126.96.36.199          3219    159K
188.8.131.52/11        2743    138K
184.108.40.206/24      2542    128K
220.127.116.11/10      2375    119K
18.104.22.168          2208    106K
22.214.171.124/11      2199    110K
126.96.36.199/12       2148    108K
The top is up a lot but the rest is down a bit from last week.
- 188.8.131.52 and 184.108.40.206 are APNIC IP addresses with no reverse DNS; the former in Australia, the latter in Vietnam (and
- 220.127.116.11 (bad HELO), 18.104.22.168 (bad reverse DNS), and 22.214.171.124 (bad HELO) return from last week.
Connection time rejection stats:
34294 total
17031 dynamic IP
13730 bad or no reverse DNS
 2243 class bl-cbl
  251 class bl-njabl
  190 class bl-sdul
  105 class bl-sbl
  102 class bl-ordb
   97 class bl-spews
   61 class bl-dsbl
Out of the 30 most rejected IP addresses, 3 were rejected more than 100 times; 126.96.36.199 (763 times, charter.com cablemodem, on the CBL et al), 188.8.131.52 (195 times), and 184.108.40.206 (129 times, Hong Kong with no reverse DNS, on the CBL et al). 16 of the top 30 are currently in the CBL, and 8 are currently in
Hotmail has slightly improved from last week:
- no messages accepted.
- 6 messages rejected because they came from non-Hotmail email addresses.
- 11 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address.
As with last week, all of the 'non-Hotmail email addresses' are other Hotmail properties. While less suggestive than last week's, none of the usernames fill me with great joy and confidence that they are real people (or at least real people located somewhere besides a Nigerian cybercafe).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
This week, there are no really outstanding sources of bad
(and, since I have looked, no really hysterically absurd ones either).
Bad bounce destinations are much like last week, and just like last week the spammer using the 38-character hex strings seems to have stayed gone. I have to confess I sort of miss them; they injected a certain dose of surreality into the proceedings.