Weekly spam summary on August 12th, 2006
This week, we:
- got 12,152 messages from 212 different IP addresses.
- handled 16,255 sessions from 790 different IP addresses.
- received 124,287 connections from at least 41,964 different IP addresses.
- hit a highwater of 6 connections being checked at once.
This is down from last week. I don't expect it to stay that way, although I can hope that spammers take August vacations too. Speaking of vacations, the per day table is interesting this week:
Kernel level packet filtering top ten:
Host/Mask            Packets  Bytes
188.8.131.52           10466   516K
184.108.40.206          8151   424K
220.127.116.11          7544   372K
18.104.22.168           7294   322K
22.214.171.124/13       3555   171K
126.96.36.199           3374   167K
188.8.131.52            3193   149K
184.108.40.206/10       3079   154K
220.127.116.11/12       3037   154K
18.104.22.168           2688   161K
Although the high is lower, overall this is up from last week.
- 22.214.171.124 and 126.96.36.199 got blocked for hammering on us with stuff that had already hit spamtraps, probably phish spam.
- 188.8.131.52 (bad HELO), 184.108.40.206 (bad reverse DNS), and 220.127.116.11 (bad reverse DNS) return from last week.
- 18.104.22.168 is an IP address in Panama without reverse DNS.
Connection time rejection stats:
31230 total
13988 bad or no reverse DNS
13858 dynamic IP
 2242 class bl-cbl
  204 class bl-njabl
  147 class bl-sbl
  141 class bl-sdul
   95 class bl-dsbl
   77 class bl-ordb
   18 class bl-spews
I am starting to get curious about why the NJABL is such a consistent good performer for us. (Admittedly it is not by much compared to the CBL, but still.)
Only three out of the top 30 most rejected IP addresses were
refused more than 100 times this week; the winner is 22.214.171.124
(135 rejections, a Comcast cablemodem that is on a lot of DNSbls).
24 of the top 30 are currently in the CBL, 8 are currently in
bl.spamcop.net, and one is in the SBL.
The one in the SBL appears to be a genuine spammer: 126.96.36.199, 'Cutting Edge Media', SBL45150 (which lists the entire /24). It provided 61 of the SBL hits this week; the other big contributors are 188.8.131.52 (22 hits, SBL43698, caught scanning for vulnerable webforms that spammers exploit), 184.108.40.206 (13 hits, SBL41338, spam source), and 220.127.116.11 (11 hits, also Cutting Edge Media and SBL45150).
Hotmail slid right downhill this week:
- 1 message accepted, and it was almost certainly spam.
- 8 messages rejected because they came from non-Hotmail email addresses.
- 15 messages sent to our spamtraps.
- 4 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one for being SBL42606, and 18.104.22.168 for being in the CBL (among other problems)).
I'm not impressed.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
And another week closes without any bounces trying to go to those mysterious 38-character hex strings.