Weekly spam summary on August 12th, 2006
This week, we:
- got 12,152 messages from 212 different IP addresses.
- handled 16,255 sessions from 790 different IP addresses.
- received 124,287 connections from at least 41,964 different IP addresses.
- hit a highwater of 6 connections being checked at once.
This is down from last week. I don't expect it to stay that way, although I can hope that spammers take August vacations too. Speaking of vacations, the per day table is interesting this week:
Kernel level packet filtering top ten:
Host/Mask           Packets   Bytes
220.127.116.11        10466    516K
18.104.22.168          8151    424K
22.214.171.124         7544    372K
126.96.36.199          7294    322K
188.8.131.52/13        3555    171K
184.108.40.206         3374    167K
220.127.116.11         3193    149K
18.104.22.168/10       3079    154K
22.214.171.124/12      3037    154K
126.96.36.199          2688    161K
Although the high is lower, overall this is up from last week.
- 188.8.131.52 and 184.108.40.206 got blocked for hammering on us with stuff that had already hit spamtraps, probably phish spam.
- 220.127.116.11 (bad HELO), 18.104.22.168 (bad reverse DNS), and 22.214.171.124 (bad reverse DNS) return from last week.
- 126.96.36.199 is an IP address in Panama without reverse DNS.
Connection time rejection stats:
31230  total
13988  bad or no reverse DNS
13858  dynamic IP
 2242  class bl-cbl
  204  class bl-njabl
  147  class bl-sbl
  141  class bl-sdul
   95  class bl-dsbl
   77  class bl-ordb
   18  class bl-spews
I am starting to get curious about why the NJABL is such a consistent good performer for us. (Admittedly it is not by much compared to the CBL, but still.)
Only three out of the top 30 most rejected IP addresses were refused more than 100 times this week; the winner is 188.8.131.52 (135 rejections, a Comcast cablemodem that is on a lot of DNSbls). 24 of the top 30 are currently in the CBL, 8 are currently in bl.spamcop.net, and one is in the SBL.
The one in the SBL appears to be a genuine spammer: 184.108.40.206, 'Cutting Edge Media', SBL45150 (which lists the entire /24). It provided 61 of the SBL hits this week; the other big contributors are 220.127.116.11 (22 hits, SBL43698, caught scanning for vulnerable webforms that spammers exploit), 18.104.22.168 (13 hits, SBL41338, spam source), and 22.214.171.124 (11 hits, also Cutting Edge Media and SBL45150).
Hotmail slid right downhill this week:
- 1 message accepted, and it was almost certainly spam.
- 8 messages rejected because they came from non-Hotmail email addresses.
- 15 messages sent to our spamtraps.
- 4 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one for being SBL42606, and 126.96.36.199 for being in the CBL (among other problems)).
I'm not impressed.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
And another week closes without any bounces trying to go to those mysterious 38-character hex strings.