Weekly spam summary on August 29th, 2006
The SMTP listener crashed and was restarted around Wednesday at 2am, so some of the statistics are short this week. That said, this week we:
- got 12,378 messages from 234 different IP addresses.
- handled 17,251 sessions from 822 different IP addresses.
- received 87,872 connections from at least 29,223 different IP addresses since Wednesday at 2am.
- hit a highwater of 6 connections being checked at once, since Wednesday at 2am.
It looks like we had around 140,000 connections this week in total, which is up from last week. The other volume stats are about the same.
Kernel level packet filtering top ten:
    Host/Mask           Packets   Bytes
    220.127.116.11        18633    969K
    18.104.22.168          7820    469K
    22.214.171.124/11      5254    256K
    126.96.36.199          4974    253K
    188.8.131.52/10        4500    230K
    184.108.40.206         3420    150K
    220.127.116.11         2765    129K
    18.104.22.168/11       2096    105K
    22.214.171.124         2073   99504
    126.96.36.199          2059    124K
- 188.8.131.52 is our poster spike baby, jumping into clear first place this week after only coming in second last week.
- 184.108.40.206 and 220.127.116.11 kept trying to send us stuff that had already hit our spamtraps.
- 18.104.22.168 had bad reverse DNS (it's also currently in SORBS).
- 22.214.171.124 is a Covad machine we consider to be a 'dialup', seen before back in July. Evidence suggests that it would have also been rejected for a bad
- 126.96.36.199 is a Wanadoo France dialup. The heat death of the universe will happen before we talk to them.
- 188.8.131.52 is smtp1.wanadoo.co.uk, and is in SPEWS as S703 because, surprise surprise, it is spewing advance fee fraud spam.
(You might suspect that I have a low opinion of all Wanadoo properties. You would be correct.)
Connection time rejection stats:
    29928  total
    14000  dynamic IP
    12304  bad or no reverse DNS
     1492  class bl-cbl
      645  class bl-njabl
      229  class bl-spews
      211  class bl-sbl
      205  class bl-sdul
      173  class bl-ordb
      114  class bl-dsbl
This is down somewhat from last week.
Six out of the top 30 most rejected IP addresses this week were rejected 100 times or more, with the champion being 184.108.40.206 (360 times). 16 of the top 30 are currently in the CBL, 11 are currently in bl.spamcop.net, and two are in the SBL.
The SBL sources are the same as last week: 220.127.116.11 and 18.104.22.168, our friends 'Cutting Edge Media', SBL45150. Between the two of them they accounted for just over half of the SBL hits this week. Personally, I am hoping that they go away soon.
Hotmail is not making me any happier this week:
- 6 messages accepted, at least three of which were spam.
- 7 messages rejected because they came from non-Hotmail email addresses.
- 13 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 1 message refused due to its origin IP address being a SAIX/Telkom SA DSL line.
Next week will likely see a drastic reduction in the 'non-Hotmail email addresses' category but an equivalent increase elsewhere, since I have just decided to accept hotmail.co.uk email from Hotmail's mail servers. (I may regret this.)
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Unfortunately the biggest source of bad HELO names this week was a University of Toronto machine that I may need to hunt down and get
Bad bounces went to 23 different usernames this week, in the usual variety: some old ones, some vaguely plausible usernames, and some random alphanumeric jumbles.