Weekly spam summary on August 29th, 2006
The SMTP listener crashed and was restarted around Wednesday at 2am, so some of the statistics are short this week. That said, this week we:
- got 12,378 messages from 234 different IP addresses.
- handled 17,251 sessions from 822 different IP addresses.
- received 87,872 connections from at least 29,223 different IP addresses since Wednesday at 2am.
- hit a highwater of 6 connections being checked at once, since Wednesday at 2am.
It looks like we had around 140,000 connections this week in total, which is up from last week. The other volume stats are about the same.
Kernel level packet filtering top ten:
  Host/Mask           Packets  Bytes
  184.108.40.206        18633  969K
  220.127.116.11         7820  469K
  18.104.22.168/11       5254  256K
  22.214.171.124         4974  253K
  126.96.36.199/10       4500  230K
  188.8.131.52           3420  150K
  184.108.40.206         2765  129K
  220.127.116.11/11      2096  105K
  18.104.22.168          2073  99504
  22.214.171.124         2059  124K
- 126.96.36.199 is our poster spike baby, jumping into clear first place this week after only coming in second last week.
- 188.8.131.52 and 184.108.40.206 kept trying to send us stuff that had already hit our spamtraps.
- 220.127.116.11 had bad reverse DNS (it's also currently in SORBS).
- 18.104.22.168 is a Covad machine we consider to be a 'dialup', seen before back in July. Evidence suggests that it would have also been rejected for a bad
- 22.214.171.124 is a Wanadoo France dialup. The heat death of the universe will happen before we talk to them.
- 126.96.36.199 is smtp1.wanadoo.co.uk, and is in SPEWS as S703 because, surprise surprise, it is spewing advance fee fraud spam.
(You might suspect that I have a low opinion of all Wanadoo properties. You would be correct.)
Connection time rejection stats:
  29928 total
  14000 dynamic IP
  12304 bad or no reverse DNS
   1492 class bl-cbl
    645 class bl-njabl
    229 class bl-spews
    211 class bl-sbl
    205 class bl-sdul
    173 class bl-ordb
    114 class bl-dsbl
This is down somewhat from last week.
Six out of the top 30 most rejected IP addresses this week were rejected 100 times or more, with the champion being 188.8.131.52 (360 times). 16 of the top 30 are currently in the CBL, 11 are currently in bl.spamcop.net, and two are in the SBL.
The SBL sources are the same as last week: 184.108.40.206 and 220.127.116.11, our friends 'Cutting Edge Media', SBL45150. Between the two of them they accounted for just over half of the SBL hits this week. Personally, I am hoping that they go away soon.
Hotmail is not making me any happier this week:
- 6 messages accepted, at least three of which were spam.
- 7 messages rejected because they came from non-Hotmail email addresses.
- 13 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 1 message refused due to its origin IP address being a SAIX/Telkom SA DSL line.
Next week will likely see a drastic reduction in the 'non-Hotmail email addresses' category but an equivalent increase elsewhere, since I have just decided to accept hotmail.co.uk email from Hotmail's mail servers. (I may regret this.)
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Unfortunately the biggest source of bad HELO names this week was a University of Toronto machine that I may need to hunt down and get
Bad bounces went to 23 different usernames this week, in the usual variety: some old ones, some vaguely plausible usernames, and some random alphanumeric jumbles.