Weekly spam summary on September 2nd, 2006
Our SMTP frontend survived all this week without problems, which was something of an accomplishment this week. Because this week, we:
- got 13,546 messages from 227 different IP addresses.
- handled 19,984 sessions from 1,283 different IP addresses.
- received 1,419,542 connections from at least 52,806 different IP addresses.
- hit a highwater of 9 connections being checked at once.
Yes, that is not a typo; this week we had a lot of SMTP connections, although none of the other numbers are up much compared to last week. It's not a continuation of the spam storm from last Saturday either, as the per-day numbers show:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 220.127.116.11 10704 557K 18.104.22.168 4490 216K 22.214.171.124/10 3609 190K 126.96.36.199/11 2976 145K 188.8.131.52 2405 144K 184.108.40.206/24 2367 119K 220.127.116.11/12 2330 116K 18.104.22.168/13 2226 107K 22.214.171.124 2215 106K 126.96.36.199 2114 127K
The overall volume is down from last week, with only one entry really sticking out.
- 188.8.131.52 returns from last week and many prior weeks.
- 184.108.40.206, 220.127.116.11, and 18.104.22.168 had bad
- 22.214.171.124 is '
mailout45.inetekk.com'. We have had prior dealings with inetekk that make us disinclined to ever accept email from them again.
Connection time rejection stats:
38665 total 18228 dynamic IP 15060 bad or no reverse DNS 2176 class bl-cbl 1381 class bl-sbl 547 class bl-dsbl 280 class bl-njabl 251 class bl-sdul 159 class bl-spews 84 class bl-ordb
Oddly, despite the huge connection volume there is no real growth in these stats compared to last week. I don't have any explanation for this.
Six of the top 30 most rejected IP addresses were rejected 100 times
or more, with the leader being 126.96.36.199 (197 times, rejected for
having no reverse DNS). 15 of the top 30 are currently in the CBL,
six are currently in
bl.spamcop.net, and two are in the SBL.
Somewhat to my surprise only one of those two is our non-friends at Cutting Edge Media (this week reporting in from 188.8.131.52). The other is 184.108.40.206, which is part of SBL21128, which is a /23 listing that is (to quote the listing) '419 scam sources in Senegal'. For extra displeasure, this listing was created November 14th, 2004.
Hotmail's stats this week are an improvement over last week:
- 1 message accepted.
- 1 message rejected because it came from a non-Hotmail email address; it was pretty certain to have been advance fee fraud spam.
- 25 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one for being in the CBL, one for being from Cote d'Ivoire).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
There were four people who sent 100 or more bad
HELOs before being
blocked, but the volume seems to be more or less fairly distributed;
there are no single runaway sources.
The most popular bad username to send stuff to continues to be
noreply', which perhaps shouldn't be surprising. In aggregate,
the most popular bounce destination is random alphabetic strings,
each one used only one time.