Weekly spam summary on September 9th, 2006

September 10, 2006

This week, we:

  • got 15,100 messages from 230 different IP addresses.
  • handled 18,312 sessions from 982 different IP addresses.
  • received 156,592 connections from at least 49,202 different IP addresses.
  • hit a highwater of 36 connections being checked at once, set on Saturday (today).

Message volume is up from last week, but I'm not too surprised; this is the start of classes and thus the time when all sorts of things come out of the woodwork and need to be emailed about. The per-day breakdown:

Day         Connections   different IPs
Sunday           20,556          +7,236
Monday           24,913          +8,452
Tuesday          24,521          +7,693
Wednesday        25,250          +7,693
Thursday         22,355          +6,929
Friday           21,720          +6,690
Saturday         17,277          +4,509

I suppose I shouldn't be surprised that the whatever-it-is traffic didn't take Labour Day off.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          18567    965K
193.70.192.0/24       11572    522K
218.0.0.0/11           4542    221K
61.128.0.0/10          3442    173K
209.94.172.156         2723    145K
195.39.69.48           2670    160K
200.254.87.131         2669    128K
63.204.205.50          2008    120K
221.6.101.22           1972    118K
212.175.13.129         1957    117K

Overall volume is both up (at the high end) and down (at the low end) from last week.

  • 213.4.149.12 and 212.175.13.129 both return from last week, still with bad HELO greetings.
  • 209.94.172.156 kept trying to send spam after tripping our traps.
  • 195.39.69.48 returns from August, blocked due to having no reverse DNS.
  • 200.254.87.131 and 221.6.101.22 also have no reverse DNS.
  • 63.204.205.50 is a frys.com machine. Although I suspect that it is trying to send us a backscatter bounce, it got blocked due to the behavior exhibited here.

Connection time rejection stats:

  33545 total
  16606 dynamic IP
  13517 bad or no reverse DNS
   2131 class bl-cbl
    249 class bl-njabl
    185 class bl-sbl
    166 class bl-dsbl
    131 class bl-sdul
     75 class bl-ordb
     46 class bl-spews

I have more or less given up peering into my crystal ball about the week to week connection time rejection stats unless something big changes. (Ironically, I missed the big change last week, which was the jump in the SBL's rejection rate to just behind the CBL.)

Seven of the top 30 most rejected IP addresses were rejected 100 times or more, with the champion being 200.254.87.131 (215 times), followed by 87.6.134.240 (210 times, an Interbusiness IP address that is also on the CBL et al).

22 of the top 30 most rejected IP addresses are currently in the CBL, 8 are currently in bl.spamcop.net, and 2 are currently in the SBL; both are 'Cutting Edge Media' IP addresses. Apparently those people just don't give up.

Hotmail stats this week are a bit better than last week, but worse on a personal level:

  • 2 messages accepted, both spam sent to me.
  • No messages rejected because they came from non-Hotmail email addresses.
  • 21 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • No messages refused due to their origin IP address.

And the final numbers:

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs             593               80          2258              140
Bad bounces           101               91           263              233

Apart from the welcome reduction in these numbers, this week is pretty much the same as last week. The bad bounces did see the return of one of the 38-character hex digit login names as a destination, which makes me obscurely happy, much like Ursula Vernon spotting a botfly-infected squirrel.

Written on 10 September 2006.

Last modified: Sun Sep 10 01:16:29 2006