Weekly spam summary on September 9th, 2006
This week, we:
- got 15,100 messages from 230 different IP addresses.
- handled 18,312 sessions from 982 different IP addresses.
- received 156,592 connections from at least 49,202 different IP addresses.
- hit a highwater of 36 connections being checked at once, set on Saturday (today).
Message volume is up from last week, but I'm not too surprised; this is the start of classes and thus the time when all sorts of things come out of the woodwork and need to be emailed about. The per-day breakdown:
I suppose I shouldn't be surprised that the whatever-it-is traffic didn't take Labour Day off.
Kernel level packet filtering top ten:
    Host/Mask           Packets   Bytes
    220.127.116.11        18567    965K
    18.104.22.168/24      11572    522K
    22.214.171.124/11      4542    221K
    126.96.36.199/10       3442    173K
    188.8.131.52           2723    145K
    184.108.40.206         2670    160K
    220.127.116.11         2669    128K
    18.104.22.168          2008    120K
    22.214.171.124         1972    118K
    126.96.36.199          1957    117K
Overall volume is both up (at the high end) and down (at the low end) from last week.
- 188.8.131.52 and 184.108.40.206 both return from last week, still with bad
- 220.127.116.11 kept trying to send spam after tripping our traps.
- 18.104.22.168 returns from August, blocked due to having no reverse DNS.
- 22.214.171.124 and 126.96.36.199 also have no reverse DNS.
- 188.8.131.52 is a frys.com machine. Although I suspect that it is trying to send us a backscatter bounce, it got blocked due to the behavior exhibited here.
Connection time rejection stats:
    33545 total
    16606 dynamic IP
    13517 bad or no reverse DNS
     2131 class bl-cbl
      249 class bl-njabl
      185 class bl-sbl
      166 class bl-dsbl
      131 class bl-sdul
       75 class bl-ordb
       46 class bl-spews
I have more or less given up peering into my crystal ball about the week to week connection time rejection stats unless something big changes. (Ironically, I missed the big change last week, which was the jump in the SBL's rejection rate to just behind the CBL.)
Seven of the top 30 most rejected IP addresses were rejected 100 times or more, with the champion being 184.108.40.206 (215 times), followed by 220.127.116.11 (210 times, an Interbusiness IP address that is also on the CBL et al).
22 of the top 30 most rejected IP addresses are currently in the CBL, 8 are currently in bl.spamcop.net, and 2 are currently in the SBL; both are 'Cutting Edge Media' IP addresses. Apparently those people just don't give up.
Hotmail stats this week are a bit better than last week, but worse on a personal level:
- 2 messages accepted, both spam sent to me.
- No messages rejected because they came from non-Hotmail email addresses.
- 21 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- No messages refused due to their origin IP address.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Apart from the welcome reduction in these numbers, this week is pretty much the same as last week. The bad bounces did see the return of one of the 38-character hex digit login names as a destination, which makes me obscurely happy, much like Ursula Vernon spotting a botfly-infected squirrel.