Weekly spam summary on September 16th, 2006
The SMTP frontend keeled over and was restarted around 6am on Tuesday morning, so some of the statistics are from then. Given that, this week we:
- got 15,257 messages from 210 different IP addresses.
- handled 17,165 sessions from 837 different IP addresses.
- received 101,830 connections from at least 26,869 different IP addresses since Tuesday at 6am.
- hit a highwater of 7 connections being checked at once since Tuesday at 6am.
It looks like the total connection count for this week is about 140,000 or so, which would make the total volume slightly down from last week. The per day stats don't make for a useful table, but look about flat.
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
18.104.22.168          45463   2364K
22.214.171.124         10886    653K
126.96.36.199           6575    395K
188.8.131.52            5616    337K
184.108.40.206          5221    261K
220.127.116.11/11       4451    217K
18.104.22.168/10        3223    163K
22.214.171.124/24       2664    120K
126.96.36.199           2385    124K
188.8.131.52            2262    109K
Apart from the one major outlier, the volume here is pretty similar to last week.
- 184.108.40.206, mailhost.terra.es, HELO'ing as the nonexistent and nonsensical hostname 'ctsmtpout1.frontal.correo', reappears from last week in a huge way. It has now earned a place in our permanent blocks.
- 220.127.116.11 and 18.104.22.168 also got blocked for repeated bad
- 22.214.171.124 was blocked because it kept trying to send us stuff that had hit our spamtraps, in particular email with a MAIL FROM pointing to the domain 'opinionplus.ca'.
- 126.96.36.199 was blocked for being in the CBL, but an inspection of its hostname shows that it's a dynamic telecomitalia.it address (and is listed in dialups.visi.com, a DNSbl I may need to consider using).
- 188.8.131.52 and 184.108.40.206 were also blocked for hitting spamtraps and keeping on sending. The presence of 220.127.116.11 is especially impressive because it only started hitting us yesterday (Friday).
Connection time rejection stats:
27768 total
13469 dynamic IP
11422 bad or no reverse DNS
 1403 class bl-cbl
  395 class bl-dsbl
  221 class bl-sdul
  192 class bl-njabl
  146 class bl-sbl
  145 class bl-ordb
   34 class bl-spews
Five out of the top 30 most rejected IP addresses were rejected 100
times or more, with this week's champion being 18.104.22.168 (417
times, rejected for being a PacBell ADSL line). 19 of the top 30
are currently in the CBL, 8 are currently in
one, our friend 22.214.171.124 from Cutting Edge Media, is in
This ongoing persistence from Cutting Edge Media has now earned them a permanent personal block. (I'm tempted to make it a kernel level block, but I'm refraining for now.)
The Hotmail stats got worse from last week:
- 4 messages accepted, at least one of which was legitimate.
- 2 messages rejected because they came from non-Hotmail email addresses, both times from msn.com users.
- 40 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 1 message refused due to its origin IP address being in SBL27471.
I remain unimpressed with Hotmail, not that this is exactly news.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
My biggest reaction is that this is a pleasant decline from last week, although I'm not going to hold my breath for the trend to continue. Bounces to 38-character hex string login names have gone back into hiding, to my vague regret; one treasures even one's head-scratching peculiar spam mysteries.