Weekly spam summary on September 30th, 2006
This week, we:
- got 15,751 messages from 307 different IP addresses.
- handled 19,911 sessions from 1,047 different IP addresses.
- received 154,477 connections from at least 38,870 different IP addresses.
- hit a highwater of 9 connections being checked at once.
This is all about the same level as last week, or at most down a little bit. Oddly, we show a bit of a volume jump towards the end of the week:
Day | Connections | different IPs |
Sunday | 18,432 | +4,543 |
Monday | 23,737 | +5,895 |
Tuesday | 21,888 | +5,077 |
Wednesday | 21,793 | +5,414 |
Thursday | 24,042 | +6,914 |
Friday | 25,216 | +6,556 |
Saturday | 19,369 | +4,471 |
Kernel level packet filtering top ten:
Host/Mask | Packets | Bytes |
213.4.149.12 | 56881 | 2958K |
212.130.19.148 | 6818 | 347K |
193.252.22.158 | 4744 | 285K |
195.130.132.54 | 3380 | 203K |
213.129.201.64 | 3189 | 153K |
86.7.241.201 | 3188 | 153K |
80.51.32.242 | 3132 | 188K |
194.165.146.156 | 2988 | 143K |
218.0.0.0/11 | 2897 | 141K |
213.180.130.35 | 2742 | 165K |
Apart from first place, this is about the same sort of volume as last week.
- 213.4.149.12 continues its stranglehold on first place from last week.
- 212.130.19.148, 193.252.22.158, and 80.51.32.242 also return from last week.
- 195.130.132.54 did the now-usual thing of trying to keep sending us stuff that had already hit our spamtraps.
- 213.129.201.64 reappears from August, still with a bad HELO greeting.
- 86.7.241.201 is an NTL cablemodem.
- 194.165.146.156 is a 'Wanadoo Jordan' IP address with no reverse DNS (and also is in relays.ordb.org).
- 213.180.130.35 is a poczta.onet.pl machine, and we don't talk to them.
Connection time rejection stats:
    34465 total
    17779 dynamic IP
    13422 bad or no reverse DNS
     1868 class bl-cbl
      403 class bl-dsbl
      215 class bl-sdul
      153 class bl-njabl
      130 class bl-spews
       45 class bl-ordb
       23 cuttingedgemedia.com
       16 class bl-sbl
Twelve out of the top 30 most rejected IP addresses were rejected 100
times or more, with the champion being 72.66.49.214 (196 times, for
being a Verizon dynamic IP). 18 of the top 30 are currently in the CBL,
and 9 are currently in bl.spamcop.net; this week, none are in the SBL.
This week's Hotmail stats are reasonably good:
- 9 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 28 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address.
Seven of the accepted messages were legitimate, but the remaining two were advance fee fraud spam (sent from 219.95.240.138, a Malaysian IP address that's probably a tm.net.my ADSL line).
(The high number of actual messages is due to the usual cause: a student-facing system had a glitch and students promptly mailed in to tell people about it.)
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 718 | 66 | 495 | 60 |
Bad bounces | 127 | 88 | 60 | 52 |
I'm not really happy to see these numbers climbing, but at least they're not really bad; it's still at the drip drip level, instead of a flood. There are no particularly big spike sources of either, although the largest single source of bounces appears to have been a spammer trying a new trick to get their messages through.
The bounces were all over, including bounces to E7D6 and 3E4B like last week, but the majority were to made-up usernames of the form <first>_<last>, where the first and last names looked like randomly chosen female-sounding Russian names; a representative example is 'violetta_mironova'.