Weekly spam summary on November 11th, 2006
This week, we:
- got 15,129 messages from 287 different IP addresses.
- handled 21,714 sessions from 1,659 different IP addresses.
- received 193,764 connections from at least 45,843 different IP addresses.
- hit a highwater of 35 connections being checked at once.
This shows a Thursday peak as well, ramping up on Wednesday and sliding down on Friday.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 22.214.171.124 14789 692K 126.96.36.199 11047 663K 188.8.131.52 8565 436K 184.108.40.206 6958 334K 220.127.116.11 5086 305K 18.104.22.168/24 4894 241K 22.214.171.124 4866 234K 126.96.36.199 4186 201K 188.8.131.52 3525 165K 184.108.40.206 3364 175K
It's a miracle: 220.127.116.11 has dropped from consistent first place all the way down to barely ranking this week. Overall it's a bit worse than last week; the high end is worse and the low end is not much better.
- 18.104.22.168 returns from two weeks ago, and is still a Covad something-or-other.
- 22.214.171.124, 126.96.36.199, and 188.8.131.52 all return from last week.
- 184.108.40.206 is an iinet.net.au customer machine in the CBL.
- 220.127.116.11 is a Pacbell DSL line, returning from September.
- 18.104.22.168 and 22.214.171.124 kept dumping bad
HELOs on us.
- 126.96.36.199 is a Korean IP address with no reverse DNS.
Just over half of this week's top ten are returning IPs that we've seen before. I tend to find this depressing.
Connection time rejection stats:
43509 total 23493 dynamic IP 16892 bad or no reverse DNS 1744 class bl-cbl 221 class bl-sdul 194 class bl-njabl 189 class bl-dsbl 59 class bl-spews 46 class bl-sbl 40 class bl-ordb 35 cuttingedgemedia.com
Two of the top 30 most rejected IP addresses were rejected 100 times or
more; 188.8.131.52 (567 times), and an internal UofT client machine
that has apparently been misconfigured to try to use us as its server.
Fifteen of the top 30 are currently in the CBL and five are currently in
This week's gifts from Hotmail:
- 2 messages accepted.
- 3 messages rejected because they came from non-Hotmail email addresses.
- 38 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 1 messages refused due to its origin IP address being in SBL38620 (listed March 4th 2006, and it's apparently an Internet cafe in Nigeria with a satellite Internet connection).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
I don't like the upward trend compared to last week, but there's nothing I can do about it.
This week's bad bounce targets are all over the map. Almost nothing
got hit more than once ('olsak' is the leader, at 4 times, followed
by 'noreply' and a couple of old usernames here at 3 times), and the
popularity of Slavic women's first_lastname usernames continues its
slide. Apart from that there are words like
usernames, vaguely plausible usernames like
semerad, a certain amount
of capitalized names like
XXoX, a lot of random jumbles
zywcfnhiqtji, and the return of a few Linux ALSA function names.
(I have no idea why 'snd_pcm_hw_params_get_buffer_size' is so absurdly popular with spammers as the origin of their forged spam, but it is and has been for years.)