Weekly spam summary on November 11th, 2006
This week, we:
- got 15,129 messages from 287 different IP addresses.
- handled 21,714 sessions from 1,659 different IP addresses.
- received 193,764 connections from at least 45,843 different IP addresses.
- hit a highwater of 35 connections being checked at once.
This shows a Thursday peak as well, ramping up on Wednesday and sliding down on Friday.
Kernel level packet filtering top ten:
Host/Mask           Packets  Bytes
126.96.36.199         14789   692K
188.8.131.52          11047   663K
184.108.40.206         8565   436K
220.127.116.11         6958   334K
18.104.22.168          5086   305K
22.214.171.124/24      4894   241K
126.96.36.199          4866   234K
188.8.131.52           4186   201K
184.108.40.206         3525   165K
220.127.116.11         3364   175K
It's a miracle: 18.104.22.168 has dropped from consistent first place all the way down to barely ranking this week. Overall it's a bit worse than last week; the high end is worse and the low end is not much better.
- 22.214.171.124 returns from two weeks ago, and is still a Covad something-or-other.
- 126.96.36.199, 188.8.131.52, and 184.108.40.206 all return from last week.
- 220.127.116.11 is an iinet.net.au customer machine in the CBL.
- 18.104.22.168 is a Pacbell DSL line, returning from September.
- 22.214.171.124 and 126.96.36.199 kept dumping bad HELOs on us.
- 188.8.131.52 is a Korean IP address with no reverse DNS.
Just over half of this week's top ten are returning IPs that we've seen before. I tend to find this depressing.
Connection time rejection stats:
43509 total
23493 dynamic IP
16892 bad or no reverse DNS
 1744 class bl-cbl
  221 class bl-sdul
  194 class bl-njabl
  189 class bl-dsbl
   59 class bl-spews
   46 class bl-sbl
   40 class bl-ordb
   35 cuttingedgemedia.com
Two of the top 30 most rejected IP addresses were rejected 100 times or more: 184.108.40.206 (567 times), and an internal UofT client machine that has apparently been misconfigured to try to use us as its server.
Fifteen of the top 30 are currently in the CBL and five are currently in
This week's gifts from Hotmail:
- 2 messages accepted.
- 3 messages rejected because they came from non-Hotmail email addresses.
- 38 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 1 message refused due to its origin IP address being in SBL38620 (listed March 4th 2006, and it's apparently an Internet cafe in Nigeria with a satellite Internet connection).
And the final numbers:
what | # this week (distinct IPs) | # last week (distinct IPs)
I don't like the upward trend compared to last week, but there's nothing I can do about it.
This week's bad bounce targets are all over the map. Almost nothing got hit more than once ('olsak' is the leader, at 4 times, followed by 'noreply' and a couple of old usernames here at 3 times), and the popularity of Slavic women's first_lastname usernames continues its slide. Apart from that there are words like usernames, vaguely plausible usernames like 'semerad', a certain amount of capitalized names like 'XXoX', a lot of random jumbles like 'zywcfnhiqtji', and the return of a few Linux ALSA function names.
(I have no idea why 'snd_pcm_hw_params_get_buffer_size' is so absurdly popular with spammers as the origin of their forged spam, but it is and has been for years.)