Weekly spam summary on November 18th, 2006
This week, we:
- got 15,266 messages from 269 different IP addresses.
- handled 22,009 sessions from 1,693 different IP addresses.
- received 897,934 connections from at least 48,417 different IP addresses.
- hit a highwater of 10 connections being checked at once.
Just like last time, that is not a typo (and nothing on the system was affected enough to make me notice it before now, when my scripts started spitting out information for this). Apart from the huge connection volume, things are pretty much the same as last week; ironically, the highwater is lower.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 22.214.171.124 12859 617K 126.96.36.199 7756 403K 188.8.131.52/24 6340 312K 184.108.40.206 6325 329K 220.127.116.11/10 5730 314K 18.104.22.168 5532 259K 22.214.171.124 4732 227K 126.96.36.199 4396 224K 188.8.131.52 4261 205K 184.108.40.206 3947 181K
Overall things are quieter than last week.
- 220.127.116.11 and 18.104.22.168 return from last week.
- 22.214.171.124 and 126.96.36.199 got blocked for repeated bad
- 188.8.131.52 is listed in
dul.dnsbl.sorbs.net, although its hostname and WHOIS information doesn't look like a dynamic IP address. My best theory is that SORBS just listed the large SBC Internet block that it's in.
- 184.108.40.206 was blocked for repeatedly trying to send us phish spam.
- 220.127.116.11 is an algx.net dynamic IP address.
- 18.104.22.168 is a Vietnamese IP address with no reverse DNS.
Connection time rejection stats:
46168 total 26202 dynamic IP 15926 bad or no reverse DNS 2374 class bl-cbl 317 class bl-sdul 285 class bl-dsbl 206 class bl-njabl 89 class bl-spews 76 cuttingedgemedia.com 40 class bl-sbl 38 class bl-ordb
Good old Cutting Edge Media; apparently they never give up. But then, this is completely typical of spammers. That these numbers are not hugely larger than last week suggests that most of the connections were greylisted away.
Three of the top 30 most rejected IP addresses were rejected 100
times or more; the leader was an internal UofT machine, followed by
22.214.171.124 (135 times) and 126.96.36.199 (134 times). 16 of the top
30 are currently in the CBL and 4 are currently in
This week's Hotmail numbers:
- 3 messages accepted, at least one of which was spam (I know because I got it).
- 1 message rejected because it came from a non-Hotmail email address (in this case, a msn.com username).
- 41 messages sent to our spamtraps.
- 5 messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
This week's winning bounce target is
tosi, with 11 hits, then a couple
of old usernames. Plausible usernames (as opposed to the usual random
jumbles) seem to be the popular thing this week.
(Next week's bad bounces numbers are probably going to jump some, because I changed how we track them a bit. Up until now, we've only been logging the first bad bounce in a given SMTP session, for reasons that don't fit in this margin; we're now logging all of them.)