Weekly spam summary on November 18th, 2006
This week, we:
- got 15,266 messages from 269 different IP addresses.
- handled 22,009 sessions from 1,693 different IP addresses.
- received 897,934 connections from at least 48,417 different IP addresses.
- hit a highwater of 10 connections being checked at once.
Just like last time, that is not a typo (and nothing on the system was affected enough to make me notice it before now, when my scripts started spitting out information for this). Apart from the huge connection volume, things are pretty much the same as last week; ironically, the highwater is lower.
Day | Connections | different IPs |
Sunday | 27,857 | +7,529 |
Monday | 25,752 | +6,652 |
Tuesday | 32,064 | +7,395 |
Wednesday | 32,050 | +7,526 |
Thursday | 173,814 | +7,585 |
Friday | 312,437 | +6,042 |
Saturday | 293,960 | +5,688 |
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 64.166.14.222 12859 617K 213.4.149.66 7756 403K 212.216.176.0/24 6340 312K 213.4.149.12 6325 329K 61.128.0.0/10 5730 314K 216.102.133.220 5532 259K 64.216.74.90 4732 227K 67.153.140.35 4396 224K 203.113.158.222 4261 205K 210.50.231.134 3947 181K
Overall things are quieter than last week.
- 64.166.14.222 and 213.4.149.12 return from last week.
- 213.4.149.66 and 210.50.231.134 got blocked for repeated bad
HELO
s. - 216.102.133.220 is listed in
dul.dnsbl.sorbs.net
, although its hostname and WHOIS information doesn't look like a dynamic IP address. My best theory is that SORBS just listed the large SBC Internet block that it's in. - 64.216.74.90 was blocked for repeatedly trying to send us phish spam.
- 67.153.140.35 is an algx.net dynamic IP address.
- 203.113.158.222 is a Vietnamese IP address with no reverse DNS.
Connection time rejection stats:
46168 total 26202 dynamic IP 15926 bad or no reverse DNS 2374 class bl-cbl 317 class bl-sdul 285 class bl-dsbl 206 class bl-njabl 89 class bl-spews 76 cuttingedgemedia.com 40 class bl-sbl 38 class bl-ordb
Good old Cutting Edge Media; apparently they never give up. But then, this is completely typical of spammers. That these numbers are not hugely larger than last week suggests that most of the connections were greylisted away.
Three of the top 30 most rejected IP addresses were rejected 100
times or more; the leader was an internal UofT machine, followed by
80.24.154.168 (135 times) and 64.166.14.222 (134 times). 16 of the top
30 are currently in the CBL and 4 are currently in bl.spamcop.net
.
This week's Hotmail numbers:
- 3 messages accepted, at least one of which was spam (I know because I got it).
- 1 message rejected because it came from a non-Hotmail email address (in this case, a msn.com username).
- 41 messages sent to our spamtraps.
- 5 messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address.
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELO s |
2008 | 175 | 1780 | 151 |
Bad bounces | 470 | 374 | 482 | 416 |
This week's winning bounce target is tosi
, with 11 hits, then a couple
of old usernames. Plausible usernames (as opposed to the usual random
jumbles) seem to be the popular thing this week.
(Next week's bad bounces numbers are probably going to jump some, because I changed how we track them a bit. Up until now, we've only been logging the first bad bounce in a given SMTP session, for reasons that don't fit in this margin; we're now logging all of them.)
|
|