Weekly spam summary on December 16th, 2006
This week, we:
- got 16,689 messages from 271 different IP addresses.
- handled 21,893 sessions from 1,229 different IP addresses.
- received 207,766 connections from at least 62,254 different IP addresses.
- hit a highwater of 8 connections being checked at once.
This is about the same volume as last week, although the number of different IP addresses connecting to us is unusually large.
Kernel level packet filtering top ten:
    Host/Mask             Packets   Bytes
    18.104.22.168/27        29607   1776K
    22.214.171.124/24       16473    988K
    126.96.36.199            8042    418K
    188.8.131.52             6112    311K
    184.108.40.206           5894    283K
    220.127.116.11           4744    285K
    18.104.22.168            4657    279K
    22.214.171.124           3907    234K
    126.96.36.199            2696    129K
    188.8.131.52             2566    123K
- 184.108.40.206/27 is totallyfreeld.net, aka SBL48200, still not terminated by their upstream and still active, returning from two weeks ago.
- 220.127.116.11/24 is the centrum.cz mail servers, returning from last week and still justifying their permanent block.
- 18.104.22.168 and 22.214.171.124 return from last week.
- 126.96.36.199 is a bigpond.net.au cablemodem, and returns from October.
- 188.8.131.52 and 184.108.40.206 tried to send a lot of bad
- 220.127.116.11 and 18.104.22.168 tried to keep sending us stuff from origin addresses that had already tripped our spamtraps.
- 22.214.171.124 is in the CBL.
Overall, this week is quieter than last week.
Connection time rejection stats:
    48974 total
    30101 dynamic IP
    13820 bad or no reverse DNS
     3483 class bl-cbl
      271 class bl-sdul
      195 class bl-dsbl
      147 class bl-njabl
       82 class bl-spews
       74 cuttingedgemedia.com
       30 class bl-sbl
       23 class bl-ordb
There was only one IP address out of the top 30 most rejected IP addresses that was rejected 100 times or more, but that was our old friend 126.96.36.199 (631 times). Twelve of the top 30 are currently in the CBL, eight are currently in bl.spamcop.net, and one is in the SBL: 188.8.131.52, apparently an ADSL line in Dakar, is in SBL21134 and SBL43951. You win no prizes for guessing that both listings are for being an advance fee fraud spam source.
(Ironically it accounted for none of the SBL hits this week, because it was blocked for having no reverse DNS, and that's checked before the SBL. The lead SBL hit source is 184.108.40.206 at 13 times, in SBL45324 as part of a ROKSO listing for 'Brian Kramer' aka 'Expedite Media Group'.)
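The masking effect described above (an SBL-listed address that is rejected for having no reverse DNS, so the SBL gets no credit) can be measured by counting every check a connection fails, not just the first. This is an added Python example, not code from the mail system behind these numbers; the check order beyond "reverse DNS before SBL", the function names and the sample connections are all assumptions constructed for illustration.

```python
from collections import Counter

# Assumed check order. The page only states that the reverse DNS check
# runs before the SBL check; the rest of the ordering is hypothetical.
CHECK_ORDER = ["dynamic IP", "bad or no reverse DNS", "bl-cbl", "bl-sbl"]

# Constructed sample data: (source IP, set of every check it would fail).
# Addresses come from the RFC 5737 documentation ranges.
CONNECTIONS = [
    ("192.0.2.10", {"bad or no reverse DNS", "bl-sbl"}),
    ("192.0.2.10", {"bad or no reverse DNS", "bl-sbl"}),
    ("198.51.100.7", {"bl-sbl"}),
    ("203.0.113.44", {"dynamic IP", "bl-cbl"}),
    ("203.0.113.45", {"bl-cbl"}),
    ("203.0.113.99", set()),  # fails nothing, so it is accepted
]

def first_match(failed):
    """Return the check that gets credited with the rejection, if any."""
    for check in CHECK_ORDER:
        if check in failed:
            return check
    return None

def tally(connections):
    """Count rejections as credited (first match) and as would-have-matched."""
    credited, would_match = Counter(), Counter()
    for _ip, failed in connections:
        reason = first_match(failed)
        if reason is not None:
            credited[reason] += 1
        would_match.update(failed)
    return credited, would_match

def masked(connections):
    """Per check: hits hidden because an earlier check rejected first."""
    credited, would_match = tally(connections)
    return {c: would_match[c] - credited[c]
            for c in CHECK_ORDER if would_match[c] > credited[c]}

if __name__ == "__main__":
    credited, would_match = tally(CONNECTIONS)
    for check in CHECK_ORDER:
        print(f"{check:24} credited={credited[check]} "
              f"would_match={would_match[check]}")
    print("masked:", masked(CONNECTIONS))
```

Comparing the two counters shows how much a blocklist late in the order is undercounted, which matters when deciding whether a list is still worth querying.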
This week, Hotmail had:
- 3 messages accepted; I suspect that at least two of them were spam.
- no messages rejected because they came from non-Hotmail email addresses.
- 25 messages sent to our spamtraps.
- 4 messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address being in the CBL.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
This week there are no bad bounces to 'first_lastname' login names. They've been entirely supplanted by a random parade of alphabetical jumbles, the most popular of which was 'sxdijkhocqn' (5 times), leavened with a few things that are somewhat more plausible usernames, and a couple of old login names that no longer exist.