Weekly spam summary on December 23rd, 2006
The SMTP frontend died and was restarted at 2:24 am Wednesday morning, so some stats are only from then. That said, this week we:
- got 14,896 messages from 260 different IP addresses.
- handled 22,673 sessions from 1,353 different IP addresses.
- received 147,470 connections from at least 47,766 different IP addresses since Wednesday at 2:24 am.
- hit a highwater of 10 connections being checked at once since Wednesday at 2:24 am.
It looks like we'd received about 65,000 connections as of Tuesday morning, which would make the total volume roughly the same as last week. The per-day information is kind of broken, but since Wednesday morning we seem to have had higher traffic than usual, running between 35,000 and 40,000 connections a day.
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
22.214.171.124         13437    605K
126.96.36.199          12301    640K
188.8.131.52/24         8888    533K
184.108.40.206          4936    296K
220.127.116.11          4783    287K
18.104.22.168           3515    164K
22.214.171.124          3478    191K
126.96.36.199           3241    165K
188.8.131.52            3045    183K
184.108.40.206          2939    149K
This is a change from last week, with totallyfreeld.net dropping out completely and a welcome drop in overall volume.
- 220.127.116.11 and 18.104.22.168 had too many bad
- 22.214.171.124, 126.96.36.199, and 188.8.131.52 return from last week.
- 184.108.40.206 is in the NJABL.
- 220.127.116.11 is a fr.clara.net machine that kept on trying to send us stuff that had already tripped spamtraps.
- 18.104.22.168 and 22.214.171.124 are dynamic IP 'dialup' machines.
Connection time rejection stats:
52591 total
31494 dynamic IP
16375 bad or no reverse DNS
 3541 class bl-cbl
  312 class bl-sdul
  222 class bl-dsbl
   77 class bl-njabl
   44 class bl-sbl
   24 class bl-spews
   15 cuttingedgemedia.com
    8 class bl-ordb
This is, alas, the last week that the ORDB will appear in the stats, as the ORDB shut down December 18th (as reported on Slashdot, among other places; I am not linking to their website, because they're going to turn that off soon).
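For anyone who wants to see what produces a breakdown like the one above, here is an added illustration of connection-time rejection: a classifier that checks reverse DNS, dynamic-looking hostnames and a short list of DNSBL classes, then tallies the reasons in the same 'N total / N reason' form. This is example code written for this page, not the frontend that generates these stats. The order of the checks, the dynamic-name heuristic, the zone names for each class and the sample addresses (RFC 5737 documentation ranges with made-up names) are all assumptions; the canned resolver exists so it runs offline. ORDB is deliberately not in the list: a DNSBL that has shut down has to come out of the configuration, since a zone that stops being maintained can start answering for every query rather than none.

```python
import re
import socket
from collections import Counter

# DNSBL classes consulted in this order.  The class labels match the stats
# above; the zone names are assumptions for illustration and the list is
# kept short on purpose.  ORDB is left out because the list has shut down.
DNSBL_CLASSES = [
    ("bl-cbl", "cbl.abuseat.org"),
    ("bl-sbl", "sbl.spamhaus.org"),
    ("bl-njabl", "dnsbl.njabl.org"),
]

# Hostname labels that mark generic dynamic/dialup address pools (assumed
# heuristic; a real deployment carries a much longer, ISP-specific list).
DYNAMIC_RE = re.compile(
    r"(^|[.-])(dial(up)?|dyn(amic)?|ppp|dhcp|pool|a?dsl|cable)(\d|[.-])",
    re.IGNORECASE,
)


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: the address's octets reversed, under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def classify(ip, resolver):
    """Return the connection-time rejection reason for ip, or None to accept.

    Checks run in this (assumed) order: reverse DNS, then dynamic-looking
    names, then DNSBL classes.  The first check that fires wins.
    """
    name = resolver.reverse(ip)
    # A missing PTR, or a PTR whose forward lookup does not lead back to the
    # connecting address, both count as "bad or no reverse DNS".
    if name is None or ip not in resolver.query_a(name):
        return "bad or no reverse DNS"
    if DYNAMIC_RE.search(name):
        return "dynamic IP"
    for label, zone in DNSBL_CLASSES:
        if resolver.query_a(dnsbl_name(ip, zone)):
            return "class " + label
    return None


def tally(ips, resolver):
    """Count rejections by reason over a sequence of connecting IPs."""
    counts = Counter()
    for ip in ips:
        reason = classify(ip, resolver)
        if reason is not None:
            counts[reason] += 1
    return counts


def report(counts):
    """Render counts in the 'N total / N reason ...' form used in the stats."""
    lines = ["%d total" % sum(counts.values())]
    lines += ["%d %s" % (n, reason) for reason, n in counts.most_common()]
    return "\n".join(lines)


class FakeResolver:
    """Canned DNS answers so the example runs offline (constructed data)."""

    def __init__(self, ptr, a):
        self.ptr = ptr  # ip -> PTR name
        self.a = a      # query name -> list of A record addresses

    def reverse(self, ip):
        return self.ptr.get(ip)

    def query_a(self, name):
        return self.a.get(name, [])


class LiveResolver:
    """Same interface over the system resolver, for running against real DNS."""

    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def query_a(self, name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except (socket.herror, socket.gaierror):
            return []


# Constructed sample: documentation addresses with made-up names.
SAMPLE_RESOLVER = FakeResolver(
    ptr={
        "192.0.2.10": "dsl-192-0-2-10.example-isp.net",  # dynamic pool name
        "192.0.2.12": "mail.example.org",                # PTR points elsewhere
        "198.51.100.7": "mx1.example.com",               # listed in the CBL
        "198.51.100.8": "relay.example.net",             # listed in the SBL
        "203.0.113.9": "smtp.example.co",                # clean
    },
    a={
        "dsl-192-0-2-10.example-isp.net": ["192.0.2.10"],
        "mail.example.org": ["203.0.113.5"],
        "mx1.example.com": ["198.51.100.7"],
        "relay.example.net": ["198.51.100.8"],
        "smtp.example.co": ["203.0.113.9"],
        dnsbl_name("198.51.100.7", "cbl.abuseat.org"): ["127.0.0.2"],
        dnsbl_name("198.51.100.8", "sbl.spamhaus.org"): ["127.0.0.2"],
    },
)

# 192.0.2.11 has no PTR at all; two addresses connect twice to show counting.
SAMPLE_CONNECTIONS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.7",
    "198.51.100.8", "203.0.113.9", "192.0.2.10", "192.0.2.11",
]

if __name__ == "__main__":
    print(report(tally(SAMPLE_CONNECTIONS, SAMPLE_RESOLVER)))
```

Swap `SAMPLE_RESOLVER` for `LiveResolver()` to run it against real DNS; note that the forward/reverse consistency check is what turns a merely odd PTR into a rejection, and that the order of the DNSBL list decides which class an address listed in several of them gets credited to.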
Only one out of the top 30 most rejected IP addresses was rejected 100 times or more this week: 126.96.36.199 (102 times, in the CBL).
16 of the top 30 are currently in the CBL and 7 are currently in
Almost half of the SBL rejections this week came from one IP, 188.8.131.52 aka SBL49074, apparently a hijacked spam sending machine. The next two, rejected five times each, are 184.108.40.206 (SBL49046) and 220.127.116.11 (SBL49248). In a sign that the universe is returning to the proper order of things, both are listed for being advance fee fraud spam sources.
This week, Hotmail had:
- 1 message accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 28 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (2 for being in the CBL, one for being in SBL20211 and SBL46450).
And the final numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
By far the champion source of bad HELOs is 18.104.22.168 (335 rejections), followed by 22.214.171.124 (98 rejections). The leading general area for bad bounces seems to have switched to Italian ISPs this week. The random alphabetical names are the leading bad bounce targets, but no one of them particularly stands out.