Weekly spam summary on January 13th, 2007
This week, we:
- got 14,362 messages from 263 different IP addresses.
- handled 18,805 sessions from 1,257 different IP addresses.
- received 232,353 connections from at least 81,631 different IP addresses.
- hit a highwater of 26 connections being checked at once.
Weekly email volume has returned to normal, which is not surprising (the university is back in full session). Total volume is up a bit from last week, especially the number of different IP addresses talking to us.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 18.104.22.168 18869 981K 22.214.171.124/24 18426 1105K 126.96.36.199/24 13778 621K 188.8.131.52 6860 321K 184.108.40.206 5001 254K 220.127.116.11 4062 195K 18.104.22.168 3999 240K 22.214.171.124 3811 183K 126.96.36.199 3184 153K 188.8.131.52/11 2339 116K
- 184.108.40.206, 220.127.116.11, and 18.104.22.168 return from last week's list.
- 22.214.171.124 is a bigpond.net.au cablemodem and last appeared in December.
- 126.96.36.199 didn't make the kernel filtering top ten last week but got mentioned for other reasons and has made the weekly summaries before in general.
- 188.8.131.52 is an ntl.com broadband customer, which we consider a dynamic/dialup IP address.
- 184.108.40.206 is in the SORBS DUL.
Overall volume is once again up a bit from last week.
Connection time rejection stats:
59047 total 37554 dynamic IP 14709 bad or no reverse DNS 4911 class bl-cbl 371 class bl-sdul 270 class bl-dsbl 152 'fairgamemail.us' 134 class bl-njabl 97 cuttingedgemedia.com 59 class bl-spews 31 class bl-sbl
This is likely the last week SPEWS will appear in these reports. Sparked by reports in news.admin.net-abuse.email that the SPEWS database hasn't been updated for the past few months, and the generally low hit rate recently, I am pulling them from our configuration to avoid potential future explosions.
Only one IP address out of the top 30 most rejected IP addresses was
rejected 100 times or more; 220.127.116.11 (698 times), which also made
the top 10 kernel rejected IPs. 15 out of the top 30 are currently in
the CBL and 6 are currently in
This week Hotmail brought us:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 30 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (four from the Cote d'Ivoire, one in SBL22599).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Oh well, so much for the peace of last week. There is no single big contributor to either, although the major source of bad bounces seems to be German sites. The largest target of bad bounces was to 'noreply', but after that almost everything was to alphabetic jumble usernames, with only a few plausible ex-users mixed in.