Weekly spam summary on January 13th, 2007

January 13, 2007

This week, we:

  • got 14,362 messages from 263 different IP addresses.
  • handled 18,805 sessions from 1,257 different IP addresses.
  • received 232,353 connections from at least 81,631 different IP addresses.
  • hit a highwater of 26 connections being checked at once.

Weekly email volume has returned to normal, which is not surprising (the university is back in full session). Total volume is up a bit from last week, especially the number of different IP addresses talking to us.

Day Connections different IPs
Sunday 32,355 +13,346
Monday 35,036 +12,551
Tuesday 31,295 +11,603
Wednesday 36,412 +11,841
Thursday 36,387 +12,355
Friday 32,702 +10,873
Saturday 28,166 +9,062

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          18869    981K
213.29.7.0/24         18426   1105K
193.70.192.0/24       13778    621K
69.15.68.98            6860    321K
60.231.152.85          5001    254K
64.166.14.222          4062    195K
193.252.22.158         3999    240K
86.18.9.59             3811    183K
66.15.22.201           3184    153K
84.160.0.0/11          2339    116K
  • 213.4.149.12, 69.15.68.98, and 193.252.22.158 return from last week's list.
  • 60.231.152.85 is a bigpond.net.au cablemodem and last appeared in December.
  • 64.166.14.222 didn't make the kernel filtering top ten last week but got mentioned for other reasons and has made the weekly summaries before in general.
  • 86.18.9.59 is an ntl.com broadband customer, which we consider a dynamic/dialup IP address.
  • 66.15.22.201 is in the SORBS DUL.

Overall volume is once again up a bit from last week.

Connection time rejection stats:

  59047 total
  37554 dynamic IP
  14709 bad or no reverse DNS
   4911 class bl-cbl
    371 class bl-sdul
    270 class bl-dsbl
    152 'fairgamemail.us'
    134 class bl-njabl
     97 cuttingedgemedia.com
     59 class bl-spews
     31 class bl-sbl

This is likely the last week SPEWS will appear in these reports. Sparked by reports in news.admin.net-abuse.email that the SPEWS database hasn't been updated for the past few months, and the generally low hit rate recently, I am pulling them from our configuration to avoid potential future explosions.

Only one IP address out of the top 30 most rejected IP addresses was rejected 100 times or more; 64.166.14.222 (698 times), which also made the top 10 kernel rejected IPs. 15 out of the top 30 are currently in the CBL and 6 are currently in bl.spamcop.net.

This week Hotmail brought us:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 30 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (four from the Cote d'Ivoire, one in SBL22599).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 566 98 332 130
Bad bounces 151 126 16 11

Oh well, so much for the peace of last week. There is no single big contributor to either, although the major source of bad bounces seems to be German sites. The largest target of bad bounces was to 'noreply', but after that almost everything was to alphabetic jumble usernames, with only a few plausible ex-users mixed in.

Written on 13 January 2007.
« The easy way to get me to not comment on a weblog
An alarming reflex in my use of find »

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Mastodon: @cks
Twitter @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web
Also: (Sub)topics

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.
Last modified: Sat Jan 13 23:48:24 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.