Weekly spam summary on March 10th, 2007
This week, we:
- got 14,862 messages from 263 different IP addresses.
- handled 21,019 sessions from 1,246 different IP addresses.
- received 197,155 connections from at least 66,752 different IP addresses.
- hit a highwater of 11 connections being checked at once.
Volume is definitely down from last week, although the session volume is up slightly. The per day numbers have some significant fluctuations:
Day | Connections | different IPs |
Sunday | 32,593 | +13,521 |
Monday | 37,161 | +12,938 |
Tuesday | 27,967 | +8,530 |
Wednesday | 21,632 | +7,902 |
Thursday | 29,415 | +9,045 |
Friday | 28,617 | +8,658 |
Saturday | 19,770 | +6,158 |
Kernel level packet filtering top ten:
Host/Mask           Packets   Bytes
206.223.168.238       39471   2165K
213.29.7.0/24         24821   1488K
205.152.59.0/24       14936    677K
213.4.149.12          11163    581K
66.16.116.241          5392    259K
71.8.237.114           5374    273K
81.215.229.141         3248    156K
64.83.75.188           3207    154K
64.208.191.0/24        3121    187K
193.202.89.232         2898    155K
This is up from last week, although it's unevenly distributed; the low end is about the same, but the high end is much more active.
- 206.223.168.238 and 213.4.149.12 return from last week.
- 66.16.116.241 kept trying with a bad HELO.
- 71.8.237.114 is a charter.com something or other.
- 81.215.229.141 has inconsistent reverse DNS.
- 64.83.75.188 is a place we no longer talk to because it sent us phish spam.
- 193.202.89.232 kept trying with an origin address that had already tripped our spamtraps.
64.208.191.0/24 deserves special mention: various hosts in there slammed us as part of an aggressive spam run, and then once they had tripped our spamtraps they demonstrated that they were partially ignoring SMTP responses. This is a quick recipe for getting your own set of kernel packet filtering rules; if they come back this week, I'll probably make the block permanent.
Connection time rejection stats:
62956 total
37668 dynamic IP
17559 bad or no reverse DNS
 5173 class bl-cbl
 1049 class bl-sbl
  353 acceleratebiz.com
  198 class bl-dsbl
  132 class bl-pbl
  121 cuttingedgemedia.com
  112 class bl-sdul
   78 class bl-njabl
   27 verticalresponse.com
Overall volume is slightly down from last week. The SBL breakdown is as uninteresting as last week; 962 hits from SBL50892 (colocentral.com, who apparently feel spammer hosting is fine with them), then the next highest is 18 hits from SBL43107 (listed February 16th as 'Gestour Portal spam source').
Four of the top 30 most rejected IP addresses were rejected 100 times
or more: 81.51.111.171 (2,190 times, a wanadoo.fr dynamic IP address),
200.88.30.51 (114 times, no reverse DNS), 24.158.104.204 (106 times, a
charter.com cablemodem or something), and 71.101.60.68 (106 times, a
verizon.net DSL something or other). Fourteen of the top 30 are currently
in the CBL, 11 are currently listed by bl.spamcop.net, 11 are in the
Spamhaus PBL, and a grand total of 17 are in zen.spamhaus.org.
This week Hotmail managed:
- 3 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 26 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 1 message refused due to its origin IP address being in the CBL.
This is a lot better than their numbers last week.
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 1041 | 96 | 953 | 95 |
Bad bounces | 4 | 4 | 17 | 16 |
Now that's the sort of numbers on bad bounces that I like to see.
There were no really big sources of bad HELOs this week; the highest
were 64.3.170.46 (113 times), 69.15.31.193 (82 times), 64.122.66.34
(76 times), and 64.171.104.2 (75 times).
Bad bounces came from four different places to four different usernames; three of the bad usernames are ex-users, and one is a reasonably plausible username.