Weekly spam summary on March 10th, 2007
This week, we:
- got 14,862 messages from 263 different IP addresses.
- handled 21,019 sessions from 1,246 different IP addresses.
- received 197,155 connections from at least 66,752 different IP addresses.
- hit a highwater of 11 connections being checked at once.
Volume is definitely down from last week, although the session volume is up slightly. The per day numbers have some significant fluctuations:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 126.96.36.199 39471 2165K 188.8.131.52/24 24821 1488K 184.108.40.206/24 14936 677K 220.127.116.11 11163 581K 18.104.22.168 5392 259K 22.214.171.124 5374 273K 126.96.36.199 3248 156K 188.8.131.52 3207 154K 184.108.40.206/24 3121 187K 220.127.116.11 2898 155K
This is up from last week, although it's unevenly distributed; the low end is about the same, but the high end is much more active.
- 18.104.22.168 and 22.214.171.124 return from last week.
- 126.96.36.199 kept trying with a bad
- 188.8.131.52 is a charter.com something or other.
- 184.108.40.206 has inconsistent reverse DNS.
- 220.127.116.11 is a place we no longer talk to because it sent us phish spam.
- 18.104.22.168 kept trying with an origin address that had already tripped our spamtraps.
22.214.171.124/24 deserves special mention: various hosts in there slammed us as part of an aggressive spam run, and then once they had tripped our spamtraps they demonstrated that they were partially ignoring SMTP responses. This is a quick recipee for getting your own set of kernel packet filtering rules; if they come back this week, I'll probably make the block permanent.
Connection time rejection stats:
62956 total 37668 dynamic IP 17559 bad or no reverse DNS 5173 class bl-cbl 1049 class bl-sbl 353 acceleratebiz.com 198 class bl-dsbl 132 class bl-pbl 121 cuttingedgemedia.com 112 class bl-sdul 78 class bl-njabl 27 verticalresponse.com
Overall volume is slightly down from last week. The SBL breakdown is as uninteresting as last week; 962 hits from SBL50892 (colocentral.com, who apparently feel spammer hosting is fine with them), then the next highest is 18 hits from SBL43107 (listed February 16th as 'Gestour Portal spam source').
Four of the top 30 most rejected IP addresses were rejected 100 times
or more: 126.96.36.199 (2,190 times, a wanadoo.fr dynamic IP address),
188.8.131.52 (114 times, no reverse DNS), 184.108.40.206 (106 times, a
charter.com cablemodem or something), and 220.127.116.11 (106 times, a
verizon.net DSL something or other). Fourteen of the top 30 are currently
in the CBL, 11 are currently listed by
bl.spamcop.net, 11 are in the
Spamhaus PBL, and a grand total of 17 are in zen.spamhaus.org.
This week Hotmail managed:
- 3 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 26 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 1 message refused due to its origin IP address being in the CBL.
This is a lot better than their numbers last week.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Now that's the sort of numbers on bad bounces that I like to see.
There were no really big sources of bad
HELOs this week; the highest
were 18.104.22.168 (113 times), 22.214.171.124 (82 times), 126.96.36.199
(76 times), and 188.8.131.52 (75 times).
Bad bounces came from four different places to four different usernames; three of the bad usernames are ex-users, and one is a reasonably plausible username.