Weekly spam summary on March 24th, 2007
This week, we:
- got 12,733 messages from 249 different IP addresses.
- handled 21,567 sessions from 1,259 different IP addresses.
- received 197,829 connections from at least 58,846 different IP addresses.
- hit a highwater of 8 connections being checked at once.
This is up from last week, although the messages received count remains down from the usual levels.
This has an interesting general decline in the number of new different IP addresses talking to us over the week (and the general Thursday dip also makes me wonder).
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 184.108.40.206 19714 1084K 220.127.116.11/24 15468 751K 18.104.22.168 13923 724K 22.214.171.124/24 11192 672K 126.96.36.199/24 10640 482K 188.8.131.52 4493 216K 184.108.40.206 3979 212K 220.127.116.11 3645 170K 18.104.22.168 2383 143K 22.214.171.124 2245 135K
This is down from last week, partly because at least some of the active webmail subnets seem to have quieted down a bit.
- 126.96.36.199 and 188.8.131.52 kept trying to send stuff with origin addresses that had tripped our spamtraps.
- 184.108.40.206 reappears from last week.
- 220.127.116.11 is in acceleratebiz.com IP address space, and we don't talk to that any more. Considering its current hostname is 'mail.thefreebiediscount.com', I can't imagine that we're missing much.
- 18.104.22.168 is a telecomitalia.it IP address and returns from earlier this month.
- 22.214.171.124 kept trying with a bad
- 126.96.36.199 is a Taiwanese IP address with no reverse DNS.
Connection time rejection stats:
62832 total 38554 dynamic IP 17429 bad or no reverse DNS 5222 class bl-cbl 262 acceleratebiz.com 185 class bl-sbl 160 class bl-pbl 154 class bl-sdul 127 dartmail.net 101 class bl-dsbl 94 cuttingedgemedia.com 72 class bl-njabl
(Note that I don't always put specific domain blocks in this list, even if they show up in the overall numbers.)
The highest SBL source this week is SBL52715 (a spam source and landing pages /27, listed only today) at 108 rejections. Next is SBL50181 (good old microcamp.com.br's compromised web server, listed since January 18th) at 37 rejections.
Nine of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leaders are 188.8.131.52 (455 rejections, bad reverse DNS), 184.108.40.206 (247 rejections, generic fastwebnet.it), 220.127.116.11 (221 rejections, bad reverse DNS), and 18.104.22.168 (217 rejections, verizon dynamic IP). It's striking that only two out of the nine are not in zen.spamhaus.org.
Fourteen of the top 30 are currently in the CBL, twelve are currently
bl.spamcop.net, fourteen are currently in the PBL, and a
grand total of 20 are in zen.spamhaus.org.
This week Hotmail had:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 32 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (two in the CBL, two from Nigeria, and one in SBL49971.)
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Now those are the sort of numbers on bad bounces that I like to see.
As usual, bad
HELOs have no sources that particularly stand out;
the highest is 22.214.171.124 (63 rejections).
Bad bounces were sent to two different bad usernames this week. Both went to plausible usernames that have never existed here (to the best of my memory), and this week they both came from machines in the USA.