Weekly spam summary on July 28th, 2007
This week, we:
- got 10,691 messages from 231 different IP addresses.
- handled 17,807 sessions from 1,456 different IP addresses.
- received 301,407 connections from at least 76,444 different IP addresses.
- hit a highwater of 11 connections being checked at once.
Connection volume is up slightly from last week, but at this point 10,000 connections a week more or less is probably just random noise.
Thursday is down compared to last week, but everything else makes up for it.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 184.108.40.206/23 39187 1903K cox.net 220.127.116.11 32525 1691K terra.es 18.104.22.168/24 19070 865K bellsouth.net 22.214.171.124 13732 642K 126.96.36.199/24 9289 557K centrum.cz 188.8.131.52 8146 489K 184.108.40.206/24 6299 302K adelphia.net 220.127.116.11 5496 257K 18.104.22.168 3595 173K 22.214.171.124 3441 165K
Overall volume is down compared to last week.
- 126.96.36.199 and 188.8.131.52 are things we consider dynamic IP addresses.
- 184.108.40.206 is in the DUL (and has a very generic hostname, and
is currently in
- 220.127.116.11 kept trying with a bad
- 18.104.22.168 is a LACNIC IP address with bad reverse DNS.
This is the first week in a while where none of the top ten individual IP addresses are ones we've seen before (apart from the perennial 22.214.171.124).
Connection time rejection stats:
123178 total 58011 bad or no reverse DNS 55387 dynamic IP 6386 class bl-cbl 477 qsnews.net 335 class bl-pbl 203 class bl-dsbl 118 class bl-sbl 116 class bl-sdul 113 dartmail.net 42 class bl-njabl 34 acceleratebiz.com
There's quite a jump in the 'dynamic IP' category this week; it doesn't seem to have come from any particular ISP or the like, so we seem to have been getting hit more in general.
The highest source of SBL rejections this week is the same as last week: SBL48694, with 31 rejections this week. Following them is SBL56968 (13 rejections), SBL43966 (12 rejections), SBL22762 (11 rejections), and SBL57028 (10 rejections).
An eye-opening twenty two of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 126.96.36.199 (with 2,498 rejections), followed by 188.8.131.52 (1,266 rejections), 184.108.40.206 (1,068 rejections), 220.127.116.11 (776 rejections), and 18.104.22.168 (536 rejections).
Fifteen of the top 30 are currently in the CBL, eight are currently
bl.spamcop.net, twenty four are in the PBL, and a grand total
of twenty five are in zen.spamhaus.org.
(Locally, 18 were rejected for bad or missing reverse DNS, 10 for being dynamic IPs, one for being qsnews.net, and one for being someone we don't want to talk to.)
This week, Hotmail had:
- no messages accepted.
- 3 messages rejected because they came from non-Hotmail email addresses.
- 47 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 3 messages refused due to their origin IP address (one from saix.net, one from the Cote d'Ivoire, and one from Burkina Faso).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading source of bad
HELO attempts this week is 22.214.171.124
(109 attempts), followed by 126.96.36.199 (72 attempts). For once both
of these were trying with plausible looking hostnames, instead of things
Bad bounces were sent to 200 different bad usernames this week, with
the most popular one being
mayumi0624 with 4 attempts. Bad usernames
TomasPryor seem to be falling out of favour, being supplanted
by things like
alenn187. Odd bad usernames of the week:
you-freak. The dominant bad bounce
source this week seems to be Japan and especially ezweb.ne.jp, just like