Wandering Thoughts archives

2005-08-28

Weekly spam summary on August 27th, 2005

The overall SMTP connection rate is up from last week, as we hit 213,000 SMTP connections from at least 36,000 different IP addresses. The SMTP frontend hit a new highwater of 22 simultaneous connections being checked at once. It's possible that a lot of this is from spammers forging our domains as the MAIL FROM of their spams.

Top 10 kernel level SMTP rejections:

Host/Mask           Packets   Bytes
213.4.149.11          16370    736K	[dns]
150.101.192.222       12959    660K	[trap]
212.216.176.0/24      10593    553K
202.96.0.0/12          6472    311K
161.58.153.168         5752    284K	[trap]
206.169.79.2           4621    222K	[dyn]
61.128.0.0/10          4219    211K
64.105.41.16           4127    198K	[dyn]
201.224.247.45         4049    206K	[dns]
192.131.97.33          3706    163K	[helo]
Code Explanation
[dns] Bad or missing reverse DNS
[dyn] Apparent dynamic IP address
[helo] Bad SMTP HELO greeting
[trap] Sent mail to a spamtrap

Clearly we've had some very persistent callers this week; however, most of the individual machines are new on the list (the only exception is 213.4.149.11, appearing in SpamSummary-2005-07-23).

Connection-time rejection stats:

  27462 total
  13178 dynamic IP
   7721 bad or no reverse DNS
   1668 class bl-cbl
   1195 class bl-spews
   1032 class bl-sbl
    880 class bl-dsbl
    775 class bl-ordb
    189 class bl-sdul
     83 class bl-njabl
     27 class bl-opm

SBL-based rejections are up significantly, and break down like this for the top five:

Rejections SBL listing
617 SBL20671
98 SBL27384
62 SBL20539
38 SBL23039
23 SBL29615

SBL20671 is a /19 ROKSO listing for OC3 Networks. SBL27384 is an aruba.it IP address listed for hosting a 'phish' site that tried to send us a bunch of email. SBL29615 is 216.250.209.9, www.portafree.com, listed as an Advance Fee Fraud source. (There is a lesson here for people running free email services, but they clearly keep on not learning.)

SPEWS rejections have no specific bad source, although 65.209.157.32 kept retrying a lot (it looks like it's a Microsoft mailer, and those tend to do that in my experience). Big SPEWS contributions came from mail.uk.tiscali.com and seamail.go.com, both of which are widely abused free email services that I am not sorry to see rejected. wanadoo.co.uk also got into the act.

(I am seriously considering specific connection-time rejections for all of the widely abused free email providers that I don't want to bother talking to. It would probably make these reports more streamlined and it might get the message through to their operators. Or at least any real users trying to email our users.)

Bad HELOs and SMTP bounces to nonexistent local addresses are up quite a lot over last week. The numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 21143 831 4888 409
Bad bounces 6722 3282 2099 817

Much of the increase in the bad HELO count is due to various people retrying much more often. The drastic increase in the number of distinct IP addresses sending us bad bounces suggests that our domains are being forged more by spammers again.

spam/SpamSummary-2005-08-27 written at 02:55:18; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.