Wandering Thoughts: Recent Entries For 2006/07/09

Weekly spam summary on July 8th, 2006

This week, we:

• got 13,932 messages from 204 different IP addresses.
• handled 17,417 sessions from 865 different IP addresses.
• received 161,727 connections from at least 52,444 different IP addresses.
• hit a highwater of 50 connections being checked at once (hit on Friday).

This is about the same as last week, allowing for random variation. The per day table is mostly but not entirely flat, so I'm going to include it:

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
218.0.0.0/11           9919    485K
61.128.0.0/10          7007    367K
213.4.149.12           6328    329K
69.64.10.246           5037    235K
217.13.17.73           4932    237K
218.254.82.97          4189    201K
62.2.90.42             4155    201K
212.216.176.0/24       4030    203K
217.57.24.82           3774    181K
220.160.0.0/11         3680    182K

Volume is down from last week, only partly because the two big point sources went away, and this week the top two spots are claimed by Chinese netblocks instead of individual IP addresses.

• 213.4.149.12 returns from last week, still with a bad HELO name.
• 217.13.17.73 and 217.57.24.82 also have bad HELO names.
• 69.64.10.246 was listed in the NJABL (but no longer is).
• 218.254.82.97, a very active hkcable.com.hk cablemodem, returns from last week.
• 62.2.90.42 is listed in the SORBS DUL list (and is currently in bl.spamcop.net).

Connection time rejection stats:

  55159 total
  29576 dynamic IP
  21628 bad or no reverse DNS
   2631 class bl-cbl
    230 class bl-njabl
    154 class bl-sdul
    135 class bl-spews
    124 class bl-sbl
     87 class bl-dsbl
     10 class bl-ordb

This is a striking jump up from last week for only a relatively moderate increase in overall connection volume. I suspect that spammers may be having their zombies get more persistent to overcome greylisting; oh well, very little lasts forever in the antispam world.

All 30 of the 30 most rejected IP addresses were rejected more than a hundred times; the champion is 218.254.82.97, with 1247 rejections, and with this latest episode it's now earned a permanent place in our kernel IP filters. 27 of the 30 are currently in the CBL, and six are in bl.spamcop.net.

Hotmail had a so-so week, and I've discovered that some of my past stats around the start of each month may have been inaccurate. This week's numbers:

• no messages accepted.
• 4 messages rejected because they came from non-Hotmail email addresses.
• 14 messages sent to our spamtraps.
• no messages refused because their sender addresses had already hit our spamtraps.
• no messages refused due to their origin IP address.

That's a lot of mail to our spamtraps, and I'm not too happy about it. Hotmail may be stopping spammers relatively fast, but it's clearly letting them send some spam to start with.

And the closing numbers:

Both of these are up significantly from last week, and I suspect that it's the same root cause: spammers are forging us on their spam more actively. There is no single source of bad HELOs that stands out a lot (the winner is 198.145.214.166 aka 'pascor01.Pascor.local', but with only 85 rejections).

This week sees a new 38-character hex digit appear in the bad bounces, 8B407639D45C5742ADD3987F7E013C41178B66. Apart from that, there's a lot more variety this week, with 54 different usernames ranging from long-dead accounts to plausible accounts to random alphanumeric sequences like 'zfqbxbgm330'; the random alphanumerics are the predominant group. Interesting, the only all-digit username this week was '0'.