Wandering Thoughts archives

2006-07-16

Weekly spam summary on July 15th, 2006

This week, we:

  • got 12,289 messages from 220 different IP addresses.
  • handled 18,265 sessions from 954 different IP addresses.
  • received 143,889 connections from at least 48,413 different IP addresses.
  • hit a highwater of 14 connections being checked at once.

Session volume is up slightly from last week, but everything else is down. The per day table is relatively boring, so I'm omitting it this week.

Kernel level packet filtering top eleven:

Host/Mask           Packets   Bytes
209.216.205.162       16293    717K
210.245.161.90        12190    731K
218.0.0.0/11           7848    383K
213.4.149.12           7830    407K
61.128.0.0/10          4919    257K
212.216.176.0/24       4779    244K
195.39.69.48           4509    271K
62.149.158.91          4142    249K
220.160.0.0/11         3573    176K
66.193.15.20           3119    187K
218.254.82.97          3111    149K

The bottom of the top eleven is about the same volume as last week, but the top end is much higher.

  • 209.216.205.162 kept trying to send email from an email address that had hit a spamtrap.
  • 210.245.161.90 is a Hong Kong IP address with no reverse DNS, and is also in the CBL.
  • 213.4.149.12 returns from last week, still with a bad HELO.
  • 195.39.69.48 is a Czech IP address with no reverse DNS (and is in spam.dnsbl.sorbs.net).
  • 62.149.158.91 is an aruba.it webmail machine; we now refuse all of them after too much spam from aruba.it.
  • 66.193.15.20 kept trying to send email from an email address that had already hit a spamtrap, in this case 'women@city.localevents.com'.
  • our old friend 218.254.82.97 from last week and before is at #11, just barely failing to make the top ten list, but I included it anyways.

I'm not too happy with 'city.localevents.com', as this is the second time they've hit our spamtraps with something (both times from 66.193.15.20). They may get banned entirely if this happens again.

Connection time rejection stats:

  40160 total
  18979 dynamic IP
  16601 bad or no reverse DNS
   2767 class bl-cbl
    520 class bl-njabl
    172 class bl-ordb
    152 class bl-dsbl
    133 class bl-sbl
    127 class bl-sdul
     40 class bl-spews

The top three are down significantly from last week, but the other numbers haven't budged much (the CBL rejections are even up slightly).

Eighteen of the top 30 most rejected IP addresses were rejected more than 100 times, with 84.229.4.87 the winner at 307 rejections. 203.197.246.51 (245 rejections) and 82.232.29.56 (222 rejections) collect second and third place. 20 of the top 30 are currently in the CBL and 5 are currently in bl.spamcop.net.
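The "currently in the CBL / in bl.spamcop.net" figures above come from DNSBL lookups. As an added example (not code from the original post), here is how such a check works: the IP's octets are reversed, the zone name is appended, and a listing shows up as an A record in 127.0.0.0/8. The zones are the two named on this page; the resolver is injectable, and the answers below are constructed so the script runs offline.

```python
"""Check IPs against the DNSBL zones this summary mentions (sorbs, spamcop)."""
import ipaddress
import socket

# Zones named on the page. The CBL's own zone name is not given here, so it is left out.
DNSBL_ZONES = ("spam.dnsbl.sorbs.net", "bl.spamcop.net")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the DNSBL answers with a 127.0.0.0/8 address (the usual 'listed' signal).

    `resolve` is injectable so the logic can be tested without network access.
    A failed lookup (NXDOMAIN) means 'not listed'; any non-127/8 answer is treated
    as not listed too, since some zones return other addresses for error conditions.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def listing_report(ips, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Map each IP to the zones listing it, the way the summary counts 'N of the top 30'."""
    return {ip: [z for z in zones if is_listed(ip, z, resolve)] for ip in ips}


# Constructed stand-in for real DNS answers (not actual listing data).
_FAKE_ANSWERS = {
    "87.4.229.84.bl.spamcop.net": "127.0.0.2",
    "87.4.229.84.spam.dnsbl.sorbs.net": "127.0.0.6",
    "51.246.197.203.bl.spamcop.net": "127.0.0.2",
}


def fake_resolve(name):
    """Offline resolver: answers from the constructed table, NXDOMAIN otherwise."""
    if name in _FAKE_ANSWERS:
        return _FAKE_ANSWERS[name]
    raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    top_rejected = ["84.229.4.87", "203.197.246.51", "82.232.29.56"]
    for ip, zones in listing_report(top_rejected, resolve=fake_resolve).items():
        print(ip, zones or "not listed")
```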

Hotmail had a so-so week:

  • 1 message accepted.
  • 2 messages rejected because they came from non-Hotmail email addresses.
  • 10 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • no messages refused due to their origin IP address.

As with last week, Hotmail continues to have spammers but they keep mailing our spamtraps instead of our real users. I suppose this is better than the alternative, and I have to admit that the volume stats are down a lot from the heights of the problem.

And the closing numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      1422 (70)                    608 (56)
Bad bounces     127 (108)                    88 (62)

Leading contributors to the bad HELOs are 209.97.195.183 (356 rejections), 212.122.235.35 (172), 62.42.227.11 (89), and 212.150.140.50 (83), but there's no really big point source for the big HELO jump.

Bad bounces went to a lot of usernames this week, most of them clearly made up by spammers (mostly in a pattern of letters with a few digits at the end). But the leading username for bounces was 'books' (12 times), there were some bounces to long since dead accounts, one bounce to '35', and two bounces to one of the 38-character hex strings and one bounce to another one.

Those hex strings really make me wonder. Oh well, spammers are peculiar.

spam/SpamSummary-2006-07-15 written at 02:40:48
