Wandering Thoughts: Recent Entries For 2006/08/12

Weekly spam summary on August 12th, 2006

This week, we:

• got 12,152 messages from 212 different IP addresses.
• handled 16,255 sessions from 790 different IP addresses.
• received 124,287 connections from at least 41,964 different IP addresses.
• hit a highwater of 6 connections being checked at once.

This is down from last week. I don't expect it to stay that way, although I can hope that spammers take August vacations too. Speaking of vacations, the per day table is interesting this week:

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
204.200.222.245       10466    516K
213.4.149.12           8151    424K
204.200.195.72         7544    372K
210.245.60.162         7294    322K
217.224.0.0/13         3555    171K
62.212.90.203          3374    167K
200.46.151.14          3193    149K
61.128.0.0/10          3079    154K
80.128.0.0/12          3037    154K
195.39.69.48           2688    161K

Although the high is lower, overall this is up from last week.

• 204.200.222.245 and 204.200.195.72 got blocked for hammering on us with stuff that had already hit spamtraps, probably phish spam.
• 213.4.149.12 (bad HELO), 210.245.60.162 (bad reverse DNS), and 62.212.90.203 (bad reverse DNS) return from last week.
• 200.46.151.14 is an IP address in Panama without reverse DNS.

Connection time rejection stats:

  31230 total
  13988 bad or no reverse DNS
  13858 dynamic IP
   2242 class bl-cbl
    204 class bl-njabl
    147 class bl-sbl
    141 class bl-sdul
     95 class bl-dsbl
     77 class bl-ordb
     18 class bl-spews

I am starting to get curious about why the NJABL is such a consistent good performer for us. (Admittedly it is not by much compared to the CBL, but still.)

Only three out of the top 30 most rejected IP addresses were refused more than 100 times this week; the winner is 69.244.42.28 (135 rejections, a Comcast cablemodem that is on a lot of DNSbls). 24 of the top 30 are currently in the CBL, 8 are currently in bl.spamcop.net, and one is in the SBL.

The one in the SBL appears to be a genuine spammer: 208.32.133.155, 'Cutting Edge Media', SBL45150 (which lists the entire /24). It provided 61 of the SBL hits this week; the big other contributors are 194.165.130.93 (22 hits, SBL43698, caught scanning for vulnerable webforms that spammers exploit), 194.85.87.50 (13 hits, SBL41338, spam source), and 208.32.133.156 (11 hits, also Cutting Edge Media and SBL45150).

Hotmail slid right downhill this week:

• 1 message accepted, and it was almost certainly spam.
• 8 messages rejected because they came from non-Hotmail email addresses.
• 15 messages sent to our spamtraps.
• 4 messages refused because their sender addresses had already hit our spamtraps.
• 2 messages refused due to their origin IP address (one for being SBL42606, and 196.207.1.214 for being in the CBL (among other problems)).

I'm not impressed.

And the final numbers:

And another week closes without any bounces trying to go to those mysterious 38-character hex strings.