Wandering Thoughts: Recent Entries For 2007/03/17

Weekly spam summary on March 17th, 2007

This week, we:

• got 11,732 messages from 232 different IP addresses.
• handled 18,216 sessions from 1,165 different IP addresses.
• received 189,951 connections from at least 55,941 different IP addresses.
• hit a highwater of 7 connections being checked at once.

This is all down from last week, and I have no explanation for why the messages received count is down so much; it is normally quite stable.

The Sunday count is unnaturally low because we managed to accidentally drop the machine off the network for about eight hours on Sunday (we had a mis-set default route in the configuration files, so when the regular Sunday morning reboot happened the machine dropped off the Internet until we figured out what was going on).

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
206.223.168.238       34311   1882K
68.230.240.0/24       23616   1147K
213.4.149.12          17757    923K
205.152.59.0/24       17549    796K
213.29.7.0/24         12251    735K
213.41.128.40          7368    375K
70.167.3.24            6324    379K
69.15.68.98            6321    296K
211.63.211.245         5964    286K
217.14.208.79          5586    284K

This is significantly up from last week, partly (but not entirely) because of 68.230.240.0/24, which is Cox's outgoing SMTP pool. Cox is yet another US ISP that we don't talk to any more because they got into full bore webmail and thus full bore advance fee fraud spamming, and this week I blocked their /24 early on.

• 206.223.168.238 and 213.4.149.12 return from last week and previous appearances.
• 213.41.128.40, 211.63.211.245, and 217.14.208.79 are all on the DSBL.
• 70.167.3.24 kept trying to send stuff with an origin address that had already tripped our spamtraps.
• 69.15.68.98 kept trying with a bad HELO name; we've seen it before, back in early February.

To follow up something from last week: 64.208.191.0/24 did not hit us at all this week, and thus I am dropping them off my mental radar.

Connection time rejection stats:

  67425 total
  41908 dynamic IP
  17325 bad or no reverse DNS
   6573 class bl-cbl
    299 class bl-dsbl
    245 acceleratebiz.com
    242 class bl-sdul
    159 class bl-pbl
     93 class bl-njabl
     85 cuttingedgemedia.com
     49 class bl-sbl

The highest SBL source this week is SBL43107 (18 hits), the 'Gestour Portal spam source' listing that we've seen before. After that is SBL49248 (9 hits), an advance fee fraud spam source listed 18 December 2006.

Three of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 66.191.255.223 (112 times), a charter.com dynamic IP address of some sort. Twelve of the top 30 are currently in the CBL, 13 are currently in bl.spamcop.net, eight are in the PBL, and a grand total of 16 are in zen.spamhaus.org (which needs a short, punchy name).

This week Hotmail managed:

• 2 messages accepted; I suspect both were spam.
• no messages rejected because they came from non-Hotmail email addresses.
• 36 messages sent to our spamtraps.
• 1 message refused because its sender address had already hit our spamtraps.
• 5 messages refused due to their origin IP address (one in SBL33955 (which dates from 2005), one in SBL47589), one in the CBL, one from the Cote d'Ivoire, and one from Ghana).

And the final numbers:

The numbers on bad bounces have gotten a bit worse, but only a bit. Bad HELOs had no really big sources; the biggest three were 65.120.172.122 (71 tries), 72.54.106.163 (63 tries), and 74.62.160.114 (50 tries).

One machine contributed more than half of the bad bounces this week; 72.37.163.14 tried to send seven bounces to a single bad username. Bad bounces were sent to 6 different usernames this week, all of them ex-users. One ex-user got eight bounces; all the others got one each.