Wandering Thoughts archives

2007-06-09

SpamSummary-2007-06-09

Weekly spam summary on June 9th, 2007

This week, we:

  • got 13,047 messages from 274 different IP addresses.
  • handled 19,786 sessions from 1,500 different IP addresses.
  • received 255,420 connections from at least 71,636 different IP addresses.
  • hit a highwater of 12 connections being checked at once.

The volume is down compared to last week and probably down overall, although not by much. The count of different IP addresses is up a little bit, for what that's worth.

Day Connections different IPs
Sunday 77,507 +10,880
Monday 31,169 +11,486
Tuesday 31,949 +11,151
Wednesday 29,512 +10,089
Thursday 29,405 +9,629
Friday 33,665 +11,087
Saturday 22,213 +7,314

The per day breakdown shows the influence of 213.223.200.15 again; after the Sunday morning reboot that flushed the kernel block table it promptly started hitting us again. It is now in our permanent blocklist, so that won't happen again.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          40939   2127K
213.4.149.11          24524   1274K
205.152.59.0/24       23960   1086K bellsouth.net
68.230.240.0/23       23875   1159K cox.net
68.168.78.0/24        14588    700K adelphia.net
204.202.23.184        13339    658K
213.29.7.0/24          8660    518K centrum.cz
204.200.195.201        7180    354K
67.94.63.178           4287    200K
212.216.176.0/24       3431    165K tin.it

The volume here is significantly up compared to last week, led by some extremely prolific sources.

  • 213.4.149.11 and 213.4.149.12 are both terra.es machines with bad HELO names; the former most recently appeared back in December 2005, while the latter returns from last week.
  • 204.202.23.184 kept trying to send phish spam email, and we saw it before in February when it was trying the same thing.
  • 204.200.195.201 is another place that kept trying to send phish spam.
  • 67.94.63.178 kept trying with a bad HELO.

Connection time rejection stats:

  55161 total
  28121 dynamic IP
  20708 bad or no reverse DNS
   4676 class bl-cbl
    424 qsnews.net
    230 class bl-pbl
    188 class bl-dsbl
    119 class bl-njabl
    110 acceleratebiz.com
     79 class bl-sbl
     73 class bl-sdul

The highest source of SBL rejections this week was SBL53722 with 37 rejections. This is an April 19th listing for cavtel.net's outgoing webmail server, listed due to it being used for advance fee fraud spam.

Three of the top 30 most rejected IP addresses were rejected 100 times or more this week; in the lead is 200.121.167.142 with 347 rejections, blocked for bad reverse DNS and also listed in the CBL. Closely following it is 216.213.172.8 with 343 rejections, which a qsnews.net machine. Twelve of the top 30 are currently in the CBL, fifteen are currently in bl.spamcop.net, thirteen are in the PBL, and a grand total of twenty one are in zen.spamhaus.org.

(Locally, 17 were rejected for being dynamic IPs, 10 for having bad or missing reverse DNS, 2 for being qsnews.net, and 1 for being in the DSBL.)

This week, Hotmail had:

  • 3 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 38 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one in the CBL and one from Cote d'Ivoire).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 1232 128 1369 142
Bad bounces 312 177 349 187

This is an improvement over last week, but only a marginal one. The leading source of bad HELOs this week was 67.92.184.162 with 105 rejections for a HELO name ending in .local. (I see a lot of bad HELOs ending in .local for some reason.)

Bad bounces were sent to 237 different bad usernames this week, with the most popular by far being EllisHyatt (47 attempts). A surprising number of usernames like that were hit twice this week; while that username pattern continues to be the most popular, various all lower case usernames made a reasonably strong showing. I suspect that they are valid usernames somewhere, because they're all over the map in what form they use, ranging from wada_katsu to mitsu-com to mottetqdd and whitesnows.

Just like last week, the single largest point source of bad bounces was w3.org. Various other places, including ezweb.ne.jp, Verizon, and Earthlink threw in decent contributions. The remaining bad bounces came from all over.

spam/SpamSummary-2007-06-09 written at 23:40:37; Add Comment

These are my WanderingThoughts
(About the blog)

GettingAround
Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Twitter: @thatcks

* * *

Atom feeds are available; see the bottom of most pages.

This is a DWiki.
(Help)

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web

Search:
(Previous day | Next day)
By day for June 2007: 1 2 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 22 23 25 26 27 28 29 30; before June; after June.
Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.