Wandering Thoughts: Recent Entries For 2007/06/30

Weekly spam summary on June 30th, 2007

This week, we:

• got 10,108 messages from 265 different IP addresses.
• handled 22,107 sessions from 2,055 different IP addresses.
• received 271,991 connections from at least 75,816 different IP addresses.
• hit a highwater of 13 connections being checked at once.

Volume is definitely up from last week. As the per day table illustrates, spammers seem to still prefer Wednesday for their big day:

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          48724   2534K
205.152.59.0/24       18437    836K bellsouth.net
206.123.109.0/27      17088    944K otcpicknews.com
68.230.240.0/23       16148    784K cox.net
68.167.174.246        12468    584K
199.239.248.157       11273    556K
68.168.78.0/24        10395    499K adelphia.net
64.191.86.69           5511    331K
208.108.197.97         4850    266K
209.16.79.66           4122    198K

Here too volume is up from last week, although not as much.

• 213.4.149.12 returns from last week and many prior appearances, once again showing no signs of giving up.
• 68.167.174.246 also returns from last week. As it happens, they appear to be 'thegrantinstitute.com' (according to their SMTP banner), which is someone we don't want to talk to anyways.
• 199.239.248.157 kept trying to send us phish spam.
• 64.191.86.69 is in hostnoc.net space and doesn't have working reverse DNS.
• 208.108.197.97 kept trying to send mail with an origin address that had already tripped our spamtraps.
• 209.16.79.66 kept trying a bad HELO.

Connection time rejection stats:

  85848 total
  48063 bad or no reverse DNS
  30626 dynamic IP
   5052 class bl-cbl
    318 class bl-pbl
    249 qsnews.net
    164 dartmail.net
    110 class bl-dsbl
     96 class bl-sdul
     85 class bl-sbl
     42 216.75.6.0/24
     30 class bl-njabl

The highest source of SBL rejections this week was technically 200.221.11.147 with 16 rejections, but their SBL record has already been removed; since this is zipmail.com.br, I will speculate wildly that they were listed for sourcing lots of advance fee fraud spam, which is certainly why we don't talk to them. After that was SBL56008 with 13 rejections and SBL53722 with 10 rejections; both of them seem to have been listed as advance fee fraud spam sources.

Nine of the top 30 most rejected IP addresses were rejected 100 times or more; the champion is 202.61.62.248 (1,296 rejections), followed by 202.196.43.168 (750 rejections), 189.130.216.253 (437 rejections, bad), 189.130.216.241 (362 rejections), and 189.130.216.208 (178 rejections). All of them were rejected for bad or missing reverse DNS, but except for 202.196.43.168, of them are also on either or both of the CBL and the PBL.

Thirteen of the top 30 are currently in the CBL, two are in the SBL (in SBL55457 and SBL52160, which is a depressing March 22nd listing of a Chinese /18 for spammer hosting), five are currently in bl.spamcop.net, eleven are in the PBL, and a grand total of 17 are in zen.spamhaus.org.

(Locally, 22 were rejected for bad or missing reverse DNS, 4 for being dynamic IPs, and 4 for being various people we don't want to talk to.)

This week, Hotmail had:

• 5 messages accepted.
• no messages rejected because they came from non-Hotmail email addresses.
• 39 messages sent to our spamtraps.
• 3 messages refused because their sender addresses had already hit our spamtraps.
• 13 messages refused due to their origin IP address (eight in the CBL, two in SBL21128, one in SBL47233, one from Nigeria, and one from Burkina Faso).

And the final numbers:

Things got bad this week. While I expected to find a big source or two of bad HELOs, the leading source this week was 66.55.8.242 with only 132 attempts, followed by 71.35.254.126 (83). Apparently there were just more people this week in the 30 to 60 attempts range.

Bad bounces were sent to 276 different bad usernames this week, with the most popular one by far being jtpnu with 130 attempts, followed by hvd with 68, pnu with 61, tpnu with 58, dnwga with 35, and vdnw with 31. Various patterns show up, including a surprising number that look Japanese, and to be generic there was a fred and a hello-everybody (along with a few ex-users).