Weekly spam summary on May 6th, 2006

May 7, 2006

This week, we:

  • got 11,443 messages from 213 different IP addresses.
  • handled 15,802 sessions from 820 different IP addresses.
  • received 219,841 connections from at least 43,156 different IP addresses.
  • hit a highwater of 50 connections being checked at once, reaching it Monday.

Connection volume is up significantly from the extrapolated levels of last week. All of this is despite us being down for about half of Sunday, due to a drive failure and needing to fix it. The per day table is very interesting, though:

Day Connections different IPs
Sunday 6,518 +2,602
Monday 22,737 +6,621
Tuesday 19,300 +6,684
Wednesday 23,372 +6,488
Thursday 22,592 +5,987
Friday 22,169 +8,218
Saturday 103,153 +6,556

You can see the Sunday effects, and I have nothing to say about this Saturday except AIEEE. I rather suspect that there is a major spam storm going on at the moment.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
218.189.207.71         6045    290K
212.216.176.0/24       5433    268K
213.253.210.34         4274    205K
213.178.230.131        3284    158K
61.128.0.0/10          2748    136K
222.32.0.0/11          2392    124K
67.138.83.190          2241    108K
213.250.36.13          2193    105K
199.195.71.42          2166    110K
218.0.0.0/11           2045    104K

It's pretty much the week of DNS blocklists:

  • 218.189.207.71 is a Hong Kong IP address with bad reverse DNS.
  • 213.253.210.34 is in the DSBL.
  • 213.178.230.131 and 213.250.36.13 are in the ORDB.
  • 67.138.83.190 is in NJABL.
  • 199.195.71.42 kept hammering on us after attempting delivery to a spamtrap; I suspect it's phish spam from the MAIL FROM address.

(The usual difference is that advance fee fraud spam exploits badly administered webmail systems and so has MAIL FROM addresses that look like individual user names, whereas phish spam exploits insecure web servers and thus has MAIL FROM addresses with usernames like httpd, apache, root, nobody, test, and so on.)

Connection time rejection stats:

  41638 total
  19232 dynamic IP
  18044 bad or no reverse DNS
   2279 class bl-cbl
    481 class bl-njabl
    409 class bl-ordb
    255 class bl-spews
    167 class bl-dsbl
     48 class bl-sdul
     28 class bl-sbl
      3 class bl-opm

In completely unsurprising news (given the spam storm), 24 of the top 30 most rejected IP addresses were rejected more than 100 times; the champion was 218.254.83.47 with 259 rejected connections. 23 of the top 30 are currently in the CBL and 13 of them are currently in bl.spamcop.net.

The Hotmail numbers are at pretty much an all-time low, although they still collect one black eye:

  • No messages accepted.
  • No messages rejected because they came from non-Hotmail email addresses.
  • 3 messages sent to our spamtraps.
  • No messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in SBL17935, listed since January 17th, 2006.

Of course Hotmail is still batting zero since no real Hotmail people actually sent us email this week, but at least they're not swinging very much.

And the final set of numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 405 46 346 40
Bad bounces 8 7 29 23

On the bad HELOs front, the most active source was 205.150.71.250, with 100 tries; the next was 217.197.167.34 with only 57. The bad bounces number is completely surprising; at this level, I can actually look at each session. While some of the bounces are to completely bogus user names, some are to what are now spamtrap addresses here. I don't know what this means; have spammers started mining their target lists for MAIL FROMs?

The user name patterns for the bad bounces:

  • last week saw 4 each to id and noreply, 11 more between four spamtraps, then one each to a mix of spamtraps, random sequences like c301ymxlp, and some entirely numeric user names like 72.
  • this week saw 2 to costauvqaagmlp, 4 to spamtraps, one to entranceway, and one to the 38-character hex sequence 8B407639D45C5742ADD3987F7E013C410F82BC.

Conclusion: spammers are strange.

Written on 07 May 2006.
« Using a stock kernel.org kernel on Fedora Core 5
SCGI versus FastCGI »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun May 7 02:42:49 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.