Weekly spam summary on August 18th, 2007

This week, we:

• got 12,100 messages from 261 different IP addresses.
• handled 22,629 sessions from 2,180 different IP addresses.
• received 434,144 connections from at least 121,837 different IP addresses.
• hit a highwater of 31 connections being checked at once.

So much for any chance that volume would go down compared to last week. I believe that the higher session volume is at least partly because of compromised spam zombies getting past my relatively weak greylisting precautions.

Day	Connections	different IPs
Sunday	40,431	+15,128
Monday	65,293	+17,229
Tuesday	77,288	+17,074
Wednesday	70,746	+20,302
Thursday	61,045	+17,116
Friday	69,455	+18,689
Saturday	49,886	+16,299

The peak day may be migrating back to Wednesday, but really, all that seems reasonably apparent is that some spammers take weekends off.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          25371   1319K terra.es
68.230.240.0/23       19247    935K cox.net
213.29.7.0/24         17643   1059K centrum.cz
68.168.78.0/24        11520    553K adelphia.net
213.4.149.68           8350    484K
195.238.6.228          7739    371K
61.128.0.0/10          6192    342K China
85.114.132.50          5932    356K
62.94.0.34             4727    212K
200.63.215.74          4568    219K

Volume here is down from last week, and not as many of the usual open webmail suspects have shown up.

• 213.4.149.68 kept trying with a bad HELO; we saw it before in early July.
• 195.238.6.228 returns from late July.
• 85.114.132.50 is SBL52705, although we don't talk to fastwebserver.de anyways.
• 62.94.0.34 is another place we don't talk to because of open webmail; it previously appeared all the way back in December of 2006.
• 200.63.215.74 has bad reverse DNS.

Connection time rejection stats:

 203098 total
  96920 bad or no reverse DNS
  91776 dynamic IP
  10786 class bl-cbl
   1121 class bl-pbl
    264 class bl-sdul
    264 class bl-dsbl
    213 class bl-sbl
    154 dartmail.net
     48 acceleratebiz.com
     46 officepubs.com
     45 67.98.250.0/24
     19 class bl-njabl

This is quite a volume increase over last week, almost all of it in the top four reasons. The highest source of SBL rejections this week is SBL57804, a /18 listed as a 'spam source range', with 66 rejections. Following it is SBL49824 )a /27 listed 27 January) with 21 rejections, and SBL52705 (85.114.132.50) with 19 rejections, and SBL55920 (another advance fee fraud spam source) with 17 rejections.

Eighteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 200.63.215.74 (2,259 rejections), followed by 201.9.243.8 (644 rejections) and 190.65.82.107 (572 rejections). Seventeen of the top 30 are currently in the CBL, seven are currently in bl.spamcop.net, twenty are in the PBL, and a grand total of 26 are in zen.spamhaus.org.

(Locally, 19 were rejected for bad or missing reverse DNS, 10 for being dynamic IP addresses, and one for being in the CBL.)

This week, Hotmail had:

• 2 messages accepted.
• no messages rejected because they came from non-Hotmail email addresses.
• 26 messages sent to our spamtraps.
• 1 messages refused because its sender address had already hit our spamtraps.
• 4 messages refused due to their origin IP address (two in the CBL, one from Ghana, and one from the Cote d'Ivoire).

And the final numbers:

what	# this week	(distinct IPs)	# last week	(distinct IPs)
Bad HELOs	1782	232	1874	176
Bad bounces	339	268	692	487

The leading source of bad HELO attempts this week is 212.15.28.2 (87 attempts), followed by 67.113.162.150 and 64.80.183.134 at 67 attempts each.

Bad bounces were sent to 297 different bad usernames this week, with the most popular one being RalphPlatt with 7 attempts. That bad username pattern staged a resurgence this week, although it is still fighting it out with various other ones like robachan and p886. Interestingly, I am now seeing some names like kostaqHovern with a capital shoved in the middle of the username.