Wandering Thoughts archives

2006-02-05

Weekly spam summary on February 4th, 2006

Hotmail seems to be shuffling its numbers around significantly this week, to my surprise. I'm not sure the result is really better, but it's certainly different:

  • 4 email messages accepted from Hotmail, although 3 of them look a lot like typical advance fee fraud spam Hotmail addresses.
  • only 79 messages rejected because they came from non-Hotmail email addresses.
  • 138 messages sent to our spamtraps.
  • 27 messages refused because their sender addresses had already hit our spamtraps.
  • 20 messages refused due to their origin IP address (9 for being in the SBL, then a wide assortment I'm too lazy to break down in detail).

Everything is up except the non-Hotmail email address rejections, which have cratered. Maybe spammers have decided to give up on them and restrict themselves to strictly Hotmail addresses? Who knows.

The basic stats:

  • got 14,233 email messages from 230 different IP addresses.
  • handled 17,694 SMTP sessions from 941 different IP addresses.
  • received 130,000 connections from at least 52,159 different IP addresses.
  • only a highwater of 7 pending connections being processed at once.

All of this is just about the same as last week. The per-day table has no interesting fluctuations, so I'm skipping it.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
65.109.239.171         6062    364K
212.216.176.0/24       5540    273K
69.105.51.114          4317    202K
209.9.147.162          3939    236K
218.0.0.0/11           3637    180K
61.128.0.0/10          3598    187K
213.29.7.134           3491    209K
62.69.162.133          2913    163K
209.11.168.39          2582    127K
213.29.7.174           2414    145K

Overall, I'd say the kernel level blocks were a little quieter than last week.

  • 65.109.239.171 and 213.29.7.174 reappear from last week
  • 69.105.51.114 reappears from December 2005, still with an unresolvable HELO name.
  • 209.9.147.162 is in SBL37385.
  • 209.11.168.39 used an unresolvable HELO name.
  • 213.29.7.134 is yet another centrum.cz machine.
  • 62.69.162.133 repeatedly tried to send more mail from something that had tripped our spamtraps.

Connection time rejection stats:

  26458 total
  13291 dynamic IP
   8813 bad or no reverse DNS
   3267 class bl-cbl
    308 class bl-sbl
    133 class bl-dsbl
     70 class bl-njabl
     67 class bl-sdul
     66 class bl-spews
     35 class bl-ordb
      5 class bl-opm

Only one machine really hammered on the frontend this week; 209.9.147.173 made 202 connection attempts before we blocked it harder for being in SBL37385. 17 of the top 30 rejected source IPs are in the CBL this week, three in the SBL (209.9.147.173, plus 222.253.123.194 in SBL36455 and 222.65.153.197 in SBL19307), and 6 are currently in bl.spamcop.net.

Other stats:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 357 36 458 37
Bad bounces 87 55 100 68

There's no really big single source of bad HELOs, unlike last week; 69.105.51.114, at 74 before it went into the kernel blocks, is the highest. At least the numbers are relatively low.

spam/SpamSummary-2006-02-04 written at 01:12:58; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.