Wandering Thoughts archives

2006-03-19

Weekly spam summary on March 18th, 2006

The basic volume numbers are that this week, we:

  • got 13,909 messages from 248 different IP addresses.
  • handled 18,580 sessions from 927 different IP addresses.
  • received 195,437 connections from at least 36,864 different IP addresses.
  • hit a highwater of 16 connections being checked at once.

These are mostly down from last week, although not as much as I would like to see. Again, the per-day table is interesting (the second column is how many distinct IPs were first seen that day; the seven increments sum to the week's 36,864):

Day         Connections   New distinct IPs
Sunday           15,795             +5,407
Monday           93,939             +6,200
Tuesday          17,929             +5,280
Wednesday        14,369             +3,596
Thursday         15,219             +3,898
Friday           21,460             +6,363
Saturday         16,726             +6,120

Clearly some people really lit us up on Monday (probably a few very aggressive sources, since the number of different IPs only jumped by a bit over the usual).

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
66.235.205.240        10562    513K
82.107.127.75          6375    366K
212.216.176.0/24       4705    239K
204.202.11.132         4200    207K
219.238.168.124        4020    193K
61.128.0.0/10          2434    124K
63.215.91.194          2102    125K
210.213.126.197        1930   92640
209.163.128.138        1876   87543
80.190.233.48          1723    103K

This week is an active one for individual IPs, going back to the days when they dominated the top ten.

  • 66.235.205.240 aka the spammer 'save-mihaita.org' reappears from last week. Maybe they've finally given up and gone away.
  • also reappears from last week.
  • also reappearing from before are 82.107.127.75 (from last week), 80.190.233.48 (from last December), and 80.190.233.48 (from the week before last).
  • 204.202.11.132 is another 'support@apaypal.com' spam emitter, and got blocked for that.
  • 63.215.91.194 is SPEWS-listed, and on bl.spamcop.net so I suspect we're not missing much. (Some Googling suggests that it's spewing advance fee fraud spam at a decent clip.)
  • 210.213.126.197 is a Philippines IP address without good reverse DNS.
  • 209.163.128.138 smells too much like a twtelecom.net 'dialup' dynamic IP address to us. Unfortunately I suspect that 'gen.twtelecom.net' is used by both dynamic-IP customers and static IP businesses, so we may have to stop blocking it someday.

(I hate ISPs who mix-master dynamic customers with static customers. I also hate ISPs that use generic reverse DNS even for static business IP addresses.)

Connection time rejection stats:

  24495 total
  12785 dynamic IP
   7698 bad or no reverse DNS
   2519 class bl-cbl
    323 class bl-ordb
    174 SKYLIST INC 69.56.0.0/18
    161 class bl-dsbl
    129 class bl-spews
    127 dartmail.net
    102 class bl-sbl
     68 class bl-sdul
     63 class bl-njabl
     23 class bl-opm

I talked about Skylist last week; some Googling (especially in Google Groups) will likely show why we block dartmail.net. This week there were three IP addresses that were refused 100 times or more: 201.37.172.229 (155 times), and 67.153.94.227 and 201.124.113.154 (121 times each). Seven of the top 30 most refused IP addresses are currently in the CBL, four are currently in bl.spamcop.net, and none are in the SBL.
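The rejection classes in the table above (dynamic-IP reverse DNS, bad or no reverse DNS, DNSBL hits reported as 'class bl-*', and named netblocks such as the Skylist one) come out of a fairly mechanical connection-time classifier, and the twtelecom.net complaint earlier is the same check applied to a generic ISP reverse DNS suffix. The script below is an added illustration of that pipeline, not the site's own mailer configuration or code. All hostnames, netblocks, DNSBL contents, the check order, and the sample connection list are constructed assumptions; real PTR, A and DNSBL queries are replaced by an in-memory table so it runs offline.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample DNS data (documentation-range IPs, not real hosts).
# A real deployment issues PTR, A and DNSBL queries instead of reading these dicts.
PTR_RECORDS = {
    "192.0.2.10": "dsl-192-0-2-10.example-isp.net",        # dynamic by naming pattern
    "192.0.2.11": "cpe-192-0-2-11.dyn.example-cable.net",  # dynamic by naming pattern
    "192.0.2.12": None,                                    # no reverse DNS at all
    "192.0.2.13": "mail.example.org",                      # good, forward-confirmed
    "192.0.2.14": "mx.example.net",                        # PTR name does not point back
    "192.0.2.15": "relay.example.com",                     # good rDNS but DNSBL-listed
    "198.51.100.7": "host7.gen.example-telecom.net",       # generic ISP rDNS, treated as dynamic
    "203.0.113.9": "smtp.example.info",                    # inside a locally blocked netblock
}
A_RECORDS = {
    "mail.example.org": {"192.0.2.13"},
    "mx.example.net": {"198.51.100.200"},   # resolves elsewhere, so the rDNS is "bad"
    "relay.example.com": {"192.0.2.15"},
    "smtp.example.info": {"203.0.113.9"},
}
# Local stand-in DNSBL zones: class label -> (zone, set of listed IPs), checked in this order.
DNSBL_ZONES = {
    "bl-cbl": ("cbl.abuseat.org", {"192.0.2.15"}),
    "bl-sbl": ("sbl.spamhaus.org", set()),
}
# Hand-maintained netblock blocks, reported under their own label like the Skylist entry.
LOCAL_BLOCKS = {"EXAMPLE INC 203.0.113.0/24": ipaddress.ip_network("203.0.113.0/24")}

# Naming patterns that mark an address as a dynamic/dialup customer.
DYNAMIC_RE = re.compile(
    r"(^|[.-])(dsl|dyn|dynamic|dialup|dhcp|ppp|pool|cable|cpe)(?=[.-]|\d)", re.I)
# Hypothetical analogue of 'gen.twtelecom.net': generic rDNS an ISP hands to everyone.
GENERIC_SUFFIXES = (".gen.example-telecom.net",)


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: octets reversed, then the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Listed IPs answer with a 127.0.0.x address under the zone, as real DNSBLs do.
DNSBL_ANSWERS = {dnsbl_query_name(ip, zone): {"127.0.0.2"}
                 for zone, listed in DNSBL_ZONES.values() for ip in listed}


def resolve_a(name):
    """Stand-in for an A-record query, served from the constructed tables above."""
    return A_RECORDS.get(name) or DNSBL_ANSWERS.get(name, set())


def classify(ip):
    """Return the connection-time rejection reason for ip, or None to let it through.

    The check order is an assumption: local netblocks, then reverse DNS tests
    (cheap, local), then DNSBL lookups (a DNS query per zone) last.
    """
    addr = ipaddress.ip_address(ip)
    for label, net in LOCAL_BLOCKS.items():
        if addr in net:
            return label
    ptr = PTR_RECORDS.get(ip)
    if ptr is None:
        return "bad or no reverse DNS"
    if DYNAMIC_RE.search(ptr) or ptr.endswith(GENERIC_SUFFIXES):
        return "dynamic IP"
    if ip not in resolve_a(ptr):          # PTR name must forward-confirm to this IP
        return "bad or no reverse DNS"
    for label, (zone, _listed) in DNSBL_ZONES.items():
        if resolve_a(dnsbl_query_name(ip, zone)):
            return "class " + label
    return None


def rejection_stats(ips):
    """Tally rejections in the weekly summary's layout: total first, then reasons by count."""
    counts = Counter(r for r in map(classify, ips) if r is not None)
    lines = [f"{sum(counts.values()):7d} total"]
    lines += [f"{n:7d} {reason}" for reason, n in counts.most_common()]
    return lines


def top_refused(ips, n=3):
    """Most-refused IPs, each with whether it is currently CBL-listed (as the summary reports)."""
    refused = Counter(ip for ip in ips if classify(ip) is not None)
    zone = DNSBL_ZONES["bl-cbl"][0]
    return [(ip, count, bool(resolve_a(dnsbl_query_name(ip, zone))))
            for ip, count in refused.most_common(n)]


# Constructed week of connection attempts (repeats stand in for retrying sources).
SAMPLE_CONNECTIONS = (["192.0.2.10"] * 5 + ["192.0.2.11"] * 3 + ["198.51.100.7"] * 4
                      + ["192.0.2.12"] * 6 + ["192.0.2.14"] * 2 + ["192.0.2.15"] * 3
                      + ["203.0.113.9"] * 2 + ["192.0.2.13"] * 10)

if __name__ == "__main__":
    print("\n".join(rejection_stats(SAMPLE_CONNECTIONS)))
    for ip, count, in_cbl in top_refused(SAMPLE_CONNECTIONS):
        print(f"{ip} refused {count} times, in CBL: {in_cbl}")
```

Two design points are worth noting. The dynamic-IP pattern test runs before forward confirmation because a dialup-style PTR name is grounds for rejection on its own, whether or not it resolves back; and DNSBL lookups come last because each one costs a DNS query against an outside service, so the free local checks should have already thrown out most of the junk. The generic-suffix rule is exactly the blunt instrument the twtelecom.net remark above complains about: it cannot tell a static business customer from a dialup one when the ISP gives both the same reverse DNS.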

what           this week (distinct IPs)   last week (distinct IPs)
Bad HELOs        782  (85)                 1121  (68)
Bad bounces      118 (101)                  111  (88)

And finally the Hotmail numbers, because they continue to be pretty good:

  • 2 messages accepted; they might even be legitimate ones this time around.
  • 1 message rejected because it came from a non-Hotmail email address.
  • 27 messages sent to our spamtraps.
  • 10 messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (two for being in the CBL and one from Benin).

I'm not completely happy with all these and I'm wary about Hotmail backsliding (again), but I do now have a certain amount of measured hope. Hotmail may actually be taking spam seriously this time around (for however long it lasts before the next change in management priorities).

spam/SpamSummary-2006-03-18 written at 02:23:38