2006-04-02
Weekly spam summary on April 1st, 2006
Let's see what sort of April Fools joke the spammers have been having this week. This week, we:
- got 14,298 messages from 221 different IP addresses.
- handled 18,642 sessions from 966 different IP addresses.
- received 153,366 connections from at least 49,555 different IP addresses.
- hit a highwater of 17 connections being checked at once.
Connection volume is up from last week, but session volume is down somewhat. That's got a simple meaning: more spammers being dumped at connection time. The per day table runs:
| Day | Connections | different IPs |
|---|---|---|
| Sunday | 21,525 | +9,017 |
| Monday | 21,430 | +7,776 |
| Tuesday | 27,890 | +6,457 |
| Wednesday | 23,531 | +5,822 |
| Thursday | 19,097 | +6,309 |
| Friday | 19,609 | +7,180 |
| Saturday | 20,284 | +6,994 |
Conclusion: the spam attack from last week is continuing, with a spike Tuesday for some reason. It would be handy if the spammer show came with a program guide.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
|---|---|---|
| 193.70.192.0/24 | 16183 | 730K |
| 212.216.176.0/24 | 7320 | 365K |
| 61.128.0.0/10 | 5531 | 287K |
| 209.94.102.72 | 4599 | 234K |
| 211.136.0.0/14 | 4123 | 247K |
| 168.243.89.68 | 2699 | 162K |
| 218.0.0.0/11 | 2255 | 113K |
| 221.216.0.0/13 | 2247 | 114K |
| 219.238.168.124 | 2112 | 101K |
| 24.13.143.139 | 2042 | 98016 |
Continuing the trend from last week, libero.it and tin.it really tried to dump a lot of stuff on us (they're the top two entries on the list).
- 209.94.102.72 was blocked for hitting spamtraps and then keeping on sending us spammy-looking stuff.
- 168.243.89.68 is a San Salvador based IP address with bad reverse DNS.
- 219.238.168.124 returns from last week.
- 24.13.143.139 is a Comcast cablemodem, and is listed in a number of DNS blocklists (including bl.spamcop.net).
Connection time rejection stats:
| Count | Reason |
|---|---|
| 36261 | total |
| 19955 | dynamic IP |
| 11044 | bad or no reverse DNS |
| 3677 | class bl-cbl |
| 270 | class bl-dsbl |
| 249 | class bl-ordb |
| 232 | class bl-sbl |
| 137 | class bl-sdul |
| 105 | class bl-njabl |
| 83 | fairgamemail.us |
| 67 | class bl-spews |
| 38 | SKYLIST INC 69.56.0.0/18 |
| 22 | class bl-opm |
Unlike last week, this week fairgamemail.us is trying to spam us from two netblocks. They hit us from both 209.124.72.0/24 and the new 204.14.1.0/24, under 'VX Commit, LLC', 204.14.0.0/21. VX Comit LLC's entire /21 is in the SBL as SBL27197; according to the listing they are also known as '247 Surf Net'.
Out of the top 30 most rejected IP addresses, three were rejected 100 times or more. The most prolific was 64.71.157.243 (in the SBL as part of SBL39167), rejected 139 times. Twelve of the top 30 are currently in the CBL, nine are currently in bl.spamcop.net, and only the one is currently in the SBL.
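The rejection breakdown and the "most rejected IP addresses" figures above are the kind of thing one tallies from the mail frontend's logs. The following is an added example of such a tally, not the author's own script: the log line format (date, time, remote IP, accept/reject, rejection reason) and the sample lines are constructed here, and the "+N different IPs" per-day column is interpreted, as an assumption, as IPs not seen on an earlier day of the same period.

```python
"""Tally connection-time rejections from constructed SMTP frontend log lines.

Added example. The log format is hypothetical; real frontends log differently.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: "<date> <time> <remote IP> <accept|reject> [reason]".
SAMPLE_LOG = """\
2006-03-26 01:02:03 192.0.2.10 reject dynamic IP
2006-03-26 01:02:09 192.0.2.10 reject dynamic IP
2006-03-26 01:05:44 198.51.100.7 reject bad or no reverse DNS
2006-03-26 02:11:01 203.0.113.5 reject class bl-cbl
2006-03-26 02:11:02 203.0.113.5 reject class bl-cbl
2006-03-26 02:11:03 203.0.113.5 reject class bl-cbl
2006-03-27 03:00:00 198.51.100.8 reject class bl-sbl
2006-03-27 03:00:10 198.51.100.7 reject bad or no reverse DNS
2006-03-27 04:00:00 192.0.2.77 accept
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) "
    r"(?P<action>accept|reject)(?: (?P<reason>.+))?$"
)


def parse_log(text):
    """Yield (date, ip, action, reason) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("date"), m.group("ip"), m.group("action"), m.group("reason")


def rejection_summary(text):
    """Return (total rejections, distinct rejected IPs, {reason: (count, distinct IPs)}).

    This mirrors the 'Connection time rejection stats' breakdown: a total line
    followed by one count per rejection reason.
    """
    total = 0
    all_ips = set()
    reason_count = Counter()
    reason_ips = defaultdict(set)
    for _, ip, action, reason in parse_log(text):
        if action != "reject":
            continue
        total += 1
        all_ips.add(ip)
        reason_count[reason] += 1
        reason_ips[reason].add(ip)
    per_reason = {r: (reason_count[r], len(reason_ips[r])) for r in reason_count}
    return total, len(all_ips), per_reason


def top_rejected(text, n=3):
    """The n most rejected IP addresses as (ip, rejections), most frequent first."""
    counts = Counter(ip for _, ip, action, _ in parse_log(text) if action == "reject")
    return counts.most_common(n)


def per_day(text):
    """Connections per day and how many IPs were first seen that day.

    Assumption: the '+N' column in the per-day table counts IPs not seen on an
    earlier day of the period, so a repeat visitor only counts once.
    """
    seen = set()
    days = {}
    for date, ip, _, _ in parse_log(text):
        conns, new = days.get(date, (0, 0))
        conns += 1
        if ip not in seen:
            seen.add(ip)
            new += 1
        days[date] = (conns, new)
    return days


if __name__ == "__main__":
    total, ips, per_reason = rejection_summary(SAMPLE_LOG)
    print(f"{total} total rejections from {ips} IPs")
    for reason, (count, distinct) in sorted(per_reason.items(), key=lambda kv: -kv[1][0]):
        print(f"{count:6d} {reason} ({distinct} IPs)")
    print("top rejected:", top_rejected(SAMPLE_LOG))
    print("per day:", per_day(SAMPLE_LOG))
```

Counting distinct IPs alongside raw rejections is what separates one persistent host retrying every few seconds (the CBL-listed 203.0.113.5 in the sample) from a genuinely broad source of junk, which is why the weekly tables above report both columns.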
Other numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
|---|---|---|---|---|
| Bad HELOs | 654 | 66 | 714 | 68 |
| Bad bounces | 98 | 81 | 108 | 85 |
I can take some comfort that these are low, and there are relatively few IP addresses involved. By this point, a certain amount of bad bounces are probably just the inevitable background noise of the Internet, much like ssh brute force scans.
And finally the Hotmail numbers:
- 12 messages accepted; shockingly, these were all legitimate.
- 1 message rejected because it came from a non-Hotmail email address.
- 19 messages sent to our spamtraps.
- 13 messages refused because their sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (2 for being in the SBL, 1 for being in the CBL, one from SAIX, one from Ghana).
The SBL rejections are for the same IP address, 62.59.40.138, which is SBL33051. It was one of the ones that hit us last week, as recounted in my revised Hotmail stats. I'm not very happy that it can still spew advance fee fraud spam through Hotmail.
(Don't get too enthused at 12 legitimate emails from Hotmail; 11 of them were from one person.)