Wandering Thoughts archives


Weekly spam summary on April 1st, 2006

Let's see what sort of April Fools joke the spammers have been having this week. This week, we:

  • got 14,298 messages from 221 different IP addresses.
  • handled 18,642 sessions from 966 different IP addresses.
  • received 153,366 connections from at least 49,555 different IP addresses.
  • hit a highwater of 17 connections being checked at once.

Connection volume is up from last week, but session volume is down somewhat. That's got a simple meaning: more spammers being dumped at connection time. The per day table runs:

Day         Connections   different IPs
Sunday           21,525          +9,017
Monday           21,430          +7,776
Tuesday          27,890          +6,457
Wednesday        23,531          +5,822
Thursday         19,097          +6,309
Friday           19,609          +7,180
Saturday         20,284          +6,994

Conclusion: the spam attack from last week is continuing, with a spike Tuesday for some reason. It would be handy if the spammer show came with a program guide.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                      16183    730K
                       7320    365K
                       5531    287K
                       4599    234K
                       4123    247K
                       2699    162K
                       2255    113K
                       2247    114K
                       2112    101K
                       2042   98016

Continuing the trend from last week, libero.it and tin.it really tried to dump a lot of stuff on us (they're the top two entries on the list).

  • was blocked for hitting spamtraps and then keeping on sending us spammy-looking stuff.
  • is a San Salvador based IP address with bad reverse DNS.
  • returns from last week.
  • is a Comcast cablemodem, and is listed in a number of DNS blocklists (including bl.spamcop.net).

Connection time rejection stats:

  36261 total
  19955 dynamic IP
  11044 bad or no reverse DNS
   3677 class bl-cbl
    270 class bl-dsbl
    249 class bl-ordb
    232 class bl-sbl
    137 class bl-sdul
    105 class bl-njabl
     83 fairgamemail.us 
     67 class bl-spews
     22 class bl-opm

Unlike last week, this week fairgamemail.us is trying to spam us from two netblocks. They hit us from both and the new, under 'VX Commit, LLC', VX Comit LLC's entire /21 is in the SBL as SBL27197; according to the listing they are also known as '247 Surf Net'.

Out of the top 30 most rejected IP addresses, three were rejected 100 times or more. The most prolific was (in the SBL as part of SBL39167), rejected 139 times. Twelve of the top 30 are currently in the CBL, nine are currently in bl.spamcop.net, and only the one is currently in the SBL.

Other numbers:

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs             654               66           714               68
Bad bounces            98               81           108               85

I can take some comfort that these are low, and there are relatively few IP addresses involved. By this point, a certain number of bad bounces are probably just the inevitable background noise of the Internet, much like ssh brute force scans.

And finally the Hotmail numbers:

  • 12 messages accepted; shockingly, these were all legitimate.
  • 1 message rejected because it came from a non-Hotmail email address.
  • 19 messages sent to our spamtraps.
  • 13 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (2 for being in the SBL, 1 for being in the CBL, one from SAIX, one from Ghana).

The SBL rejections are for the same IP address, which is SBL33051. It was one of the ones that hit us last week, as recounted in my revised Hotmail stats. I'm not very happy that it can still spew advance fee fraud spam through Hotmail.

(Don't get too enthused at 12 legitimate emails from Hotmail; 11 of them were from one person.)

spam/SpamSummary-2006-04-01 written at 04:09:43