Wandering Thoughts archives

2006-04-02

Weekly spam summary on April 1st, 2006

Let's see what sort of April Fools joke the spammers have been having this week. This week, we:

  • got 14,298 messages from 221 different IP addresses.
  • handled 18,642 sessions from 966 different IP addresses.
  • received 153,366 connections from at least 49,555 different IP addresses.
  • hit a highwater of 17 connections being checked at once.

Connection volume is up from last week, but session volume is down somewhat. That's got a simple meaning: more spammers being dumped at connection time. The per day table runs:

Day Connections different IPs
Sunday 21,525 +9,017
Monday 21,430 +7,776
Tuesday 27,890 +6,457
Wednesday 23,531 +5,822
Thursday 19,097 +6,309
Friday 19,609 +7,180
Saturday 20,284 +6,994

Conclusion: the spam attack from last week is continuing, with a spike Tuesday for some reason. It would be handy if the spammer show came with a program guide.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
193.70.192.0/24       16183    730K
212.216.176.0/24       7320    365K
61.128.0.0/10          5531    287K
209.94.102.72          4599    234K
211.136.0.0/14         4123    247K
168.243.89.68          2699    162K
218.0.0.0/11           2255    113K
221.216.0.0/13         2247    114K
219.238.168.124        2112    101K
24.13.143.139          2042   98016

Continuing the trend from last week, libero.it and tin.it really tried to dump a lot of stuff on us (they're the top two entries on the list).

  • 209.94.102.72 was blocked for hitting spamtraps and then keeping on sending us spammy-looking stuff.
  • 168.243.89.68 is a San Salvador based IP address with bad reverse DNS.
  • 219.238.168.124 returns from last week.
  • 24.13.143.139 is a Comcast cablemodem, and is listed in a number of DNS blocklists (including bl.spamcop.net).

Connection time rejection stats:

  36261 total
  19955 dynamic IP
  11044 bad or no reverse DNS
   3677 class bl-cbl
    270 class bl-dsbl
    249 class bl-ordb
    232 class bl-sbl
    137 class bl-sdul
    105 class bl-njabl
     83 fairgamemail.us 
     67 class bl-spews
     38 SKYLIST INC 69.56.0.0/18
     22 class bl-opm

Unlike last week, this week fairgamemail.us is trying to spam us from two netblocks. They hit us from both 209.124.72.0/24 and the new 204.14.1.0/24, under 'VX Commit, LLC', 204.14.0.0/21. VX Comit LLC's entire /21 is in the SBL as SBL27197; according to the listing they are also known as '247 Surf Net'.

Out of the top 30 most rejected IP addresses, three were rejected 100 times or more. The most prolific was 64.71.157.243 (in the SBL as part of SBL39167), rejected 139 times. Twelve of the top 30 are currently in the CBL, nine are currently in bl.spamcop.net, and only the one is currently in the SBL.

Other numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 654 66 714 68
Bad bounces 98 81 108 85

I can take some comfort that these are low, and there are relatively few IP addresses involved. By this point, a certain amount of bad bounces are probably just the inevitable background noise of the Internet, much like ssh brute force scans.

And finally the Hotmail numbers:

  • 12 messages accepted; shockingly, these were all legitimate.
  • 1 message rejected because it came from a non-Hotmail email address.
  • 19 messages sent to our spamtraps.
  • 13 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (2 for being in the SBL, 1 for being in the CBL, one from SAIX, one from Ghana).

The SBL rejections are for the same IP address, 62.59.40.138, which is SBL33051. It was one of the ones that hit us last week, as recounted in my revised Hotmail stats. I'm not very happy that it can still spew advance fee fraud spam through Hotmail.

(Don't get too enthused at 12 legitimate emails from Hotmail; 11 of them were from one person.)

spam/SpamSummary-2006-04-01 written at 04:09:43;


Page tools: See As Normal.
Search:
Login: Password:

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.