Weekly spam summary on April 1st, 2006
Let's see what sort of April Fools joke the spammers have been having this week. This week, we:
- got 14,298 messages from 221 different IP addresses.
- handled 18,642 sessions from 966 different IP addresses.
- received 153,366 connections from at least 49,555 different IP addresses.
- hit a highwater of 17 connections being checked at once.
Connection volume is up from last week, but session volume is down somewhat. That's got a simple meaning: more spammers being dumped at connection time. The per day table runs:
Conclusion: the spam attack from last week is continuing, with a spike Tuesday for some reason. It would be handy if the spammer show came with a program guide.
Kernel level packet filtering top ten:
|Host/Mask||Packets||Bytes|
|188.8.131.52/24||16183||730K|
|184.108.40.206/24||7320||365K|
|220.127.116.11/10||5531||287K|
|18.104.22.168||4599||234K|
|22.214.171.124/14||4123||247K|
|126.96.36.199||2699||162K|
|188.8.131.52/11||2255||113K|
|184.108.40.206/13||2247||114K|
|220.127.116.11||2112||101K|
|18.104.22.168||2042||98016|
Continuing the trend from last week,
really tried to dump a lot of stuff on us (they're the top two entries on the list).
- 22.214.171.124 was blocked for hitting spamtraps and then keeping on sending us spammy-looking stuff.
- 126.96.36.199 is a San Salvador based IP address with bad reverse DNS.
- 188.8.131.52 returns from last week.
- 184.108.40.206 is a Comcast cablemodem, and is listed in a number of DNS blocklists (including
Connection time rejection stats:
|36261||total|
|19955||dynamic IP|
|11044||bad or no reverse DNS|
|3677||class bl-cbl|
|270||class bl-dsbl|
|249||class bl-ordb|
|232||class bl-sbl|
|137||class bl-sdul|
|105||class bl-njabl|
|83||fairgamemail.us|
|67||class bl-spews|
|38||SKYLIST INC 220.127.116.11/18|
|22||class bl-opm|
Unlike last week, this week fairgamemail.us is trying to spam us from two netblocks. They hit us from both 18.104.22.168/24 and the new 22.214.171.124/24, under 'VX Commit, LLC', 126.96.36.199/21. VX Comit LLC's entire /21 is in the SBL as SBL27197; according to the listing they are also known as '247 Surf Net'.
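The rejection stats above are produced by classifying every connection that gets turned away at connect time into exactly one reason (dynamic IP, bad or no reverse DNS, or the first DNS blocklist that listed it) and tallying. The following is an added example, not code from this blog or from its mail system, that does the same classification over a handful of constructed log lines. The log line format, the `fcrdns=` field (whether the reverse name resolved back to the connecting address) and the hostname tokens used to spot dynamic pools are all assumptions made for the example; the category names are the ones used in the table.

```python
"""Tally connection-time rejections by reason, in the style of the weekly summary.

Added example; the log format below is an assumption, not any real MTA's output.
Each rejected connection is counted once, under the first reason that matches,
so the per-reason counts add up to the total.
"""
import re
from collections import Counter

# Constructed sample log (not from the page). Assumed format:
# "<date> <time> <verdict> ip=<addr> rdns=<hostname|none> fcrdns=<yes|no> bl=<list,...>"
SAMPLE_LOG = """\
Apr  1 00:01:02 reject ip=203.0.113.10 rdns=none fcrdns=no bl=
Apr  1 00:01:07 reject ip=203.0.113.11 rdns=c-203-0-113-11.hsd1.example.net fcrdns=yes bl=
Apr  1 00:02:13 reject ip=198.51.100.7 rdns=mail.example.org fcrdns=yes bl=cbl
Apr  1 00:02:19 reject ip=198.51.100.8 rdns=mail.example.org fcrdns=no bl=
Apr  1 00:03:44 reject ip=192.0.2.200 rdns=dsl-192-0-2-200.pool.example.com fcrdns=yes bl=cbl,sbl
Apr  1 00:04:00 accept ip=198.51.100.9 rdns=relay.example.org fcrdns=yes bl=
Apr  1 00:04:31 reject ip=192.0.2.201 rdns=static.example.net fcrdns=yes bl=sbl
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<verdict>reject|accept) "
    r"ip=(?P<ip>\S+) rdns=(?P<rdns>\S+) fcrdns=(?P<fcrdns>yes|no) bl=(?P<bl>\S*)$"
)

# Heuristic (assumed) hostname tokens that consumer/dynamic address pools often carry.
DYNAMIC_TOKENS = re.compile(r"(?:^|[-.])(?:dsl|cable|dyn[a-z]*|pool|ppp|dhcp|dial)(?:[-.]|$)")


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bl"] = [b for b in rec["bl"].split(",") if b]
    rec["rdns"] = None if rec["rdns"] == "none" else rec["rdns"].lower()
    return rec


def looks_dynamic(ip, host):
    """Does the reverse name look like a generic dynamic-pool name for this address?"""
    if host is None:
        return False
    if DYNAMIC_TOKENS.search(host):
        return True
    octets = ip.split(".")
    # Address embedded in the hostname, forward or reversed, e.g. c-203-0-113-11.hsd1...
    for seq in (octets, octets[::-1]):
        pat = r"(?<!\d)" + r"[-.]".join(map(re.escape, seq)) + r"(?!\d)"
        if re.search(pat, host):
            return True
    return False


def classify(rec):
    """Pick the single reason a rejected connection is tallied under."""
    if looks_dynamic(rec["ip"], rec["rdns"]):
        return "dynamic IP"
    # No reverse name, or a reverse name that does not resolve back to the address.
    if rec["rdns"] is None or rec["fcrdns"] == "no":
        return "bad or no reverse DNS"
    if rec["bl"]:
        return "class bl-" + rec["bl"][0]
    return "other"


def tally(log_text):
    """Count rejected connections in total and per reason; accepted lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "reject":
            continue
        counts["total"] += 1
        counts[classify(rec)] += 1
    return counts


def format_report(counts):
    """Render the 'count reason' layout of the weekly summary, total first."""
    rows = [("total", counts["total"])]
    rows += sorted(((k, v) for k, v in counts.items() if k != "total"),
                   key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"{n:>6} {reason}" for reason, n in rows)


if __name__ == "__main__":
    print(format_report(tally(SAMPLE_LOG)))
```

Classification order matters: a connection from a dynamic pool that is also CBL-listed is counted as "dynamic IP", not "class bl-cbl", which is why the blocklist rows in a table like the one above undercount how many of the rejected hosts were actually listed.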
Out of the top 30 most rejected IP addresses, three were rejected 100 times or more. The most prolific was 188.8.131.52 (in the SBL as part of SBL39167), rejected 139 times. Twelve of the top 30 are currently in the CBL, nine are currently in bl.spamcop.net, and only the one is currently in the SBL.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
I can take some comfort that these are low, and there are relatively few IP addresses involved. By this point, a certain number of bad bounces are probably just the inevitable background noise of the Internet, much like ssh brute force scans.
And finally the Hotmail numbers:
- 12 messages accepted; shockingly, these were all legitimate.
- 1 message rejected because it came from a non-Hotmail email address.
- 19 messages sent to our spamtraps.
- 13 messages refused because their sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (2 for being in the SBL, 1 for being in the CBL, 1 from SAIX, 1 from Ghana).
The SBL rejections are for the same IP address, 184.108.40.206, which is SBL33051. It was one of the ones that hit us last week, as recounted in my revised Hotmail stats. I'm not very happy that it can still spew advance fee fraud spam through Hotmail.
(Don't get too enthused at 12 legitimate emails from Hotmail; 11 of them were from one person.)