Wandering Thoughts archives

2006-04-16

Weekly spam summary on April 15th, 2006

This week, we:

  • got 12,120 messages from 254 different IP addresses.
  • handled 17,527 sessions from 926 different IP addresses.
  • received 119,314 connections from at least 38,574 different IP addresses.
  • hit a highwater of 17 connections being checked at once.

Volume is way down from last week; in fact it's back to the level I consider fairly quiet (although this volume still has a lot of spam in it). The per day table is not too interesting, except that it shows that last week's Saturday was clearly just the tail off of the huge Friday spike:

Day         Connections   different IPs
Sunday           17,719          +7,170
Monday           23,928          +6,979
Tuesday          17,543          +5,988
Wednesday        15,999          +4,026
Thursday         14,410          +4,495
Friday           15,791          +5,077
Saturday         13,924          +4,839

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
193.70.192.0/24       19724    889K
204.2.106.228          5040    249K
212.216.176.0/24       4805    241K
61.128.0.0/10          4609    245K
80.25.131.71           4159    235K
222.146.58.254         3225    159K
80.190.233.48          2801    168K
68.167.80.52           2723    127K
80.37.150.139          2395    144K
218.0.0.0/11           2243    116K

This is a lot like last week, with the exception that iol.it's and libero.it's mail servers in 193.70.192.0/24 seem to be trying very hard to win some sort of dubious prize. (Based on spam I got on other machines this week, I suspect it's mostly libero.it.)

  • 204.2.106.228 and 222.146.58.254 repeatedly tried to send us 'phish' spam.
  • 80.25.131.71 reappears from last week. It's still a rima-tde.net dialup-oid machine with a far too generic DNS name. This week it got itself into the SBL for being a phish source, as SBL40228.
  • 80.37.150.139 is another generic dialup-oid rima-tde.net machine.
  • 80.190.233.48 hasn't improved their DNS from the last time we saw them.
  • 68.167.80.52 is a 'dialup' covad.net machine, with a generic DNS name.

Connection time rejection stats:

  29379 total
  13606 dynamic IP
  12012 bad or no reverse DNS
   2556 class bl-cbl
    144 class bl-dsbl
    134 class bl-sdul
    127 class bl-ordb
    101 class bl-sbl
     50 class bl-njabl
     43 class bl-spews
      8 class bl-opm

Finally, Skylist Inc hosted people have gotten the hint and gone away, although they were pretty quiet last week too. I'm a bit surprised that the 'dynamic IP' category has dropped significantly, almost level with bad/missing reverse DNS.

Out of the top 30 most rejected IP addresses, only one tried it more than 100 times: 83.9.215.189, an adsl.tpnet.pl machine, tried 141 times. Fifteen of the top 30 are currently in the CBL (including 83.9.215.189), eight are currently in bl.spamcop.net, and one is in the SBL (our friend 80.25.131.71, in SBL40228).

The Hotmail numbers are even better than last week, and I've read reports in NANAE from other people that have been seeing the same thing. At this rate I may have to drop this report because it's too boring. This week:

  • 14 messages accepted, from a wide variety of addresses this time around because we had a system event that led to quite a few students emailing us.
  • 2 messages rejected because they came from non-Hotmail email addresses.
  • no messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one in the CBL, one from Gilat Satcom).

Of course, Hotmail's problems are not over, seeing as how one of the rejected emails was from a user called 'masmegamilottery9'. Um, Hotmail, are you paying attention here?

And the final set of numbers:

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs             709               63           872               79
Bad bounces            70               53            92               66

I could be optimistic about a slight drop, but why bother? I'd just have to be gloomy next week (or the week after, or whenever).

spam/SpamSummary-2006-04-15 written at 02:41:39;

