
2006-06-04

Weekly spam summary on June 3rd, 2006

This week, we:

  • got 11,560 messages from 225 different IP addresses.
  • handled 16,969 sessions from 1005 different IP addresses.
  • received 135,139 connections from at least 46,180 different IP addresses.
  • hit a high-water mark of 12 connections being checked at once.

Apart from slightly higher numbers of IP addresses talking to us this week, this is a clone of last week's numbers. Since the per-day volume fluctuated, I'll include the table this week:

Day          Connections   different IPs
Sunday            14,968          +6,360
Monday            22,460          +6,890
Tuesday           20,133          +6,642
Wednesday         21,142          +7,553
Thursday          17,879          +5,624
Friday            20,882          +7,370
Saturday          17,675          +5,741

This isn't a major fluctuation as those go; clearly things are a bit random. (Perhaps one day I will add deliveries by day to this table, although it's harder to construct.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
65.126.217.71         17288    879K
218.254.83.47          7490    360K
66.58.176.187          5555    283K
198.187.200.0/24       5080    305K
61.128.0.0/10          4282    214K
218.0.0.0/11           4014    200K
212.216.176.0/24       3588    183K
220.160.0.0/11         3413    171K
213.177.135.32         2800    134K
63.252.170.25          2629    123K

Overall this seems quieter than last week, although there's one obvious huge exception.

  • 65.126.217.71 is a QWEST IP address that kept HELO'ing as 'yinyang', with no domain name or anything. Declined.
  • 218.254.83.47 and 66.58.176.187 return from last week, evidently still not done yet.
  • 213.177.135.32 and 63.252.170.25 are CBL-listed and gave us bad HELO names on top of it.

198.187.200.0/24 is an outdated and now erroneous listing that I only just noticed. Whoops. (See, there's more than one reason for me to do these summaries. Finding such outdated listings is one of those generic problems, partly because I never built an infrastructure to manage it all when I set these things up.)

Connection time rejection stats:

  44525 total
  21085 bad or no reverse DNS
  19378 dynamic IP
   2400 class bl-cbl
    322 class bl-sdul
    233 class bl-dsbl
    153 class bl-spews
    142 class bl-sbl
    131 class bl-njabl
     68 class bl-ordb

Rejections are up on last week, and more than I'd expect from the slight overall traffic growth. 24 of the top 30 most rejected IP addresses had more than 100 rejections, with the champion being 64.191.63.117 (382 times); our friend 218.254.83.47 is the runner up with 379 rejections. 24 of the top 30 are currently in the CBL and 10 are currently in bl.spamcop.net.
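The rejection stats above are the kind of per-class and per-IP tally that falls out of a reject log. The following is an added example (not the author's own tooling, and not his real log format) that builds those tallies from a few constructed log lines in a hypothetical `<timestamp> reject <ip> <reason>` format, reports the top-N most rejected IPs and how many of them exceed a threshold, and constructs the reversed-octet query name used to check an IP against a DNSBL zone such as bl.spamcop.net (the name is only built here, not looked up, so the example runs offline):

```python
"""Summarise connection-time rejections from constructed mail-server log lines."""
import re
from collections import Counter

# Constructed sample log lines in a hypothetical format (not real logs):
# "<timestamp> reject <ip> <reason>"
SAMPLE_LOG = """\
2006-06-01T10:00:01 reject 64.191.63.117 dynamic-ip
2006-06-01T10:00:05 reject 64.191.63.117 dynamic-ip
2006-06-01T10:01:12 reject 218.254.83.47 no-reverse-dns
2006-06-01T10:02:40 reject 218.254.83.47 bl-cbl
2006-06-01T10:03:03 reject 192.0.2.10 bl-sbl
2006-06-01T10:04:17 reject 198.51.100.7 bad-reverse-dns
2006-06-01T10:05:22 reject 64.191.63.117 bl-cbl
"""

LINE_RE = re.compile(r"^(\S+) reject (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")


def parse_rejects(text):
    """Yield (ip, reason) for each well-formed reject line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3)


def summarise(text):
    """Return (per-reason counts, per-ip counts), like the rejection stats table."""
    by_reason = Counter()
    by_ip = Counter()
    for ip, reason in parse_rejects(text):
        by_reason[reason] += 1
        by_ip[ip] += 1
    return by_reason, by_ip


def top_rejected(by_ip, n=30, threshold=100):
    """Top-n IPs by rejection count, plus how many of them exceed `threshold`."""
    top = by_ip.most_common(n)
    heavy = sum(1 for _, count in top if count > threshold)
    return top, heavy


def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Build the DNSBL lookup name for an IPv4 address: octets reversed, zone appended.

    A listed address answers with an A record in 127.0.0.0/8; this function only
    constructs the name and performs no DNS query.
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    reasons, ips = summarise(SAMPLE_LOG)
    for reason, count in reasons.most_common():
        print("%6d %s" % (count, reason))
    top, heavy = top_rejected(ips, n=3, threshold=2)
    print("top IPs:", top, "| more than 2 rejections:", heavy)
    print("DNSBL name:", dnsbl_query_name(top[0][0]))
```

The regex deliberately drops lines that do not match, so a stray or truncated log line skews nothing; the summary functions return plain `Counter` objects so the same code can feed a weekly table or a quick sort by IP.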

Hotmail stats are low but not groovy:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 10 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 1 message refused due to its origin IP address being part of Gilat-Satcom.

Meanwhile Yahoo continues to slap us with the spam trout, although I have yet to write a script to generate numbers for how badly.

The last set of numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             288              69          462              64
Bad bounces            27              23           18              16

Once again there were several bounces to our friend the 38-digit hex string, plus to a number of real (ex) usernames, plus random ones. The new pattern this week is bounces to all-digit usernames of various lengths, ranging from 03 to 41291175.

spam/SpamSummary-2006-06-03 written at 02:14:26
