2006-06-25
Weekly spam summary on June 24th, 2006
This week, we:
- got 13,681 messages from 253 different IP addresses.
- handled 18,870 sessions from 835 different IP addresses.
- received 303,478 connections from at least 47,309 different IP addresses.
- hit a highwater of 7 connections being checked at once.
Connection volume is majorly up from last week; other numbers are up slightly, except the highwater (which is down). The per day table:
Day | Connections | different IPs |
Sunday | 63,522 | +7,971 |
Monday | 143,435 | +6,640 |
Tuesday | 21,068 | +6,387 |
Wednesday | 21,889 | +7,733 |
Thursday | 21,137 | +6,998 |
Friday | 17,960 | +6,695 |
Saturday | 14,467 | +4,885 |
The spam storm from last Saturday evidently continued through Sunday and Monday, although apparently not from all that many IP addresses.
Kernel level packet filtering top ten:
Host/Mask | Packets | Bytes |
204.202.15.180 | 11580 | 571K |
199.239.233.177 | 8647 | 427K |
198.66.222.20 | 8280 | 408K |
61.128.0.0/10 | 5559 | 277K |
218.0.0.0/11 | 5172 | 257K |
212.216.176.0/24 | 4954 | 249K |
204.202.9.161 | 4556 | 225K |
70.229.186.3 | 4259 | 199K |
220.160.0.0/11 | 3687 | 182K |
219.128.0.0/12 | 2823 | 140K |
This is down from the levels of last week, especially at the top of the table.
- 204.202.15.180, 199.239.233.177, 198.66.222.20, and 204.202.9.161 all reappear from last week, and were again blocked for repeatedly trying to send us stuff that had already hit our spamtraps.
- 70.229.186.3 is an Ameritech ADSL customer who appears to be running a Microsoft mailer with an internal hostname that wouldn't have gotten past our HELO name checks anyways.
Connection time rejection stats:
Rejections | Reason |
34428 | total |
16667 | bad or no reverse DNS |
14647 | dynamic IP |
1785 | class bl-cbl |
162 | class bl-dsbl |
147 | class bl-spews |
135 | class bl-sbl |
124 | class bl-njabl |
70 | class bl-sdul |
36 | class bl-ordb |
Given the connection volume jump this week, it's surprising that all of these stats are lower than last week. I can only guess that a lot of IP addresses didn't make it through our greylisting or something.
Twelve of the top 30 most rejected IP addresses were rejected more than 100 times, but only one (218.254.82.97, at 1210 rejections) hit the heights of activity seen last week. 22 are currently in the CBL, 7 are currently in bl.spamcop.net, and one is in the SBL.
Of course the one listing is 222.252.173.9, part of SBL39408, which is a /15 listing for a major Vietnamese network area that is apparently full of spam sources and has been listed since April 10th. (It came up here back in May.)
Out of curiosity I looked at the most 'popular' SBL listings:
rejections | SBL listing | since when | why |
74 | SBL38558 | 02-Mar-2006 | datanetmedia.com / prospermedia.com (QWest) |
25 | SBL42599 | 28-May-2006 | random spammer in HE.NET |
9 | SBL41338 | 04-May-2006 | Russian spam source (okclub.org) |
9 | SBL41015 | 27-Apr-2006 | phish source |
6 | SBL43251 | 10-Jun-2006 | spam haven in HE.NET |
I have to say that this doesn't look too good for HE.NET. Or QWest. It's kind of sad that some of our most active SBL-rejected spam sources are in the United States, connected by major ISPs.
Hotmail is looking better this week:
- no messages accepted.
- 1 message rejected because it came from a non-Hotmail email address.
- 7 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address.
And the closing numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 420 | 48 | 375 | 54 |
Bad bounces | 18 | 17 | 25 | 13 |
The most prolific source of bad HELO names this week was 68.88.211.161 (claiming to be 'maplehill.MHCM.local'), which failed to take the hint 139 times; unfortunately this is common behavior for the Microsoft mailer that it seems to run.
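The post mentions HELO name checks twice (the 70.229.186.3 entry above and the 'maplehill.MHCM.local' case here) without spelling out what they test. As an added illustration, not the post's own code nor a description of the author's actual checks, here is one plausible set of HELO sanity rules and a tally in the shape the summary reports. The private-suffix list, the server's own names (`mail.example.org`, `example.org`) and all sample events other than the 68.88.211.161 name are assumptions constructed for this example.

```python
import ipaddress
import re

# Domain suffixes that only mean something on a LAN. The post says only that a
# host announced an "internal hostname"; this list is an assumption of this example.
PRIVATE_SUFFIXES = (".local", ".localdomain", ".lan", ".internal", ".home", ".corp")

# Names this server itself answers to (constructed sample values). A remote
# host claiming one of them is misrepresenting itself.
OUR_NAMES = {"mail.example.org", "example.org"}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, <= 63 chars.
# Names are lowercased before matching, so [a-z] is enough.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def helo_problem(helo):
    """Return None if the HELO/EHLO argument looks acceptable, else a short reason."""
    name = helo.strip()
    if not name:
        return "empty"
    # RFC 5321 permits an address literal in brackets, e.g. [192.0.2.10].
    if name.startswith("[") and name.endswith("]"):
        try:
            ipaddress.ip_address(name[1:-1])
        except ValueError:
            return "malformed address literal"
        return None
    # A bare IP address without brackets is not a valid HELO argument.
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass
    else:
        return "bare IP address"
    lower = name.lower().rstrip(".")
    if lower in OUR_NAMES:
        return "claims to be us"
    if "." not in lower:
        return "unqualified name"
    if lower.endswith(PRIVATE_SUFFIXES):
        return "internal-only domain suffix"
    if any(LABEL_RE.match(label) is None for label in lower.split(".")):
        return "syntactically invalid hostname"
    return None


def tally_bad_helos(events):
    """Count rejections per (client IP, HELO name) over (ip, helo) pairs.

    Returns {(ip, helo): (count, reason)} for rejected names only, which is the
    'most prolific source of bad HELO names' view the weekly summary gives.
    """
    counts = {}
    for ip, helo in events:
        reason = helo_problem(helo)
        if reason is None:
            continue
        n, _ = counts.get((ip, helo), (0, reason))
        counts[(ip, helo)] = (n + 1, reason)
    return counts


# Constructed sample of HELO attempts (IP, name); only the 68.88.211.161 name
# comes from the post, the rest are made up for this example.
SAMPLE_EVENTS = [
    ("68.88.211.161", "maplehill.MHCM.local"),
    ("68.88.211.161", "maplehill.MHCM.local"),
    ("198.51.100.7", "mail.example.com"),
    ("198.51.100.9", "192.0.2.10"),
    ("198.51.100.9", "[192.0.2.10]"),
    ("203.0.113.4", "WORKSTATION"),
    ("203.0.113.5", "mail.example.org"),
]

if __name__ == "__main__":
    for (ip, helo), (n, reason) in sorted(tally_bad_helos(SAMPLE_EVENTS).items(),
                                          key=lambda kv: -kv[1][0]):
        print(f"{ip:16} {helo:24} {n:4} ({reason})")
```

A check like this only needs the HELO argument and the client IP, so it can run before any DNS or DNSBL lookup; the cost is that a legitimate but badly configured internal mailer will be refused on every attempt, which is exactly the repeated-rejection pattern the summary reports.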
We saw bad bounces to both 38-character hex strings from before, as well as to the usual suspects: plausible real users (including 'webmaster' and 'noreply'), a random alphanumeric string, and three all-numeric usernames.
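The "bad bounces" line counts null-sender (MAIL FROM:<>) messages aimed at local addresses that never existed here, sorted into the categories the paragraph names. As an added example, not the post's own code, here is a classifier that makes that decision at SMTP time and tallies the categories; the set of real local users, the sample envelopes and the heuristics separating "random alphanumeric" from "plausible real user" are assumptions constructed for this example.

```python
import re

# Constructed sample of local users that really exist on this mail server.
LOCAL_USERS = {"cks", "postmaster", "abuse"}

# The 38-character hex strings the summary keeps seeing as bounce targets.
HEX38_RE = re.compile(r"^[0-9a-f]{38}$")


def bounce_category(local_part, local_users=LOCAL_USERS):
    """Classify the recipient local part of a null-sender (bounce) message.

    Returns "ok" for a real user, otherwise a label for the kind of forged
    address the bounce was aimed at. The labels follow the weekly summary;
    the heuristics themselves are assumptions of this example.
    """
    lp = local_part.strip().lower()
    if lp in local_users:
        return "ok"
    if HEX38_RE.match(lp):
        return "38-char hex string"
    if lp.isdigit():
        return "all-numeric"
    has_digit = any(c.isdigit() for c in lp)
    has_alpha = any(c.isalpha() for c in lp)
    if has_digit and has_alpha:
        return "random alphanumeric"
    return "plausible real user"


def bounce_decision(mail_from, rcpt_to, local_users=LOCAL_USERS):
    """SMTP-level decision for one envelope: 'accept' or a reject reason.

    Only the null sender is treated as a bounce; ordinary mail to an unknown
    user is left to the normal recipient check, so this function accepts it.
    """
    if mail_from not in ("", "<>"):
        return "accept"
    local_part = rcpt_to.partition("@")[0]
    cat = bounce_category(local_part, local_users)
    if cat == "ok":
        return "accept"
    return f"reject: bounce to {cat}"


def tally(envelopes, local_users=LOCAL_USERS):
    """Count bad-bounce categories over (mail_from, rcpt_to) pairs."""
    counts = {}
    for mail_from, rcpt_to in envelopes:
        if mail_from not in ("", "<>"):
            continue
        cat = bounce_category(rcpt_to.partition("@")[0], local_users)
        if cat != "ok":
            counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample envelopes (sender, recipient) for an offline run.
SAMPLE = [
    ("<>", "cks@example.org"),
    ("<>", "0123456789abcdef0123456789abcdef012345@example.org"),
    ("<>", "webmaster@example.org"),
    ("<>", "noreply@example.org"),
    ("<>", "qx7k2m9p@example.org"),
    ("<>", "48213@example.org"),
    ("sender@example.net", "nobody@example.org"),
]

if __name__ == "__main__":
    for mf, rt in SAMPLE:
        print(f"{rt:52} -> {bounce_decision(mf, rt)}")
    print(tally(SAMPLE))
```

Refusing these at RCPT time rather than accepting and discarding them keeps the backscatter off disk and, as a side effect, produces the per-IP counts in the closing table, since every refused bounce is logged with the connecting address.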