2006-07-09
Weekly spam summary on July 8th, 2006
This week, we:
- got 13,932 messages from 204 different IP addresses.
- handled 17,417 sessions from 865 different IP addresses.
- received 161,727 connections from at least 52,444 different IP addresses.
- hit a highwater of 50 connections being checked at once (hit on Friday).
This is about the same as last week, allowing for random variation. The per day table is mostly but not entirely flat, so I'm going to include it:
| Day | Connections | different IPs |
| --- | --- | --- |
| Sunday | 20,708 | +8,590 |
| Monday | 24,100 | +6,710 |
| Tuesday | 23,664 | +7,986 |
| Wednesday | 27,001 | +9,007 |
| Thursday | 22,281 | +6,807 |
| Friday | 25,757 | +7,995 |
| Saturday | 18,216 | +5,349 |
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| --- | --- | --- |
| 218.0.0.0/11 | 9919 | 485K |
| 61.128.0.0/10 | 7007 | 367K |
| 213.4.149.12 | 6328 | 329K |
| 69.64.10.246 | 5037 | 235K |
| 217.13.17.73 | 4932 | 237K |
| 218.254.82.97 | 4189 | 201K |
| 62.2.90.42 | 4155 | 201K |
| 212.216.176.0/24 | 4030 | 203K |
| 217.57.24.82 | 3774 | 181K |
| 220.160.0.0/11 | 3680 | 182K |
Volume is down from last week, only partly because the two big point sources went away, and this week the top two spots are claimed by Chinese netblocks instead of individual IP addresses.
- 213.4.149.12 returns from last week, still with a bad HELO name.
- 217.13.17.73 and 217.57.24.82 also have bad HELO names.
- 69.64.10.246 was listed in the NJABL (but no longer is).
- 218.254.82.97, a very active hkcable.com.hk cablemodem, returns from last week.
- 62.2.90.42 is listed in the SORBS DUL list (and is currently in bl.spamcop.net).
Connection time rejection stats:
| Rejections | Reason |
| --- | --- |
| 55159 | total |
| 29576 | dynamic IP |
| 21628 | bad or no reverse DNS |
| 2631 | class bl-cbl |
| 230 | class bl-njabl |
| 154 | class bl-sdul |
| 135 | class bl-spews |
| 124 | class bl-sbl |
| 87 | class bl-dsbl |
| 10 | class bl-ordb |
This is a striking jump up from last week for only a relatively moderate increase in overall connection volume. I suspect that spammers may be having their zombies get more persistent to overcome greylisting; oh well, very little lasts forever in the antispam world.
All 30 of the 30 most rejected IP addresses were rejected more than a hundred times; the champion is 218.254.82.97, with 1247 rejections, and with this latest episode it's now earned a permanent place in our kernel IP filters. 27 of the 30 are currently in the CBL, and six are in bl.spamcop.net.
Hotmail had a so-so week, and I've discovered that some of my past stats around the start of each month may have been inaccurate. This week's numbers:
- no messages accepted.
- 4 messages rejected because they came from non-Hotmail email addresses.
- 14 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address.
That's a lot of mail to our spamtraps, and I'm not too happy about it. Hotmail may be stopping spammers relatively fast, but it's clearly letting them send some spam to start with.
And the closing numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| --- | --- | --- | --- | --- |
| Bad HELOs | 608 | 56 | 193 | 45 |
| Bad bounces | 88 | 62 | 23 | 18 |
Both of these are up significantly from last week, and I suspect that it's the same root cause: spammers are forging us on their spam more actively. There is no single source of bad HELOs that stands out a lot (the winner is 198.145.214.166 aka 'pascor01.Pascor.local', but with only 85 rejections).
This week sees a new 38-character hex-digit username appear in the bad bounces, 8B407639D45C5742ADD3987F7E013C41178B66. Apart from that, there's a lot more variety this week, with 54 different usernames ranging from long-dead accounts to plausible accounts to random alphanumeric sequences like 'zfqbxbgm330'; the random alphanumerics are the predominant group. Interestingly, the only all-digit username this week was '0'.
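As an added illustration (not part of the original post or its mail system), here is one way to bucket bad-bounce recipient usernames into the coarse categories the post describes: all-digit, long hex string, random-looking alphanumeric, and plausible account name. The vowel-ratio threshold and the 32-character hex minimum are my own assumptions, and the sample list is constructed from the three usernames quoted above plus invented ones.

```python
import re
from collections import Counter

# Constructed sample of bounce-target usernames: the three quoted in the
# post plus three invented ones to exercise every category.
SAMPLE_USERNAMES = [
    "8B407639D45C5742ADD3987F7E013C41178B66",  # 38 hex digits (from the post)
    "zfqbxbgm330",   # random alphanumeric (from the post)
    "0",             # all digits (from the post)
    "webmaster",     # constructed: plausible account name
    "qxzvrtk",       # constructed: consonant soup, no digits
    "postmaster",    # constructed: plausible account name
]

HEX_RE = re.compile(r"[0-9A-Fa-f]+")
MIN_HEX_LEN = 32       # assumption: shorter hex runs could be real names
MIN_VOWEL_RATIO = 0.25  # assumption: real words rarely fall below this


def classify_username(name: str) -> str:
    """Return one of: all-digit, hex-string, random-alphanumeric, plausible."""
    if name.isdigit():
        return "all-digit"
    if len(name) >= MIN_HEX_LEN and HEX_RE.fullmatch(name):
        return "hex-string"
    letters = [c for c in name.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    # Heuristic: machine-generated local parts tend to be vowel-poor,
    # whereas real account names and words usually are not.
    if letters and vowels / len(letters) < MIN_VOWEL_RATIO:
        return "random-alphanumeric"
    return "plausible"


def tally_categories(names):
    """Count how many usernames fall into each category."""
    return Counter(classify_username(n) for n in names)


if __name__ == "__main__":
    for category, count in sorted(tally_categories(SAMPLE_USERNAMES).items()):
        print(f"{count:3d}  {category}")
```

Run against a week's worth of rejected bounce recipients, the tally makes the "random alphanumerics predominate" observation checkable rather than eyeballed.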