Wandering Thoughts archives


Weekly spam summary on August 5th, 2006

This week, we:

  • got 12,245 messages from 230 different IP addresses.
  • handled 16,343 sessions from 801 different IP addresses.
  • received 141,499 connections from at least 42,169 different IP addresses.
  • hit a highwater of 7 connections being checked at once.

This is down slightly from last week. We will probably see variations in accepted messages all August, since this is both doldrums and panic time at universities. The per day figures:

Day Connections different IPs
Sunday 18,437 +6,800
Monday 23,100 +7,321
Tuesday 20,005 +6,048
Wednesday 19,753 +5,055
Thursday 21,940 +6,772
Friday 24,820 +6,628
Saturday 13,444 +3,545

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes         14645    745K           6550    341K         5705    254K          3219    159K         2743    138K       2542    128K          2375    119K         2208    106K           2199    110K          2148    108K

The top is up a lot but the rest is down a bit from last week.

  • and are APNIC IP addresses with no reverse DNS; the former in Australia, the latter in Vietnam (and on bl.spamcop.net).
  • (bad HELO), (bad reverse DNS), and (bad HELO) return from last week.

Connection time rejection stats:

  34294 total
  17031 dynamic IP
  13730 bad or no reverse DNS
   2243 class bl-cbl
    251 class bl-njabl
    190 class bl-sdul
    105 class bl-sbl
    102 class bl-ordb
     97 class bl-spews
     61 class bl-dsbl

Out of the 30 most rejected IP addresses, 3 were rejected more than 100 times; (763 times, charter.com cablemodem, on the CBL et al), (195 times), and (129 times, Hong Kong with no reverse DNS, on the CBL et al). 16 of the top 30 are currently in the CBL, and 8 are currently in bl.spamcop.net.

Hotmail has slightly improved from last week:

  • no messages accepted.
  • 6 messages rejected because they came from non-Hotmail email addresses.
  • 11 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • no messages refused due to their origin IP address.

As with last week, all of the 'non-Hotmail email addresses' are other Hotmail properties. While less suggestive than last week's, none of the usernames fill me with great joy and confidence that they are real people (or at least real people located somewhere besides a Nigerian cybercafe).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 474 42 528 44
Bad bounces 28 25 38 26

This week, there are no really outstanding sources of bad HELO names (and, since I have looked, no really hysterically absurd ones either).

Bad bounce destinations are much like last week, and just like last week the spammer using the 38-character hex strings seems to have stayed gone. I have to confess I sort of miss them; they injected a certain dose of surreality into the proceedings.

spam/SpamSummary-2006-08-05 written at 23:00:40; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.