Wandering Thoughts archives


Weekly spam summary on September 16th, 2006

The SMTP frontend keeled over and was restarted around 6am on Tuesday morning, so some of the statistics are from then. Given that, this week we:

  • got 15,257 messages from 210 different IP addresses.
  • handled 17,165 sessions from 837 different IP addresses.
  • received 101,830 connections from at least 26,869 different IP addresses since Tuesday at 6am.
  • hit a highwater of 7 connections being checked at once since Tuesday at 6am.

It looks like the total connection count for this week is about 140,000 or so, which would make the total volume slightly down from last week. The per-day stats don't make for a useful table, but look about flat.

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
                        45463   2364K
                        10886    653K
                         6575    395K
                         5616    337K
                         5221    261K
                         4451    217K
                         3223    163K
                         2664    120K
                         2385    124K
                         2262    109K

Apart from the one major outlier, the volume here is pretty similar to last week.

  •, mailhost.terra.es, HELO'ing as the nonexistent and nonsensical hostname 'ctsmtpout1.frontal.correo', reappears from last week in a huge way. It has now earned a place in our permanent blocks.
  • and also got blocked for repeated bad HELO greetings.
  • was blocked because it kept trying to send us stuff that had hit our spamtraps, in particular email with a MAIL FROM pointing to the domain 'opinionplus.ca'.
  • was blocked for being in the CBL, but an inspection of its hostname shows that it's a dynamic telecomitalia.it address (and is listed in dialups.visi.com, a DNSbl I may need to consider using).
  • and were also blocked for hitting spamtraps and keeping on sending. The presence of is especially impressive because it only started hitting us yesterday (Friday).

Connection time rejection stats:

  27768 total
  13469 dynamic IP
  11422 bad or no reverse DNS
   1403 class bl-cbl
    395 class bl-dsbl
    221 class bl-sdul
    192 class bl-njabl
    146 class bl-sbl
    145 class bl-ordb
     34 class bl-spews

Five out of the top 30 most rejected IP addresses were rejected 100 times or more, with this week's champion being (417 times, rejected for being a PacBell ADSL line). 19 of the top 30 are currently in the CBL, 8 are currently in bl.spamcop.net, and one, our friend from Cutting Edge Media, is in SBL45150.

This ongoing persistence from Cutting Edge Media has now earned them a permanent personal block. (I'm tempted to make it a kernel level block, but I'm refraining for now.)

The Hotmail stats got worse from last week:

  • 4 messages accepted, at least one of which was legitimate.
  • 2 messages rejected because they came from non-Hotmail email addresses, both times from msn.com users.
  • 40 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in SBL27471.

I remain unimpressed with Hotmail, not that this is exactly news.

And the final numbers:

  what          # this week   (distinct IPs)   # last week   (distinct IPs)
  Bad HELOs             264               42           593               80
  Bad bounces            57               51           101               91

My biggest reaction is that this is a pleasant decline from last week, although I'm not going to hold my breath for the trend to continue. Bounces to 38-character hex string login names have gone back into hiding, to my vague regret; one treasures even one's head-scratching peculiar spam mysteries.

spam/SpamSummary-2006-09-16 written at 23:44:04
