Wandering Thoughts archives

2006-09-16

Weekly spam summary on September 16th, 2006

The SMTP frontend keeled over and was restarted around 6am on Tuesday morning, so some of the statistics are from then. Given that, this week we:

  • got 15,257 messages from 210 different IP addresses.
  • handled 17,165 sessions from 837 different IP addresses.
  • received 101,830 connections from at least 26,869 different IP addresses since Tuesday at 6am.
  • hit a highwater of 7 connections being checked at once since Tuesday at 6am.

It looks like the total connection count for this week is about 140,000 or so, which would make the total volume slightly down from last week. The per day stats don't make for a useful table, but look about flat.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          45463   2364K
82.195.157.47         10886    653K
209.172.38.189         6575    395K
82.58.96.64            5616    337K
195.34.34.232          5221    261K
218.0.0.0/11           4451    217K
61.128.0.0/10          3223    163K
193.70.192.0/24        2664    120K
216.138.229.192        2385    124K
207.245.12.2           2262    109K

Apart from the one major outlier, the volume here is pretty similar to last week.

  • 213.4.149.12, mailhost.terra.es, HELO'ing as the nonexistent and nonsensical hostname 'ctsmtpout1.frontal.correo', reappears from last week in a huge way. It has now earned a place in our permanent blocks.
  • 82.195.157.47 and 207.245.12.2 also got blocked for repeated bad HELO greetings.
  • 209.172.38.189 was blocked because it kept trying to send us stuff that had hit our spamtraps, in particular email with a MAIL FROM pointing to the domain 'opinionplus.ca'.
  • 82.58.96.64 was blocked for being in the CBL, but an inspection of its hostname shows that it's a dynamic telecomitalia.it address (and is listed in dialups.visi.com, a DNSbl I may need to consider using).
  • 195.34.34.232 and 216.138.229.192 were also blocked for hitting spamtraps and keeping on sending. The presence of 195.34.34.232 is especially impressive because it only started hitting us yesterday (Friday).

Connection time rejection stats:

  27768 total
  13469 dynamic IP
  11422 bad or no reverse DNS
   1403 class bl-cbl
    395 class bl-dsbl
    221 class bl-sdul
    192 class bl-njabl
    146 class bl-sbl
    145 class bl-ordb
     34 class bl-spews

Five out of the top 30 most rejected IP addresses were rejected 100 times or more, with this week's champion being 64.166.14.222 (417 times, rejected for being a PacBell ADSL line). 19 of the top 30 are currently in the CBL, 8 are currently in bl.spamcop.net, and one, our friend 208.32.133.156 from Cutting Edge Media, is in SBL45150.

This ongoing persistence from Cutting Edge Media has now earned them a permanent personal block. (I'm tempted to make it a kernel level block, but I'm refraining for now.)

The Hotmail stats got worse from last week:

  • 4 messages accepted, at least one of which was legitimate.
  • 2 messages rejected because they came from non-Hotmail email addresses, both times from msn.com users.
  • 40 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 1 messages refused due to its origin IP address being in SBL27471.

I remain unimpressed with Hotmail, not that this is exactly news.

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 264 42 593 80
Bad bounces 57 51 101 91

My biggest reaction is that this is a pleasant decline from last week, although I'm not going to hold my breath for the trend to continue. Bounces to 38-character hex string login names have gone back into hiding, to my vague regret; one treasures even one's head-scratching peculiar spam mysteries.

spam/SpamSummary-2006-09-16 written at 23:44:04; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.