Wandering Thoughts archives

2006-09-30

Weekly spam summary on September 30th, 2006

This week, we:

  • got 15,751 messages from 307 different IP addresses.
  • handled 19,911 sessions from 1,047 different IP addresses.
  • received 154,477 connections from at least 38,870 different IP addresses.
  • hit a high-water mark of 9 connections being checked at once.

This is all about the same level as last week, or at most down a little bit. Oddly, we show a bit of a volume jump towards the end of the week:

Day          Connections   different IPs
Sunday            18,432          +4,543
Monday            23,737          +5,895
Tuesday           21,888          +5,077
Wednesday         21,793          +5,414
Thursday          24,042          +6,914
Friday            25,216          +6,556
Saturday          19,369          +4,471

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          56881   2958K
212.130.19.148         6818    347K
193.252.22.158         4744    285K
195.130.132.54         3380    203K
213.129.201.64         3189    153K
86.7.241.201           3188    153K
80.51.32.242           3132    188K
194.165.146.156        2988    143K
218.0.0.0/11           2897    141K
213.180.130.35         2742    165K

Apart from first place, this is about the same sort of volume as last week.

  • 213.4.149.12 continues its stranglehold on first place from last week.
  • 212.130.19.148, 193.252.22.158, and 80.51.32.242 also return from last week.
  • 195.130.132.54 did the now-usual thing of trying to keep sending us stuff that had already hit our spamtraps.
  • 213.129.201.64 reappears from August, still with a bad HELO greeting.
  • 86.7.241.201 is an NTL cablemodem.
  • 194.165.146.156 is a 'Wanadoo Jordan' IP address with no reverse DNS (and is also listed in relays.ordb.org).
  • 213.180.130.35 is a poczta.onet.pl machine, and we don't talk to them.

Connection time rejection stats:

  34465 total
  17779 dynamic IP
  13422 bad or no reverse DNS
   1868 class bl-cbl
    403 class bl-dsbl
    215 class bl-sdul
    153 class bl-njabl
    130 class bl-spews
     45 class bl-ordb
     23 cuttingedgemedia.com
     16 class bl-sbl

Twelve out of the top 30 most rejected IP addresses were rejected 100 times or more, with the champion being 72.66.49.214 (196 times, for being a Verizon dynamic IP). 18 of the top 30 are currently in the CBL, and 9 are currently in bl.spamcop.net; this week, none are in the SBL.

This week's Hotmail stats are reasonably good:

  • 9 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 28 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • no messages refused due to their origin IP address.

Seven of the accepted messages were legitimate, but the remaining two were advance fee fraud spam (sent from 219.95.240.138, a Malaysian IP address that's probably a tm.net.my ADSL line).

(The high number of actual messages is due to the usual cause: a student-facing system had a glitch and students promptly mailed in to tell people about it.)

And the final numbers:

what           # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs              718               66           495               60
Bad bounces            127               88            60               52

I'm not really happy to see these numbers climbing, but at least they're not really bad; it's still at the drip-drip level instead of a flood. There are no particularly big spike sources of either, although the largest single source of bounces appears to have been a spammer trying a new trick to get their messages through.

The bounces were all over, including bounces to E7D6 and 3E4B like last week, but the majority were to made-up usernames of the form <first>_<last>, where the first and last names looked like randomly chosen female-sounding Russian names; a representative example is 'violetta_mironova'.
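As an added illustration (not code from the original post), here is how the "bad bounces" line of the table above could be produced from a bounce log: a bounce is bad when it is addressed to a local user that does not exist, and the `<first>_<last>` shape the post describes is counted separately. The log line format, the local user list and the sample lines are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample bounce-log lines (not from the original post). The
# line format "<timestamp> bounce to=<addr> from=<ip>" is an assumption.
SAMPLE_LOG = """\
2006-09-28T10:01:02 bounce to=violetta_mironova@example.org from=192.0.2.10
2006-09-28T10:03:15 bounce to=svetlana_ivanova@example.org from=192.0.2.10
2006-09-28T10:05:44 bounce to=E7D6@example.org from=198.51.100.7
2006-09-28T11:20:09 bounce to=cks@example.org from=203.0.113.5
2006-09-28T11:44:30 bounce to=3E4B@example.org from=198.51.100.7
2006-09-29T08:00:00 bounce to=natalia_petrova@example.org from=192.0.2.11
"""

# Local addresses that really exist (constructed). A bounce to anything
# else is a bad bounce: we never sent the message being bounced.
VALID_USERS = {"cks", "postmaster"}

LINE_RE = re.compile(r"bounce to=(?P<local>[^@\s]+)@\S+ from=(?P<ip>\S+)")
# The shape described in the post: <first>_<last>, both lowercase words.
FIRST_LAST_RE = re.compile(r"^[a-z]+_[a-z]+$")


def classify_bounces(log_text):
    """Return (bad_bounce_count, distinct_source_ips, counts_by_kind)."""
    kinds = Counter()
    bad_ips = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a bounce record; ignore
        local, ip = m.group("local"), m.group("ip")
        if local in VALID_USERS:
            kinds["legitimate"] += 1
            continue
        bad_ips.add(ip)
        if FIRST_LAST_RE.match(local):
            kinds["first_last"] += 1
        else:
            kinds["other_madeup"] += 1
    bad = kinds["first_last"] + kinds["other_madeup"]
    return bad, len(bad_ips), kinds


if __name__ == "__main__":
    bad, n_ips, kinds = classify_bounces(SAMPLE_LOG)
    print(f"Bad bounces {bad} ({n_ips} distinct IPs): {dict(kinds)}")
```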

spam/SpamSummary-2006-09-30 written at 23:19:57