Weekly spam summary on October 7th, 2006
This week, we:
- got 15,275 messages from 261 different IP addresses.
- handled 21,183 sessions from 1,301 different IP addresses.
- received 172,030 connections from at least 42,834 different IP addresses.
- hit a highwater of 18 connections being checked at once.
Volume is up somewhat from last week, but not hugely. The per day volume level fluctuates significantly:
Kernel level packet filtering top ten:
|Host/Mask||Packets||Bytes|
|22.214.171.124||58339||3034K|
|126.96.36.199||7377||375K|
|188.8.131.52/11||6280||304K|
|184.108.40.206||5769||346K|
|220.127.116.11||4989||282K|
|18.104.22.168||4762||242K|
|22.214.171.124||3663||181K|
|126.96.36.199||3200||176K|
|188.8.131.52/10||3154||176K|
|184.108.40.206||2901||174K|
The overall numbers are up somewhat from last week.
- 220.127.116.11, 18.104.22.168, and 22.214.171.124 return from last week, with terra.es continuing to totally, totally own first place.
- 126.96.36.199 is a proxad.net dialup.
- 188.8.131.52 is listed in NJABL; it appears to be yet another webmail advance fee fraud spam source.
- 184.108.40.206 is a leivo.ru machine, and we've decided not to talk to them any more because they're a source of annoying backscatter.
- 220.127.116.11 is currently in the CBL.
Connection time rejection stats:
|35477||total|
|17818||dynamic IP|
|14475||bad or no reverse DNS|
|1712||class bl-cbl|
|262||class bl-dsbl|
|217||class bl-sdul|
|205||class bl-njabl|
|80||class bl-spews|
|47||class bl-ordb|
|39||class bl-sbl|
This week marks the first week that Cutting Edge Media has left us alone. If it keeps up, I may hold a modest celebration.
One out of the top 30 most rejected IP addresses was rejected more than 100 times: 18.104.22.168, a RoadRunner cablemodem, at 184 times (it is also in the CBL). 23 of the top 30 most rejected IP addresses are currently in the CBL and 6 are currently in
I can, I'll do a table of the top SBL rejections:
|14||SBL29986||RTComm.RU /15 escalation listing|
|8||SBL41338||Advance fee fraud spam source|
|7||SBL47129||Phish spam source|
|3||SBL30022||RTComm.RU /16 escalation listing|
I'd say I'm detecting a trend here, but it's not anything new, so I'm more confirming it.
This week, Hotmail brought to us:
- 4 messages accepted, at least two of which were spam (again coming from what is probably a tm.net.my ADSL line; I guess I'll add them to the banned sources list).
- no messages rejected because they came from non-Hotmail email addresses.
- 27 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one for being in SBL33810 and the other for being from the Cote d'Ivoire).
I can't say I'm very happy about the continued spam from the Hotmail plus tm.net.my combination (they did it last week too). But then I'm usually not very happy with Hotmail in general.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Colour me displeased with the increase. No particular source of bad HELOs stands out; there were just more of them (although the average number of bad HELOs per IP address went up).
On the bad bounces, last week's pattern pretty much repeats, mixed in with the random alphanumeric usernames from earlier weeks. This time I looked at the sources of the bounces; it seems that most of the Russian female name bounces are coming from the Eastern Europe area. There was one bounce to