Wandering Thoughts archives


Weekly spam summary on October 28th, 2006

This week, we:

  • got 14,982 messages from 288 different IP addresses.
  • handled 21,920 sessions from 1,294 different IP addresses.
  • received 193,231 connections from at least 46,305 different IP addresses.
  • hit a highwater of 11 connections being checked at once.

This is pretty much the same as last week. On a global scale it is up from what I consider an acceptably quiet level, but looking back a year it seems to be about the same as this time last year.

(It's a peculiar feeling to be reminded that I've been doing these weekly spam summaries for well over a year now.)

Day Connections different IPs
Sunday 28,770 +7,102
Monday 28,790 +7,501
Tuesday 28,965 +7,305
Wednesday 26,112 +6,170
Thursday 30,102 +7,019
Friday 29,286 +6,201
Saturday 21,206 +5,007

The per day table is relatively straightforward, although there is a dip on Wednesday. As usual, I have no explanation for any of this.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes          25115   1306K        24818   1224K         22088   1325K          11936    716K         7878    369K           6171    370K        5313    262K         5070    243K          4683    249K         4194    252K

On the kernel blocks front, things are significantly more active than they were last week, although our leader keeps slowly declining.

  •,, and all return from last week, and for the same reasons (although looking back, I got a bit of my identification of wrong; 212/8 is a RIPE netblock, not an APNIC one).
  • is affiliatecrew.com, which kept trying to hammer on us with mail that had already hit our spamtraps. Given their domain name, I am pretty sure that I don't want to talk to them anyways.
  • is an Italian IP address with no reverse DNS.
  • was blocked for blasting our postmaster alias with backscatter from viruses.
  • is a centrum.cz mail machine; we've gotten too much advance fee fraud spam from them to accept any more.
  • tried to keep sending us stuff that had already hit our spamtraps.
  • is a wanadoo.co.uk mail machine (and we've seen it before, most recently at the start of October); at the time that we blocked it, it was in SPEWS (and we're not interested in talking to Wanadoo properties anyways).

It's also rare for the top-10 kernel blocks to be so dominated by single IP addresses; even last week had three netblocks. This week we're down to just a Chinese /10, and it's only in ninth place.

Connection time rejection stats:

  34922 total
  17172 dynamic IP
  14149 bad or no reverse DNS
   2316 class bl-cbl
    298 class bl-dsbl
    256 class bl-sdul
    211 class bl-njabl
     56 class bl-spews
     44 class bl-ordb
     41 class bl-sbl
     19 cuttingedgemedia.com

Three out of the top 30 most rejected IP addresses were rejected 100 times or more; (188 times), (167 times), and (105 times), all of which are APNIC addresses refused for having bad or missing reverse DNS. 19 of the 30 most rejected IP addresses are currently in the CBL and 9 are currently in bl.spamcop.net.

This week's Hotmail numbers:

  • 1 message accepted; it was legitimate email.
  • 1 message rejected because it came from a non-Hotmail email address (it was a msn.com address).
  • 26 messages sent to our spamtraps.
  • 1 message refused because its sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being a SAIX one.

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 2076 103 335 52
Bad bounces 377 276 255 169

With the numbers that big, I was expecting to find a single point source of bad HELOs; unfortunately there isn't one. The leader is (213 times), but then there is (96 times), (78 times), (72 times), and so on.

The most eye-opening bad bounce source was securityfocus.com, at 22 attempts to check a 'IEFPLMD'. I suspect that this is sender verification instead of actual bounces. However, this was not the most popular bounce destination; that goes to 'milw' (22 times). To my pleasure, 3E4B reappeared (although there is still no sign of the 38 character hex strings). Otherwise, the bounces went to the usual suspects, primarily Slavic female names.

spam/SpamSummary-2006-10-28 written at 23:48:31; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.