Wandering Thoughts archives

2006-11-04

Weekly spam summary on November 4th, 2006

This week, we:

  • got 15,265 messages from 278 different IP addresses.
  • handled 21,071 sessions from 1,538 different IP addresses.
  • received 215,602 connections from at least 52,130 different IP addresses.
  • hit a highwater of 12 connections being checked at once.

These statistics superficially look a lot like last week's, although up somewhat. What they hide is a significant spam storm that has actually been getting through our low-rent graylisting, more or less shown in the per day table:

Day          Connections   Different IPs
Sunday            26,390          +6,411
Monday            28,908          +7,066
Tuesday           26,318          +6,641
Wednesday         30,790          +7,677
Thursday          33,607          +8,772
Friday            36,044          +8,379
Saturday          33,545          +7,184

Today especially our logs have been lighting up with this stuff. The giveaway sign is dynamic machines HELOing with their actual (dynamic) name, not a forged HELO greeting, and then trying to MAIL FROM various random places. So far most of them have been European IPs, with some Asian and American ones to make life more exciting.
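As an added illustration (not code from the original post), here is a small detector for that giveaway sign: it flags sessions whose HELO name looks like a provider-assigned dynamic name (the client's own address octets embedded in the name, or a dynamic-pool keyword) while the MAIL FROM domain is unrelated to the HELO domain. The log format, hostnames, addresses and the keyword list are all constructed assumptions.

```python
import re
from ipaddress import IPv4Address

# Keywords common in provider-assigned dynamic-pool reverse DNS names (assumption, not from the post).
DYNAMIC_HINTS = ("dyn", "dsl", "cable", "ppp", "pool", "dhcp", "dialup")

def helo_looks_dynamic(helo: str, client_ip: str) -> bool:
    """Heuristic: the HELO name embeds the client's own address octets
    (forward or reversed, e.g. 192-0-2-77 or 77.2.0.192) or carries a
    dynamic-pool keyword."""
    name = helo.lower()
    octets = str(IPv4Address(client_ip)).split(".")
    runs = re.findall(r"\d+", name)
    for i in range(len(runs) - 3):
        window = runs[i:i + 4]
        if window == octets or window == octets[::-1]:
            return True
    return any(hint in name for hint in DYNAMIC_HINTS)

def base_domain(name: str) -> str:
    """Last two labels; crude, but enough to compare HELO and MAIL FROM domains."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

# Constructed log line shape: "... conn=<ip> helo=<name> from=<sender>".
LINE_RE = re.compile(r"conn=(\S+) helo=(\S+) from=\S*@(\S+)")

def flag_sessions(log_text: str):
    """Return (ip, helo, sender_domain) for sessions showing the giveaway sign:
    a dynamic-looking HELO combined with an unrelated MAIL FROM domain."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, helo, sender_domain = m.groups()
        if helo_looks_dynamic(helo, ip) and base_domain(helo) != base_domain(sender_domain):
            flagged.append((ip, helo, sender_domain))
    return flagged

# Constructed sample log lines (documentation-range addresses, made-up hostnames).
SAMPLE_LOG = """\
2006-11-04 10:01:12 conn=192.0.2.77 helo=dsl-192-0-2-77.isp-a.example from=alice@shop.example
2006-11-04 10:01:40 conn=198.51.100.9 helo=mail.corp.example from=bob@corp.example
2006-11-04 10:02:03 conn=203.0.113.5 helo=5.113.0.203.cable.isp-b.example from=carol@lottery.example
2006-11-04 10:02:31 conn=192.0.2.78 helo=pool-78.isp-a.example from=dave@isp-a.example
"""

if __name__ == "__main__":
    for entry in flag_sessions(SAMPLE_LOG):
        print("suspect session:", entry)
```

The fourth sample line has a dynamic-looking HELO but a sender in the same domain, so it is deliberately not flagged; the rule keys on the combination, not on the HELO alone.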

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          26060   1355K
69.31.86.14            7864    472K
216.71.64.178          5190    311K
194.213.224.9          5015    301K
209.182.108.85         5014    231K
60.231.152.85          4794    244K
193.252.22.158         3942    237K
61.128.0.0/10          3930    199K
212.216.176.0/24       3917    194K
213.29.7.134           3890    233K

This is a bunch better than last week, with everyone except our usual prize winner coming in significantly lower. Also, almost all of the IPs are new ones.

  • 213.4.149.12 and 193.252.22.158 reappear from last week.
  • 69.31.86.14 is in SPEWS.
  • 216.71.64.178 is a host4u.net machine, and we're not interested in talking to them.
  • 194.213.224.9 kept trying to send us stuff that had tripped our spamtraps.
  • 209.182.108.85 had a bad HELO greeting.
  • 60.231.152.85 is a bigpond.net.au cablemodem. Uh, no thanks.
  • 213.29.7.134 is a centrum.cz mail machine (last spotted in February), although a neighboring machine made the list last week.

This is an interestingly broad assortment of reasons for getting blocked, much less monochromatic than usual.

Connection time rejection stats:

  56316 total
  29798 dynamic IP
  21151 bad or no reverse DNS
   3133 class bl-cbl
   1055 class bl-sdul
    261 class bl-dsbl
    115 class bl-njabl
     99 class bl-spews
     48 class bl-ordb
     37 cuttingedgemedia.com
     27 class bl-sbl

And here we see the explosion: this is way up from last week, with major growth in several areas typical of exploited zombie machines.

Four of the top 30 most rejected IP addresses were rejected 100 times or more: 124.90.223.216 (376 times, all of them today), 69.159.193.177 (181 times), 82.163.27.65 (102 times), and 82.3.189.248 (100 times). Annoyingly, one of them is a Canadian (even a Toronto) IP address.

Nineteen of the top 30 most rejected IP addresses are currently in the CBL, and 10 are currently in bl.spamcop.net.

This week's Hotmail grumps:

  • 8 messages accepted; one that was good, 6 that were definitely spam, and one I'm not sure about.
  • 1 message rejected because it came from a non-Hotmail email address.
  • 38 messages sent to our spamtraps.
  • 1 message refused because its sender addresses had already hit our spamtraps.
  • 6 messages refused due to their origin IP address (3 for being in the CBL, one from SAIX, one from Burkina Faso, and one from the Cote d'Ivoire).

And the final numbers:

What          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs           1298 (140)                   2076 (103)
Bad bounces          370 (256)                    377 (276)

Things are better than last week, but not hugely. The most popular bad bounce target this week was 'wilhelmi' (21 hits), but in general the pattern continued from last week, and almost everything was hit only once. There seems to be a drift towards single-word usernames, away from the combination Slavic female names.

spam/SpamSummary-2006-11-04 written at 23:38:01
