Wandering Thoughts archives

2006-12-02

Weekly spam summary on December 2nd, 2006

Our SMTP frontend crashed and restarted today at 2:51pm, which means that some stats are a little bit distorted. This week, we:

  • got 15,320 messages from 276 different IP addresses.
  • handled 21,412 sessions from 1,467 different IP addresses.
  • received 217,984 connections from at least 66,248 different IP addresses up until this morning at 4am, and 11,150 connections from at least 4,184 different IP addresses since 2:51pm.
  • hit a highwater of 50 connections being checked at once by 4am this morning (and a less impressive highwater of 9 since 2:51pm).

Connection count is up from last week, although nothing else really is. Removing today from the per-day table, we have:

Day          Connections   Different IPs
Sunday            40,151         +15,122
Monday            39,803         +12,027
Tuesday           31,702          +9,861
Wednesday         34,586         +10,595
Thursday          42,762         +10,402
Friday            28,980          +8,241

This is more see-sawing than we usually see, especially on Sunday. The highwater of 50 simultaneous connections was set on Thursday, which isn't too surprising.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
208.99.198.64/27      38955   2337K
213.29.7.0/24         29146   1749K
64.166.14.222         13032    625K
212.11.40.130          5965    358K
81.115.40.8            5039    269K
212.216.176.0/24       3996    199K
217.16.29.50           3975    239K
66.79.27.66            3896    234K
216.64.81.10           3454    166K
63.138.101.139         3369    162K
  • 208.99.198.64/27 is SBL48200, returning from last week and now earning a place in our permanent blocks.
  • 213.29.7.0/24 is centrum.cz, also returning and also earning a permanent block.
  • 64.166.14.222 also returns from last week, still a PacBell DSL line. Evidently it really, really wants to talk to us.
  • 212.11.40.130 and 81.115.40.8 are both generic 'dynamic' IPs, from easnet.fr and telecomitalia.it respectively.
  • 217.16.29.50 aka by.ru spent too much time trying to send us spam that had already hit our spamtraps.
  • 216.64.81.10 kept trying a bad HELO too much.
  • 63.138.101.139 is in the CBL. I note with interest that despite being called 'mx03.simon-mx.com', the netblock it is in allegedly belongs to 'IMARKETING CONSULTANTS' (under PaeTec), allegedly located in Florida.

Overall volume seems down from last week; there are fewer really active sources, discounting SBL48200.

Connection time rejection stats:

  70836 total
  45848 dynamic IP
  17887 bad or no reverse DNS
   5198 class bl-cbl
    645 class bl-sdul
    250 class bl-dsbl
     90 class bl-sbl
     61 class bl-njabl
     58 class bl-spews
     22 class bl-ordb

As I sometimes like to say, yow! This may be the highest rejection count we've ever had, and it certainly seems like a significant spam storm hit us this week. The most active sources of dynamic IPs are:

   3064 rr.com
   2336 proxad.net
   1817 retail.telecomitalia.it
   1623 comcast.net
   1553 ono.com
   1423 dynamicip.rima-tde.net
   1383 user.auna.net
   1312 verizon
   1209 wanadoo.fr
   1118 charter.com
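As an added illustration, not the author's code, this is the kind of tally that produces the connection-time rejection counts and the per-provider dynamic-IP list above. It assumes a constructed list of connections (reverse DNS name plus any DNSBL classes that listed the address), a made-up hostname heuristic for "dynamic IP", and the class labels used in the summary.

```python
import re
from collections import Counter

# Constructed sample, not real log data: one tuple per connection, giving the
# reverse DNS name (None if there was none) and the DNSBL classes that listed it.
CONNECTIONS = [
    ("cpe-192-0-2-10.res.rr.com", []),
    ("dyn-192-0-2-11.proxad.net", ["cbl"]),
    ("pool-12.res.rr.com", []),
    (None, ["cbl"]),
    ("mail.example.org", ["cbl", "sbl"]),
    ("ppp-7.retail.telecomitalia.it", []),
    ("mx.example.net", []),
]

# Assumed heuristic: reverse DNS labels typical of consumer/dynamic address pools.
DYNAMIC_RE = re.compile(r"(^|[.-])(dyn|dynamic|dsl|cpe|pool|ppp|dhcp|cable)(?=[.-]|\d)", re.I)
# Providers the summary reports at three labels rather than two.
THIRD_LEVEL = {"retail.telecomitalia.it", "dynamicip.rima-tde.net", "user.auna.net"}

def rejection_class(rdns, blacklists):
    """First matching rejection reason, or None if the connection passes.
    A missing name is checked first, then the dynamic heuristic, then DNSBLs."""
    if rdns is None:
        return "bad or no reverse DNS"
    if DYNAMIC_RE.search(rdns):
        return "dynamic IP"
    return "class bl-" + blacklists[0] if blacklists else None

def source_domain(rdns):
    """Collapse a reverse DNS name to the provider label used in the summary."""
    labels = rdns.lower().split(".")
    tail3 = ".".join(labels[-3:])
    return tail3 if tail3 in THIRD_LEVEL else ".".join(labels[-2:])

def summarize(connections):
    """Tally rejections by class, and dynamic-IP rejections by provider."""
    totals, dynamic_sources = Counter(), Counter()
    for rdns, bls in connections:
        reason = rejection_class(rdns, bls)
        if reason is None:
            continue
        totals["total"] += 1
        totals[reason] += 1
        if reason == "dynamic IP":
            dynamic_sources[source_domain(rdns)] += 1
    return totals, dynamic_sources

def format_report(counter):
    return "\n".join(f"{n:7d} {label}" for label, n in counter.most_common())  # 'count label' layout
```

Calling `summarize(CONNECTIONS)` and passing each Counter to `format_report` prints the two right-aligned lists in the layout the summary uses.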

Only two of the top 30 most rejected IP addresses were rejected 100 times or more: 200.72.136.178 (135 times, rejected for being a LACNIC IP address with no reverse DNS) and our friend 63.138.101.138 (130 times). 21 of the top 30 are currently in the CBL and 9 are currently in bl.spamcop.net.

This week, Hotmail managed:

  • 1 message accepted.
  • 1 message rejected because it came from a non-Hotmail email address (in this case an address at 'alliedpersonelsvcinc.co.uk').
  • 28 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in the Cote d'Ivoire.

This is better than last week, but that's still not saying very much.

What          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs     1059 (155)                   2148 (161)
Bad bounces    109 (101)                    412 (319)

The clear winner in the bad HELO sweepstakes is 210.171.112.2, with 136 attempts before it got blocked. No one won the bad bounces sweepstakes; as you can guess from the numbers, only a very few places even sent us more than one.

This week the first_last login name pattern bounces went away almost completely. What's left is primarily plausible usernames (generally not ones that were ever valid here), leavened with a few alphanumeric jumbles.

spam/SpamSummary-2006-12-02 written at 23:28:15