Wandering Thoughts archives

2006-12-23

Weekly spam summary on December 23rd, 2006

The SMTP frontend died and was restarted at 2:24 am Wednesday morning, so some stats are only from then. That said, this week we:

  • got 14,896 messages from 260 different IP addresses.
  • handled 22,673 sessions from 1,353 different IP addresses.
  • received 147,470 connections from at least 47,766 different IP addresses since Wednesday at 2:24 am.
  • hit a highwater of 10 connections being checked at once since Wednesday at 2:24 am.

It looks like we'd received about 65,000 connections as of Tuesday morning, which would make the total volume roughly the same as last week. The per-day information is kind of broken, but since Wednesday morning we seem to have had higher traffic than usual, running between 35,000 and 40,000 connections a day.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
62.94.0.34            13437    605K
213.4.149.12          12301    640K
213.29.7.0/24          8888    533K
193.252.22.158         4936    296K
217.20.114.13          4783    287K
216.48.45.2            3515    164K
212.43.241.13          3478    191K
60.231.152.85          3241    165K
83.17.193.138          3045    183K
62.66.138.173          2939    149K

This is a change from last week, with totallyfreeld.net dropping out completely and a welcome drop in overall volume.

  • 62.94.0.34 and 216.48.45.2 had too many bad HELOs.
  • 213.4.149.12, 193.252.22.158, and 60.231.152.85 return from last week.
  • 217.20.114.13 is in the NJABL.
  • 212.43.241.13 is a fr.clara.net machine that kept on trying to send us stuff that had already tripped spamtraps.
  • 83.17.193.138 and 62.66.138.173 are dynamic IP 'dialup' machines.

Connection time rejection stats:

  52591 total
  31494 dynamic IP
  16375 bad or no reverse DNS
   3541 class bl-cbl
    312 class bl-sdul
    222 class bl-dsbl
     77 class bl-njabl
     44 class bl-sbl
     24 class bl-spews
     15 cuttingedgemedia.com
      8 class bl-ordb

This is, alas, the last week that the ORDB will appear in the stats, as the ORDB shut down December 18th (as reported on Slashdot, among other places; I am not linking to their website, because they're going to turn that off soon).
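As an added illustration of how buckets like "dynamic IP", "bad or no reverse DNS" and "class bl-cbl" are normally produced at connection time (this is example code, not the original post's frontend or any code the author published): a DNSBL lookup reverses the IPv4 octets, appends the zone name, and treats an answer in 127.0.0.0/8 as "listed"; reverse DNS is checked for a PTR that resolves back to the connecting address. The zone mapping beyond the CBL and SBL names, the pattern used to spot dynamic-looking PTRs, the order of the checks, and every DNS record in it are assumptions; the resolver is a fake so the block runs offline.

```python
import ipaddress
import re
from collections import Counter
from typing import Callable, Dict, Iterable, Optional, Tuple

# Rejection classes checked against DNSBL zones, keyed the way the stats above
# label them. cbl.abuseat.org and sbl.spamhaus.org are the real CBL and SBL
# zones; which zones the post's frontend actually queried is not stated, so
# treat this mapping as an assumption for the example.
DNSBL_ZONES: Dict[str, str] = {
    "bl-cbl": "cbl.abuseat.org",
    "bl-sbl": "sbl.spamhaus.org",
}

# How the post's frontend recognises "dynamic IP" space is not described;
# matching generic-looking tokens in the PTR name is an assumption used here.
DYNAMIC_PTR_RE = re.compile(
    r"(^|[.-])(dial|dialup|dyn|dynamic|ppp|dsl|cable)([.-]|\d)", re.I)

# (query name, record type) -> first answer, or None for NXDOMAIN / no data.
Resolver = Callable[[str, str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the standard DNSBL lookup name: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before it hits DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def reverse_dns_state(ip: str, resolve: Resolver) -> Tuple[Optional[str], bool]:
    """Return (PTR name or None, whether that name resolves back to ip)."""
    ptr = resolve(dnsbl_query_name(ip, "in-addr.arpa"), "PTR")
    if ptr is None:
        return None, False
    return ptr, resolve(ptr, "A") == str(ipaddress.IPv4Address(ip))


def classify_connection(ip: str, resolve: Resolver,
                        zones: Dict[str, str] = DNSBL_ZONES) -> Optional[str]:
    """Return the connection-time rejection reason, or None to let SMTP proceed.

    The check order is an assumption: cheap local decisions (dynamic-looking
    PTR, missing or non-forward-confirmed reverse DNS) run before the remote
    DNSBL queries, so most rejections never cost a blocklist lookup.
    """
    ptr, confirmed = reverse_dns_state(ip, resolve)
    if ptr is not None and DYNAMIC_PTR_RE.search(ptr):
        return "dynamic IP"
    if ptr is None or not confirmed:
        return "bad or no reverse DNS"
    for cls, zone in zones.items():
        answer = resolve(dnsbl_query_name(ip, zone), "A")
        # DNSBLs answer with a 127.0.0.0/8 address when listed; anything else
        # (e.g. a wildcard from a lapsed domain) must not count as a listing.
        if answer is not None and answer.startswith("127."):
            return "class " + cls
    return None


def rejection_stats(ips: Iterable[str], resolve: Resolver) -> Counter:
    """Tally reasons the way the weekly 'connection time rejection stats' do."""
    counts: Counter = Counter()
    for ip in ips:
        reason = classify_connection(ip, resolve)
        if reason is not None:
            counts[reason] += 1
    return counts


def make_fake_resolver(records: Dict[Tuple[str, str], str]) -> Resolver:
    """Offline stand-in for DNS so the example runs without network access."""
    def resolve(qname: str, qtype: str) -> Optional[str]:
        return records.get((qname.lower(), qtype))
    return resolve


# Constructed sample DNS data in documentation address space (RFC 5737);
# none of these names or listings are real.
SAMPLE_RECORDS: Dict[Tuple[str, str], str] = {
    ("1.2.0.192.in-addr.arpa", "PTR"): "mail.example.net",
    ("mail.example.net", "A"): "192.0.2.1",              # clean, forward-confirmed
    ("2.2.0.192.in-addr.arpa", "PTR"): "dyn-2.pool.example.net",
    ("dyn-2.pool.example.net", "A"): "192.0.2.2",        # dynamic-looking PTR
    ("3.2.0.192.in-addr.arpa", "PTR"): "host3.example.org",
    ("host3.example.org", "A"): "198.51.100.3",          # PTR does not point back
    ("4.2.0.192.in-addr.arpa", "PTR"): "relay4.example.com",
    ("relay4.example.com", "A"): "192.0.2.4",
    ("4.2.0.192.cbl.abuseat.org", "A"): "127.0.0.2",      # CBL-listed
    # 192.0.2.5 deliberately has no PTR at all
}

if __name__ == "__main__":
    resolver = make_fake_resolver(SAMPLE_RECORDS)
    sample_ips = ["192.0.2.%d" % i for i in range(1, 6)]
    for ip in sample_ips:
        print(ip, classify_connection(ip, resolver))
    for reason, n in rejection_stats(sample_ips, resolver).most_common():
        print("%6d %s" % (n, reason))
```

Two practical points the stats above hint at: a retired zone such as the ORDB should be dropped from the mapping promptly, because every query against a dead zone costs a timeout per connection, and a domain that lapses or is repurposed can start returning answers that a naive "any A record means listed" check would count as hits. That is why the code insists on a 127.0.0.0/8 answer rather than any answer at all.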

Only one out of the top 30 most rejected IP addresses was rejected 100 times or more this week: 63.138.101.141 (102 times, in the CBL). 16 of the top 30 are currently in the CBL and 7 are currently in bl.spamcop.net.

Almost half of the SBL rejections this week came from one IP, 202.175.95.171 aka SBL49074, apparently a hijacked spam sending machine. The next two, rejected five times each, are 66.158.163.165 (SBL49046) and 221.133.1.17 (SBL49248). In a sign that the universe is returning to the proper order of things, both are listed for being advance fee fraud spam sources.

This week, Hotmail had:

  • 1 message accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 28 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (2 for being in the CBL, one for being in SBL20211 and SBL46450).

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs                1147 (104)                   1017 (109)
Bad bounces               117 (98)                      80 (64)

By far the champion source of bad HELOs is 195.97.221.30 (335 rejections), followed by 12.162.97.71 (98 rejections). The leading general area for bad bounces seems to have switched to Italian ISPs this week. The random alphabetical names are the leading bad bounce targets, but no one of them particularly stands out.

spam/SpamSummary-2006-12-23 written at 23:26:17

