Wandering Thoughts archives

2007-02-03

Weekly spam summary on February 3rd, 2007

This week, we:

  • got 15,790 messages from 280 different IP addresses.
  • handled 23,657 sessions from 1,340 different IP addresses.
  • received 248,408 connections from at least 73,118 different IP addresses.
  • hit a highwater of 17 connections being checked at once.

Volume is up again from last week, although the number of different IPs is down slightly.

Day         Connections   different IPs
Sunday           28,871         +11,587
Monday           30,772         +10,424
Tuesday          39,487         +10,941
Wednesday        38,430         +10,523
Thursday         36,188          +9,602
Friday           37,864         +10,746
Saturday         36,796          +9,295

This is somewhat more even than last week, but that's about all I can say for it.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
193.70.192.0/24       18193    820K
213.4.149.12          17817    926K
213.29.7.0/24         17387   1043K
193.95.28.40          14077    653K
64.166.14.222         10431    501K
203.143.22.50          7058    423K
24.39.78.164           6715    322K
206.100.222.95         6082    292K
66.15.116.230          5391    259K
66.15.119.165          4741    222K

Things are definitely up compared to last week.

  • 213.4.149.12 and 66.15.119.165 return from last week.
  • 193.95.28.40 kept attempting to send us stuff that had already tripped spamtraps.
  • 64.166.14.222 returns from early January, still blocked for being a PacBell DSL line.
  • 203.143.22.50 is a Sri Lankan IP address with no reverse DNS.
  • 24.39.78.164 and 206.100.222.95 both tried too often with bad HELOs.
  • 66.15.116.230 is on the NJABL.

Connection time rejection stats:

  64250 total
  39581 dynamic IP
  17883 bad or no reverse DNS
   5133 class bl-cbl
    333 class bl-dsbl
    166 class bl-njabl
    139 class bl-pbl
    123 class bl-sbl
    116 class bl-sdul
     21 verticalresponse.com
     13 cuttingedgemedia.com

Four of the top 30 most rejected IPs were rejected 100 times or more this week: 81.51.108.120 (349 times), 64.166.14.222 (199 times), 68.91.134.69 (118 times), and 211.180.132.9 (100 times). The first three were rejected as dynamic IPs, the fourth for having bad reverse DNS. Ten of the top 30 are currently in the CBL and a whopping 21 are currently listed in bl.spamcop.net.

This week's Hotmail scores are:

  • 5 messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address.
  • 36 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 8 messages refused due to their origin IP address (3 in the SBL, 2 from the Cote d'Ivoire, 1 in the CBL, 1 from Nigeria, and one from SAIX).

Somehow, I don't think we're losing anything by not accepting an email message this week from one 'netaleloto_awrd_006@hotmail.it'.

The SBL listings are SBL50384, from January 2007, SBL46422, from September 2006, and SBL32972, from November 2005, when it was spamming through Hotmail. I have no words.

And the final numbers:

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs             982              113          1171              134
Bad bounces           105               88           229              130

Germany and Russia seem to be the leading sources of bad bounces this week, with the usual contributions from various other places. Unlike last week, there's no particularly big single source; like last week, the most common bad usernames continue to be alphabetical jumbles, with a certain amount of more plausible ones mixed in. Bad bounces were sent to 96 different bad usernames this week.

spam/SpamSummary-2007-02-03 written at 23:44:45
