2007-03-17
Weekly spam summary on March 17th, 2007
This week, we:
- got 11,732 messages from 232 different IP addresses.
- handled 18,216 sessions from 1,165 different IP addresses.
- received 189,951 connections from at least 55,941 different IP addresses.
- hit a highwater of 7 connections being checked at once.
This is all down from last week, and I have no explanation for why the messages received count is down so much; it is normally quite stable.
Day | Connections | different IPs |
Sunday | 15,731 | +6,525 |
Monday | 30,676 | +9,666 |
Tuesday | 28,663 | +8,088 |
Wednesday | 29,394 | +8,296 |
Thursday | 32,932 | +8,916 |
Friday | 29,720 | +8,318 |
Saturday | 22,835 | +6,132 |
The Sunday count is unnaturally low because we managed to accidentally drop the machine off the network for about eight hours on Sunday (we had a mis-set default route in the configuration files, so when the regular Sunday morning reboot happened the machine dropped off the Internet until we figured out what was going on).
Kernel level packet filtering top ten:
Host/Mask | Packets | Bytes |
206.223.168.238 | 34311 | 1882K |
68.230.240.0/24 | 23616 | 1147K |
213.4.149.12 | 17757 | 923K |
205.152.59.0/24 | 17549 | 796K |
213.29.7.0/24 | 12251 | 735K |
213.41.128.40 | 7368 | 375K |
70.167.3.24 | 6324 | 379K |
69.15.68.98 | 6321 | 296K |
211.63.211.245 | 5964 | 286K |
217.14.208.79 | 5586 | 284K |
This is significantly up from last week, partly (but not entirely) because of 68.230.240.0/24, which is Cox's outgoing SMTP pool. Cox is yet another US ISP that we don't talk to any more because they got into full bore webmail and thus full bore advance fee fraud spamming, and this week I blocked their /24 early on.
- 206.223.168.238 and 213.4.149.12 return from last week and previous appearances.
- 213.41.128.40, 211.63.211.245, and 217.14.208.79 are all on the DSBL.
- 70.167.3.24 kept trying to send stuff with an origin address that had already tripped our spamtraps.
- 69.15.68.98 kept trying with a bad HELO name; we've seen it before, back in early February.
To follow up something from last week: 64.208.191.0/24 did not hit us at all this week, and thus I am dropping them off my mental radar.
Connection time rejection stats:
Count | Reason |
67425 | total |
41908 | dynamic IP |
17325 | bad or no reverse DNS |
6573 | class bl-cbl |
299 | class bl-dsbl |
245 | acceleratebiz.com |
242 | class bl-sdul |
159 | class bl-pbl |
93 | class bl-njabl |
85 | cuttingedgemedia.com |
49 | class bl-sbl |
The highest SBL source this week is SBL43107 (18 hits), the 'Gestour Portal spam source' listing that we've seen before. After that is SBL49248 (9 hits), an advance fee fraud spam source listed 18 December 2006.
Three of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 66.191.255.223 (112 times), a charter.com dynamic IP address of some sort. Twelve of the top 30 are currently in the CBL, 13 are currently in bl.spamcop.net, eight are in the PBL, and a grand total of 16 are in zen.spamhaus.org (which needs a short, punchy name).
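The DNSBL counts above (CBL, bl.spamcop.net, PBL, zen) come from the same mechanical check: reverse the four octets of the IP, append the zone name, and do an A lookup; a 127.0.0.x answer means listed, NXDOMAIN means not. The following is an added example, not code from the original post. It shows the query-name construction, decodes the zen.spamhaus.org return codes into their sub-lists (SBL, XBL, PBL), refuses to treat a non-127/8 answer as a listing (the symptom of a blocked or hijacked resolver), and reproduces the "N of the top 30 are in zone X" tally. The resolver is injectable so the demo runs offline against constructed answers for RFC 5737 documentation addresses; none of those "listings" are real, and the zone name cbl.abuseat.org is the one the CBL used at the time.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Return codes documented by Spamhaus for zen.spamhaus.org. Most single-purpose
# lists (the CBL, bl.spamcop.net) simply return 127.0.0.2 for any hit.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (CBL data)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
DNSBL_ANSWER_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

# A resolver maps a query name to its A records, or [] for NXDOMAIN.
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name, e.g. 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage and IPv6 early
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_answers(ip: str, zone: str, resolve: Resolver) -> List[str]:
    """A records for the IP in the zone, validated to be 127/8 answers.

    A zone that hands back anything else is not saying 'listed'; it is a sign
    the resolver is being blocked or hijacked, so fail loudly instead of
    miscounting it as a hit.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    for a in answers:
        if ipaddress.IPv4Address(a) not in DNSBL_ANSWER_RANGE:
            raise ValueError(f"unexpected DNSBL answer {a} for {ip} in {zone}")
    return answers


def zen_sublists(ip: str, resolve: Resolver, zone: str = "zen.spamhaus.org") -> List[str]:
    """Which zen component lists carry the IP (empty list if none)."""
    return [ZEN_CODES.get(a, f"unknown code {a}") for a in dnsbl_answers(ip, zone, resolve)]


def count_listed(ips: Iterable[str], zones: Iterable[str], resolve: Resolver) -> Dict[str, int]:
    """How many of `ips` are listed in each zone (the 'N of the top 30' tally)."""
    zones = list(zones)
    counts = {z: 0 for z in zones}
    for ip in ips:
        for z in zones:
            if dnsbl_answers(ip, z, resolve):
                counts[z] += 1
    return counts


def system_resolver(name: str) -> List[str]:
    """Real lookup through the OS resolver; NXDOMAIN becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed sample data (RFC 5737 documentation addresses). These are NOT
# real listings; they exist so the example runs offline with a known answer.
FAKE_ZONE_DATA = {
    "zen.spamhaus.org": {
        "192.0.2.10": ["127.0.0.4"],                 # XBL hit sourced from the CBL
        "192.0.2.11": ["127.0.0.11"],                # PBL only: end-user address space
        "192.0.2.12": ["127.0.0.2", "127.0.0.11"],   # on SBL and PBL at once
    },
    "cbl.abuseat.org": {"192.0.2.10": ["127.0.0.2"]},
    "bl.spamcop.net": {"192.0.2.11": ["127.0.0.2"], "192.0.2.13": ["127.0.0.2"]},
}


def make_fake_resolver(data: Dict[str, Dict[str, List[str]]]) -> Resolver:
    """Turn {zone: {ip: answers}} into a resolver keyed by full query name."""
    table = {}
    for zone, listings in data.items():
        for ip, answers in listings.items():
            table[dnsbl_query_name(ip, zone)] = answers
    return lambda name: table.get(name, [])


if __name__ == "__main__":
    resolve = make_fake_resolver(FAKE_ZONE_DATA)
    top_rejected = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    for ip in top_rejected:
        print(ip, "zen:", zen_sublists(ip, resolve) or "not listed")
    print(count_listed(top_rejected, FAKE_ZONE_DATA.keys(), resolve))
```

Swap `make_fake_resolver(...)` for `system_resolver` to run it for real; note that the public Spamhaus mirrors refuse queries that arrive via large open resolvers, which is exactly the non-127/8 (or empty) answer case the code guards against.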
This week Hotmail managed:
- 2 messages accepted; I suspect both were spam.
- no messages rejected because they came from non-Hotmail email addresses.
- 36 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 5 messages refused due to their origin IP address (one in SBL33955, which dates from 2005; one in SBL47589; one in the CBL; one from the Cote d'Ivoire; and one from Ghana).
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 555 | 78 | 1041 | 96 |
Bad bounces | 13 | 7 | 4 | 4 |
The numbers on bad bounces have gotten a bit worse, but only a bit.
Bad HELOs had no really big sources; the biggest three were 65.120.172.122 (71 tries), 72.54.106.163 (63 tries), and 74.62.160.114 (50 tries).
One machine contributed more than half of the bad bounces this week; 72.37.163.14 tried to send seven bounces to a single bad username. Bad bounces were sent to 6 different usernames this week, all of them ex-users. One ex-user got eight bounces; all the others got one each.