Weekly spam summary on April 21st, 2007
This week, we:
- got 12,325 messages from 286 different IP addresses.
- handled 19,040 sessions from 1,240 different IP addresses.
- received 170,841 connections from at least 51,674 different IP addresses.
- hit a highwater of 17 connections being checked at once.
This is slightly up from last week, which just means it's within normal fluctuations. The per day table is flatter this time around:
Kernel level packet filtering top ten:
|Host/Mask||Packets||Bytes|
|184.108.40.206/24||34173||1640K||adelphia.net|
|220.127.116.11/23||27081||1315K||cox.net|
|18.104.22.168/24||12790||580K||bellsouth.net|
|22.214.171.124||11106||519K|
|126.96.36.199/27||10994||603K|
|188.8.131.52/24||10704||642K||centrum.cz|
|184.108.40.206||6001||312K|
|220.127.116.11||5451||269K|
|18.104.22.168||4535||218K|
|22.214.171.124||4315||237K|
Volume is slightly up on last week, which is vaguely depressing. The 126.96.36.199/27 netblock deserves special mention; it is another tendril of the otcpicknews.com (aka otcpicks.com and many others) group, previously found slamming us from 188.8.131.52/26 last week. Evidently adding them to the kernel level blocks was a good idea.
- 184.108.40.206 and 220.127.116.11 return from last week.
- 18.104.22.168 kept trying to send us phish spam that had already tripped over our spamtraps.
- 22.214.171.124 is a charter.com cablemodem or other dynamic IP address.
- 126.96.36.199 is part of 188.8.131.52/27, but we blocked it first so it gets a separate entry.
Connection time rejection stats:
48381 total
25951 dynamic IP
16153 bad or no reverse DNS
4951 class bl-cbl
215 acceleratebiz.com
191 class bl-dsbl
133 qsnews.net
116 class bl-pbl
85 class bl-sbl
77 class bl-njabl
62 class bl-sdul
23 cuttingedgemedia.com
The highest SBL source this week is SBL48694 with 13 hits, which is a known spam sending source that was listed at the end of March.
Seven of the top 30 most rejected IP addresses were rejected 100 times or more this week; the champion is 184.108.40.206 (1107 rejections, a speedy.com.ar IP address without good reverse DNS), followed closely by 220.127.116.11 (971 rejections, a rr.com cablemodem) and 18.104.22.168 (836 rejections, a btcentralplus.com dynamic machine of some description). Ten of the top 30 are currently in the CBL, one is in the SBL (22.214.171.124, in SBL21133, listed April 18th 2005 for emitting way too much advance fee fraud spam), three are in bl.spamcop.net, twelve are in the PBL, and a grand total of 17 of the top 30 are in
(Locally, 13 were rejected as 'dynamic IP', 11 were rejected for having bad or missing reverse DNS, 4 were rejected for being various places we don't talk to any more on account of spam, and two are on the DSBL.)
This week Hotmail had:
- no messages accepted.
- 2 messages rejected because they came from non-Hotmail email addresses.
- 36 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (one in the CBL, one in SBL33955, an advance fee fraud spam source listing from October 24th 2005 (and it was sending through Hotmail back then), and one from saix.net/telkcom.co.za).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading source of bad HELOs is 126.96.36.199, with 96 rejections.
The leading source of bad bounces was 012.net.il, followed by earthlink.net and videotron.ca; other bad bounces came from a random smattering of all over.
Bad bounces were sent to 23 different bad usernames this week. The leading target, with 39 attempts, was an old user account, long since removed; after that, with 6 attempts, comes our old friend noreply. Apart from that, almost all of the bounces went to things OtisVentura, with a smattering of old local users.