Wandering Thoughts archives

2007-04-21

Weekly spam summary on April 21st, 2007

This week, we:

  • got 12,325 messages from 286 different IP addresses.
  • handled 19,040 sessions from 1,240 different IP addresses.
  • received 170,841 connections from at least 51,674 different IP addresses.
  • hit a highwater of 17 connections being checked at once.

This is slightly up from last week, which just means it's within normal fluctuations. The per day table is flatter this time around:

Day Connections different IPs
Sunday 25,199 +8,285
Monday 28,318 +7,887
Tuesday 28,035 +8,508
Wednesday 26,202 +8,425
Thursday 24,601 +7,856
Friday 22,180 +5,824
Saturday 16,306 +4,889

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.168.78.0/24        34173   1640K adelphia.net
68.230.240.0/23       27081   1315K cox.net
205.152.59.0/24       12790    580K bellsouth.net
209.60.190.123        11106    519K
206.123.109.0/27      10994    603K
213.29.7.0/24         10704    642K centrum.cz
213.4.149.12           6001    312K
204.202.11.243         5451    269K
24.216.176.82          4535    218K
206.123.109.8          4315    237K

Volume is slightly up on last week, which is vaguely depressing. The 206.123.109.0/27 netblock deserves special mention; it is another tendril of the otcpicknews.com (aka otcpicks.com and many others) group, previously found slamming us from 72.249.13.64/26 last week. Evidently adding them to the kernel level blocks was a good idea.

  • 209.60.190.123 and 213.4.149.12 return from last week.
  • 204.202.11.243 kept trying to send us phish spam that had already tripped over our spamtraps.
  • 24.216.176.82 is a charter.com cablemodem or other dynamic IP address.
  • 206.123.109.8 ias part of 206.123.109.0/27, but we blocked it first so it gets a separate entry.

Connection time rejection stats:

  48381 total
  25951 dynamic IP
  16153 bad or no reverse DNS
   4951 class bl-cbl
    215 acceleratebiz.com
    191 class bl-dsbl
    133 qsnews.net
    116 class bl-pbl
     85 class bl-sbl
     77 class bl-njabl
     62 class bl-sdul
     23 cuttingedgemedia.com

The highest SBL source this week is SBL48694 with 13 hits, which is a known spam sending source that was listed at the end of March.

Seven of the top 30 most rejected IP addresses were rejected 100 times or more this week; the champion is 190.51.4.122 (1107 rejections, a speedy.com.ar IP address without good reverse DNS), followed closely by 76.187.221.186 (971 rejections, a rr.com cablemodem) and 86.135.179.47 (836 rejections, a btcentralplus.com dynamic machine of some description). Ten of the top 30 are currently in the CBL, one is in the SBL (213.154.87.161, in SBL21133, listed April 18th 2005 for emitting way too much advance fee fraud spam), three are currently in bl.spamcop.net, twelve are in the PBL, and a grand total of 17 of the top 30 are in zen.spamhaus.org.

(Locally, 13 were rejected as 'dynamic IP', 11 were rejected for having bad or missing reverse DNS, 4 were rejected for being various places we don't talk to any more on account of spam, and two are on the DSBL.)

This week Hotmail had:

  • no messages accepted.
  • 2 messages rejected because they came from non-Hotmail email addresses.
  • 36 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (one in the CBL, one in SBL33955, an advance fee fraud spam source listing from October 24th 2005 (and it was sending through Hotmail back then), and one from saix.net/telkcom.co.za).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 720 75 940 72
Bad bounces 68 22 57 29

The leading source of bad HELOs is 203.90.78.101, with 96 rejections. The leading source of bad bounces was 012.net.il, followed by earthlink.net and videotron.ca; other bad bounces came from a random smattering of all over.

Bad bounces were sent to 23 different bad usernames this week. The leading target, with 39 attempts, was an old user account, long since removed; after that, with 6 attempts, comes our old friend noreply. Apart from that, almost all of the bounces went to things like OtisVentura, with a smattering of old local users.

spam/SpamSummary-2007-04-21 written at 23:29:01; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.