Weekly spam summary on April 21st, 2007
This week, we:
- got 12,325 messages from 286 different IP addresses.
- handled 19,040 sessions from 1,240 different IP addresses.
- received 170,841 connections from at least 51,674 different IP addresses.
- hit a highwater of 17 connections being checked at once.
This is slightly up from last week, which just means it's within normal fluctuations. The per day table is flatter this time around:
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
22.214.171.124/24      34173   1640K   adelphia.net
126.96.36.199/23       27081   1315K   cox.net
188.8.131.52/24        12790    580K   bellsouth.net
184.108.40.206         11106    519K
220.127.116.11/27      10994    603K
18.104.22.168/24       10704    642K   centrum.cz
22.214.171.124          6001    312K
126.96.36.199           5451    269K
188.8.131.52            4535    218K
184.108.40.206          4315    237K
Volume is slightly up on last week, which is vaguely depressing. The 220.127.116.11/27 netblock deserves special mention; it is another tendril of the otcpicknews.com (aka otcpicks.com and many others) group, previously found slamming us from 18.104.22.168/26 last week. Evidently adding them to the kernel level blocks was a good idea.
- 22.214.171.124 and 126.96.36.199 return from last week.
- 188.8.131.52 kept trying to send us phish spam that had already tripped over our spamtraps.
- 184.108.40.206 is a charter.com cablemodem or other dynamic IP address.
- 220.127.116.11 is part of 18.104.22.168/27, but we blocked it first so it gets a separate entry.
Connection time rejection stats:
48381 total
25951 dynamic IP
16153 bad or no reverse DNS
 4951 class bl-cbl
  215 acceleratebiz.com
  191 class bl-dsbl
  133 qsnews.net
  116 class bl-pbl
   85 class bl-sbl
   77 class bl-njabl
   62 class bl-sdul
   23 cuttingedgemedia.com
The highest SBL source this week is SBL48694 with 13 hits, which is a known spam sending source that was listed at the end of March.
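The rejection categories above are produced by a fixed sequence of connection-time checks, and only the first check that fires gets counted. The following is an added illustration of that classification, not the code behind these summaries: it stands in for DNS with constructed lookup tables (documentation-range IPs, made-up host names), treats a reverse-DNS name that looks like a cable/DSL/pool host as "dynamic IP", treats a missing or forward-unconfirmed PTR as "bad or no reverse DNS", and then consults the DNSBL classes in an assumed order with assumed zone names. The point it shows is that the per-category counts are not independent: a CBL-listed cablemodem is recorded only as "dynamic IP", and a host listed in both the PBL and the SBL is recorded under whichever class is checked first.

```python
"""Connection-time rejection classifier (added example, not the post's own code).

Checks run in a fixed order and only the first match is recorded, which is
why category counts in a weekly summary cannot simply be added together.
"""
import re
from collections import Counter

# --- constructed data standing in for DNS lookups (no real DNS is queried) ---
# IPs are from the documentation range 192.0.2.0/24; host names are invented.
PTR = {
    "192.0.2.10": "cpe-192-0-2-10.cable.example.net",  # looks dynamic
    "192.0.2.11": "mail.example.org",                   # forward-confirmed
    "192.0.2.12": None,                                 # no PTR at all
    "192.0.2.13": "host13.example.net",                 # PTR does not confirm
    "192.0.2.14": "mx2.example.com",                    # forward-confirmed
    "192.0.2.15": "dsl-192-0-2-15.example-isp.net",     # looks dynamic
    "192.0.2.16": "relay.example.edu",                  # clean host
}
A_RECORDS = {
    "cpe-192-0-2-10.cable.example.net": {"192.0.2.10"},
    "mail.example.org": {"192.0.2.11"},
    "host13.example.net": {"192.0.2.99"},  # forward lookup disagrees with PTR
    "mx2.example.com": {"192.0.2.14"},
    "dsl-192-0-2-15.example-isp.net": {"192.0.2.15"},
    "relay.example.edu": {"192.0.2.16"},
}
# DNSBL classes in the (assumed) order they are consulted; zone names are
# assumptions for illustration, not the post's configuration.
DNSBL_ORDER = [
    ("bl-cbl", "cbl.abuseat.org"),
    ("bl-dsbl", "list.dsbl.org"),
    ("bl-pbl", "pbl.spamhaus.org"),
    ("bl-sbl", "sbl.spamhaus.org"),
    ("bl-njabl", "dnsbl.njabl.org"),
    ("bl-sdul", "dul.dnsbl.sorbs.net"),
]
# Constructed listings: .10 is in the CBL but will never reach that check.
LISTED = {
    "cbl.abuseat.org": {"192.0.2.10", "192.0.2.11"},
    "pbl.spamhaus.org": {"192.0.2.10", "192.0.2.14"},
    "sbl.spamhaus.org": {"192.0.2.14"},
}

# Heuristic for "dynamic-looking" reverse DNS (an assumption, kept deliberately
# narrow so a plain mail host name does not trip it).
DYNAMIC_RE = re.compile(r"(^|[.-])(cpe|dsl|dhcp|dyn|ppp|cable|pool)([.-]|\d)", re.I)


def ptr_name(ip):
    return PTR.get(ip)


def forward_confirmed(name, ip):
    """PTR name resolves back to the connecting IP."""
    return ip in A_RECORDS.get(name, set())


def listed_in(zone, ip):
    return ip in LISTED.get(zone, set())


def classify(ip):
    """Return the rejection reason recorded for this connection, or None."""
    name = ptr_name(ip)
    if name and DYNAMIC_RE.search(name):
        return "dynamic IP"
    if not name or not forward_confirmed(name, ip):
        return "bad or no reverse DNS"
    for cls, zone in DNSBL_ORDER:
        if listed_in(zone, ip):
            return "class " + cls
    return None  # accepted at connection time


def tally(ips):
    """Aggregate first-match reasons the way a weekly summary would."""
    counts = Counter()
    for ip in ips:
        reason = classify(ip)
        if reason:
            counts["total"] += 1
            counts[reason] += 1
    return counts


# Constructed connection log: repeated entries are repeat connections.
SAMPLE_CONNECTIONS = [
    "192.0.2.10", "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
    "192.0.2.14", "192.0.2.15", "192.0.2.16", "192.0.2.16",
]

if __name__ == "__main__":
    for reason, n in tally(SAMPLE_CONNECTIONS).most_common():
        print(f"{n:5d} {reason}")
```

Running it on the constructed log yields 7 rejections: 3 "dynamic IP", 2 "bad or no reverse DNS", 1 "class bl-cbl" and 1 "class bl-pbl". Note that 192.0.2.14 is also SBL-listed but never reaches that check, so reordering `DNSBL_ORDER` changes the table without changing which connections are refused.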
Seven of the top 30 most rejected IP addresses were rejected 100 times or more this week; the champion is 22.214.171.124 (1107 rejections, a speedy.com.ar IP address without good reverse DNS), followed closely by 126.96.36.199 (971 rejections, a rr.com cablemodem) and 188.8.131.52 (836 rejections, a btcentralplus.com dynamic machine of some description). Ten of the top 30 are currently in the CBL, one is in the SBL (184.108.40.206, in SBL21133, listed April 18th 2005 for emitting way too much advance fee fraud spam), three are in bl.spamcop.net, twelve are in the PBL, and a grand total of 17 of the top 30 are in
(Locally, 13 were rejected as 'dynamic IP', 11 were rejected for having bad or missing reverse DNS, 4 were rejected for being various places we don't talk to any more on account of spam, and two are on the DSBL.)
This week Hotmail had:
- no messages accepted.
- 2 messages rejected because they came from non-Hotmail email addresses.
- 36 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (one in the CBL, one in SBL33955, an advance fee fraud spam source listing from October 24th 2005 (and it was sending through Hotmail back then), and one from saix.net/telkcom.co.za).
And the final numbers:
what | # this week (distinct IPs) | # last week (distinct IPs)
The leading source of bad HELOs is 220.127.116.11, with 96 rejections.
The leading source of bad bounces was 012.net.il, followed by earthlink.net and videotron.ca; other bad bounces came from a random smattering of all over.
Bad bounces were sent to 23 different bad usernames this week. The leading target, with 39 attempts, was an old user account, long since removed; after that, with 6 attempts, comes our old friend noreply. Apart from that, almost all of the bounces went to things like OtisVentura, with a smattering of old local users.