Wandering Thoughts archives

2007-05-19

Weekly spam summary on May 19th, 2007

This week, we:

  • got 10,112 messages from 256 different IP addresses.
  • handled 17,652 sessions from 1,101 different IP addresses.
  • received 154,723 connections from at least 52,588 different IP addresses.
  • hit a highwater of 10 connections being checked at once.

Volume is definitely down compared to last week, although the connection highwater is the same. In fact I believe this is about the lowest it's been in a while. The per day table is pretty flat:

Day Connections different IPs
Sunday 21,494 +8,681
Monday 23,915 +7,719
Tuesday 24,752 +8,314
Wednesday 19,784 +6,416
Thursday 24,210 +7,165
Friday 22,797 +7,834
Saturday 17,771 +6,459

Wednesday stands out so much that I find myself wondering if we had some sort of Internet connectivity interruption then. (Not that I noticed.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          40667   2115K
81.29.198.11          27795   1667K
205.152.59.0/24       23790   1078K bellsouth.net
68.230.240.0/23       23148   1124K cox.net
68.168.78.0/24        14972    719K adelphia.net
213.29.7.0/24         12577    754K centrum.cz
216.75.6.165           8532    409K
61.9.154.105           6427    308K
61.9.149.224           5621    270K
209.159.39.221         5184    311K

The big advance fee fraud spam webmail sources did not so much drop as get displaced by other, more active places; kernel rejection volume is up significantly from last week.

  • 213.4.149.12, mailhost.terra.es, returns from last week and many previous weeks.
  • 81.29.198.11 is blocked for being a phish spam source.
  • 216.75.6.165 returns from last week, still in a /24 apparently colonized by a spammer.
  • 61.9.154.105 and 61.9.149.224 were rejected for being bigpond.net.au generic customers, and on checking I see that they are both on the CBL and one is even SBL54740.
  • 209.159.39.221 is in the SORBS DUL.

Connection time rejection stats:

  39266 total
  19977 dynamic IP
  13568 bad or no reverse DNS
   4192 class bl-cbl
    382 qsnews.net
    172 class bl-dsbl
    115 class bl-sdul
    113 acceleratebiz.com
    110 class bl-pbl
     93 dartmail.net
     69 reliablehosting.com
     51 class bl-njabl
     48 class bl-sbl
     35 216.75.6.0/24

The highest source of SBL rejections this week is SBL30718 at 11 rejections (a Septh 4th 2005 /24 listing for too much advance fee fraud spam), followed by SBL50181 at 10 rejections (microcamp.com.br, which we've seen many times before). It's kind of depressing that even the SBL hasn't been able to get these people to take notice and fix their problems.

Only one of the top 30 most rejected IP addresses was rejected 100 times or more this week: 216.213.172.11, part of our qsnews.net block, was rejected 300 times. Seven out of the top 30 are currently in the CBL, eighteen are currently in bl.spamcop.net, fifteen are in the PBL, and a grand total of 19 are in zen.spamhaus.org.

(Locally, 21 were rejected as dynamic IP addresses, 4 for having bad or missing reverse DNS, three for being from places we don't want to talk to any more, and one for being in the SORBS DUL and one for being in the DSBL.)

This week Hotmail had:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 53 messages sent to our spamtraps.
  • 5 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one in the CBL and one from Senegal).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 769 62 1833 172
Bad bounces 52 25 452 423

This is a welcome decline from last week. The leading source of bad HELOs was 67.126.132.83 (97 tries), followed by 202.64.172.140 and 65.75.64.3 (each with 70 tries).

Bad bounces were sent to 50 different bad usernames this week, with the most popular being a tie between yuri0814 and JeanChang at two each. Bad usernames like LamarByrne completely dominated the list, with only one ex-user and a few things like khw and a-k511. This week Verizon totally dominates as the origin, with softbank.ne.jp and Earthlink more or distantly tied for the second spot.

spam/SpamSummary-2007-05-19 written at 23:28:34;


Page tools: See As Normal.
Search:
Login: Password:

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.