Weekly spam summary on May 26th, 2007
Unfortunately, our SMTP frontend restarted sometime Friday, so I only have some statistics up until Friday morning. That said, this week we:
- got 10,439 messages from 277 different IP addresses.
- handled 18,746 sessions from 1,402 different IP addresses.
- received 137,918 connections from at least 49,448 different IP addresses up until Friday at 4am.
- hit a highwater of 9 connections being checked at once.
Mashing some data around suggests that the total connection volume over the entire week is at least 165,164 connections, which would put us somewhat up from last week. It's possible that Friday saw a major surge of connections that were not captured in various things.
Kernel level packet filtering top ten:
Host/Mask            Packets  Bytes
126.96.36.199          32661  1697K
188.8.131.52/24        23363  1059K  bellsouth.net
184.108.40.206/24      15685   940K  centrum.cz
220.127.116.11/23      14168   688K  cox.net
18.104.22.168           9211   442K
22.214.171.124/24       7787   374K  adelphia.net
126.96.36.199           7170   344K
188.8.131.52            3917   235K
184.108.40.206          3807   228K
220.127.116.11/24       2978   134K  iol.it
Overall packet-filter volume is down from last week, which I consider good. Unfortunately but predictably, I don't think the advance fee fraud spam webmail sources are doing much about their problem yet.
- 18.104.22.168, mailhost.terra.es, returns from last week and many weeks before.
- 22.214.171.124 and 126.96.36.199 return from last week.
- 188.8.131.52 does not technically return from last week because it was not in the kernel packet filtering list then, but it was the HELO source then and this time it made the top ten.
- 184.108.40.206 was also listed for repeatedly trying a bad HELO, and returns from early January.
Connection time rejection stats:
44597  total
24119  dynamic IP
14810  bad or no reverse DNS
 4267  class bl-cbl
  249  qsnews.net
  241  class bl-pbl
  152  dartmail.net
  137  acceleratebiz.com
   88  class bl-sbl
   82  class bl-dsbl
   80  class bl-sdul
   40  class bl-njabl
   30  220.127.116.11/24
The highest source of SBL rejections this week was SBL51583 with 22 rejections; it is a listing from February 23rd for a hijacked 'serverkompetenz.net' machine. The next highest source (at 18 rejections) is for an IP address that has now been removed from the SBL; I suspect that it was a hijacked machine that got cleaned up.
Five of the top 30 most rejected IP addresses were rejected 100 times or more this week; the champion is 18.104.22.168 (326 rejections, for bad or missing reverse DNS), followed by 22.214.171.124 (228 rejections, qsnews.net), 126.96.36.199 (191 rejections, in the CBL), 188.8.131.52 (162 rejections, a tpnet.pl ADSL customer), and 184.108.40.206 (145 rejections, for bad or missing reverse DNS).
(Checking what else is hanging out in 220.127.116.11/24, I am somehow not surprised to find signs of otcpicksnews.com.)
Eleven out of the top 30 most rejected IP addresses are currently in the CBL, two are in the SBL (18.104.22.168 is in SBL21134 and SBL43951, a /23 and a /22 listing for advance fee fraud from Senegal that date from May and July of 2006, and 22.214.171.124 is in SBL21129, another listing for Senegal advance fee fraud spam sources, this time dating from November 2004), seven are currently in, eighteen are in the PBL, and a grand total of 21 out of the 30 are in zen.spamhaus.org. Lest I become too enthused about zen.spamhaus.org agreeing with me, only six of our top ten are in it.
(Locally, 15 were rejected as dynamic IP addresses, 13 for having bad or missing reverse DNS, one for being qsnews.net, and one for being in the CBL.)
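The CBL, SBL, PBL and zen counts above come from looking each IP up in zen.spamhaus.org, which aggregates the SBL, the XBL (which carries CBL data) and the PBL and tells them apart by the 127.0.0.x address it answers with. The following is an added example, not code from the original post: it builds the reversed-octet query name, maps zen's answer codes to lists, refuses to treat Spamhaus's 127.255.255.x error answers as listings, and tallies a set of addresses the way the paragraph above does. DNS resolution is injected as a function so it runs offline; the IP addresses, the answers in SAMPLE_ANSWERS and the fake_resolve helper are constructed for the example (RFC 5737 documentation ranges), not real listings.

```python
"""Tally which Spamhaus lists a set of IPs fall into, via zen.spamhaus.org answer codes."""
import ipaddress
from collections import Counter
from typing import Callable, Dict, Iterable, List, Set

ZEN_ZONE = "zen.spamhaus.org"

# Answer codes documented for zen.spamhaus.org. XBL answers carry the CBL data,
# so an XBL hit is what the post calls "in the CBL".
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",   # SBL CSS
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

Resolver = Callable[[str], List[str]]  # query name -> list of A-record answers


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the reversed-octet DNSBL name, e.g. 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage before it becomes a DNS query
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_answers(answers: Iterable[str]) -> Set[str]:
    """Map zen answer addresses to list names; refuse to count errors as listings."""
    lists: Set[str] = set()
    for a in answers:
        if a.startswith("127.255.255."):
            # Spamhaus signals open-resolver use, query limits and similar errors here.
            raise RuntimeError(f"Spamhaus error answer {a}, not a listing")
        if a not in ZEN_CODES:
            # A wildcarded or hijacked zone, or a resolver that rewrites NXDOMAIN.
            raise RuntimeError(f"unexpected answer {a} from {ZEN_ZONE}")
        lists.add(ZEN_CODES[a])
    return lists


def zen_lookup(ip: str, resolve: Resolver) -> Set[str]:
    """Return the set of Spamhaus lists (SBL/XBL/PBL) that list this IP; empty if clean."""
    return classify_answers(resolve(dnsbl_query_name(ip)))


def tally(ips: Iterable[str], resolve: Resolver) -> Counter:
    """Count per-list hits plus a 'zen' total of addresses listed anywhere."""
    counts: Counter = Counter()
    for ip in ips:
        lists = zen_lookup(ip, resolve)
        counts.update(lists)
        if lists:
            counts["zen"] += 1
    return counts


# Constructed sample data: documentation-range IPs with made-up listings.
SAMPLE_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.9"]
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.4"],                 # XBL (CBL) only
    dnsbl_query_name("192.0.2.11"): ["127.0.0.2", "127.0.0.11"],   # SBL range that is also PBL
    dnsbl_query_name("198.51.100.7"): ["127.0.0.11"],              # PBL only
    dnsbl_query_name("203.0.113.9"): [],                           # not listed
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in for a real resolver; a real one would do an A lookup on `name`."""
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(ip, sorted(zen_lookup(ip, fake_resolve)) or "clean")
    print(dict(tally(SAMPLE_IPS, fake_resolve)))
```

To use it against the real zone, pass a resolver that performs an A lookup on the query name (socket.gethostbyname_ex or dnspython) and returns the addresses, and treat NXDOMAIN as an empty list. The error-answer check matters in practice: a 127.255.255.x answer from a rate-limited or public resolver would otherwise be counted as a listing and reject legitimate mail.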
This week, Hotmail had:
- 4 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 36 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 6 messages refused due to their origin IP address (two from the Cote d'Ivoire, one in the CBL, one in SBL33810, one from Nigeria, and one from saix.net).
And the final numbers:
what | # this week (distinct IPs) | # last week (distinct IPs)
There was no particular active bad HELO source this week (probably partly because I blocked some of them early).
Bad bounces were sent to 173 different bad usernames this week, with the most popular one being raebynum with five attempts. The bad usernames are all over the map this week, but the most popular sort seems to be JewelZavala. For amusement, there was one attempt to deliver a bounce to the username user. Bounces came from all over, with Verizon and Earthlink still up in the list but being challenged by sites in the Far East (including Japan and Taiwan), Australia, and various other places.