Weekly spam summary on June 9th, 2007
This week, we:
- got 13,047 messages from 274 different IP addresses.
- handled 19,786 sessions from 1,500 different IP addresses.
- received 255,420 connections from at least 71,636 different IP addresses.
- hit a highwater of 12 connections being checked at once.
The volume is down compared to last week and probably down overall, although not by much. The count of different IP addresses is up a little bit, for what that's worth.
The per day breakdown shows the influence of 18.104.22.168 again; after the Sunday morning reboot that flushed the kernel block table it promptly started hitting us again. It is now in our permanent blocklist, so that won't happen again.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 22.214.171.124 40939 2127K 126.96.36.199 24524 1274K 188.8.131.52/24 23960 1086K bellsouth.net 184.108.40.206/23 23875 1159K cox.net 220.127.116.11/24 14588 700K adelphia.net 18.104.22.168 13339 658K 22.214.171.124/24 8660 518K centrum.cz 126.96.36.199 7180 354K 188.8.131.52 4287 200K 184.108.40.206/24 3431 165K tin.it
The volume here is significantly up compared to last week, led by some extremely prolific sources.
- 220.127.116.11 and 18.104.22.168 are both terra.es machines with bad
HELOnames; the former most recently appeared back in December 2005, while the latter returns from last week.
- 22.214.171.124 kept trying to send phish spam email, and we saw it before in February when it was trying the same thing.
- 126.96.36.199 is another place that kept trying to send phish spam.
- 188.8.131.52 kept trying with a bad
Connection time rejection stats:
55161 total 28121 dynamic IP 20708 bad or no reverse DNS 4676 class bl-cbl 424 qsnews.net 230 class bl-pbl 188 class bl-dsbl 119 class bl-njabl 110 acceleratebiz.com 79 class bl-sbl 73 class bl-sdul
The highest source of SBL rejections this week was SBL53722 with 37 rejections. This is an April 19th listing for cavtel.net's outgoing webmail server, listed due to it being used for advance fee fraud spam.
Three of the top 30 most rejected IP addresses were rejected 100 times
or more this week; in the lead is 184.108.40.206 with 347 rejections,
blocked for bad reverse DNS and also listed in the CBL. Closely following
it is 220.127.116.11 with 343 rejections, which a qsnews.net machine.
Twelve of the top 30 are currently in the CBL, fifteen are currently in
bl.spamcop.net, thirteen are in the PBL, and a grand total of twenty
one are in zen.spamhaus.org.
(Locally, 17 were rejected for being dynamic IPs, 10 for having bad or missing reverse DNS, 2 for being qsnews.net, and 1 for being in the DSBL.)
This week, Hotmail had:
- 3 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 38 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one in the CBL and one from Cote d'Ivoire).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
This is an improvement over last week, but only a marginal one.
The leading source of bad
HELOs this week was 18.104.22.168 with
105 rejections for a
HELO name ending in
.local. (I see a lot
HELOs ending in
.local for some reason.)
Bad bounces were sent to 237 different bad usernames this week, with
the most popular by far being
EllisHyatt (47 attempts). A surprising
number of usernames like that were hit twice this week; while that
username pattern continues to be the most popular, various all lower
case usernames made a reasonably strong showing. I suspect that they are
valid usernames somewhere, because they're all over the map in what form
they use, ranging from
Just like last week, the single largest point source of bad bounces was w3.org. Various other places, including ezweb.ne.jp, Verizon, and Earthlink threw in decent contributions. The remaining bad bounces came from all over.