Wandering Thoughts archives

2007-06-09

Weekly spam summary on June 9th, 2007

This week, we:

  • got 13,047 messages from 274 different IP addresses.
  • handled 19,786 sessions from 1,500 different IP addresses.
  • received 255,420 connections from at least 71,636 different IP addresses.
  • hit a highwater of 12 connections being checked at once.

The volume is down compared to last week and probably down overall, although not by much. The count of different IP addresses is up a little bit, for what that's worth.

Day         Connections   Different IPs
Sunday           77,507         +10,880
Monday           31,169         +11,486
Tuesday          31,949         +11,151
Wednesday        29,512         +10,089
Thursday         29,405          +9,629
Friday           33,665         +11,087
Saturday         22,213          +7,314

The per-day breakdown shows the influence of 213.223.200.15 again; after the Sunday morning reboot that flushed the kernel block table, it promptly started hitting us again. It is now in our permanent blocklist, so that won't happen again.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          40939   2127K
213.4.149.11          24524   1274K
205.152.59.0/24       23960   1086K bellsouth.net
68.230.240.0/23       23875   1159K cox.net
68.168.78.0/24        14588    700K adelphia.net
204.202.23.184        13339    658K
213.29.7.0/24          8660    518K centrum.cz
204.200.195.201        7180    354K
67.94.63.178           4287    200K
212.216.176.0/24       3431    165K tin.it

The volume here is significantly up compared to last week, led by some extremely prolific sources.

  • 213.4.149.11 and 213.4.149.12 are both terra.es machines with bad HELO names; the former most recently appeared back in December 2005, while the latter returns from last week.
  • 204.202.23.184 kept trying to send phish spam email, and we saw it before in February when it was trying the same thing.
  • 204.200.195.201 is another place that kept trying to send phish spam.
  • 67.94.63.178 kept trying with a bad HELO.

Connection time rejection stats:

  55161 total
  28121 dynamic IP
  20708 bad or no reverse DNS
   4676 class bl-cbl
    424 qsnews.net
    230 class bl-pbl
    188 class bl-dsbl
    119 class bl-njabl
    110 acceleratebiz.com
     79 class bl-sbl
     73 class bl-sdul

The highest source of SBL rejections this week was SBL53722 with 37 rejections. This is an April 19th listing for cavtel.net's outgoing webmail server, listed because it was being used for advance fee fraud spam.

Three of the top 30 most rejected IP addresses were rejected 100 times or more this week; in the lead is 200.121.167.142 with 347 rejections, blocked for bad reverse DNS and also listed in the CBL. Closely following it is 216.213.172.8 with 343 rejections, which is a qsnews.net machine. Twelve of the top 30 are currently in the CBL, fifteen are currently in bl.spamcop.net, thirteen are in the PBL, and a grand total of twenty-one are in zen.spamhaus.org.

(Locally, 17 were rejected for being dynamic IPs, 10 for having bad or missing reverse DNS, 2 for being qsnews.net, and 1 for being in the DSBL.)
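The "currently in the CBL / PBL / zen.spamhaus.org" counts above come from DNSBL lookups: reverse the IP's octets, append the zone, and read the 127.0.0.x answer to see which sub-list hit. As an added example (not code from this blog or from Spamhaus), here is that lookup and tally in Python with the resolver injectable, so it runs offline against constructed answers for TEST-NET addresses; the Zen return-code mapping is the one Spamhaus documents, and live_resolve is the assumed real lookup.

```python
import ipaddress
import socket
from collections import Counter
from typing import Callable

# Documented return codes of the zen.spamhaus.org combined zone
# (the XBL incorporates CBL data, which is why CBL hits show up as XBL here).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for a DNSBL: the IPv4 octets reversed, under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def live_resolve(name: str) -> list[str]:
    """Real lookup: A records for the name, [] when it does not exist (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def zen_listings(ip: str, resolve: Callable[[str], list[str]]) -> list[str]:
    """Zen sub-lists the IP is on; each 127.0.0.x answer maps to SBL, XBL or PBL."""
    answers = resolve(dnsbl_name(ip, "zen.spamhaus.org"))
    return sorted({ZEN_CODES.get(a, "unknown:" + a) for a in answers})

def summarize(ips: list[str], resolve: Callable[[str], list[str]]) -> Counter:
    """Count IPs per sub-list, plus how many are on Zen at all (an IP on two lists counts once)."""
    counts: Counter = Counter()
    for ip in ips:
        lists = zen_listings(ip, resolve)
        counts.update(lists)
        if lists:
            counts["zen (any)"] += 1
    return counts

# Constructed stub answers (not real lookups) so the example runs offline.
STUB_ANSWERS = {
    dnsbl_name("192.0.2.5", "zen.spamhaus.org"): ["127.0.0.4"],
    dnsbl_name("192.0.2.6", "zen.spamhaus.org"): ["127.0.0.11"],
    dnsbl_name("192.0.2.7", "zen.spamhaus.org"): ["127.0.0.2", "127.0.0.10"],
}

def stub_resolve(name: str) -> list[str]:
    return STUB_ANSWERS.get(name, [])

if __name__ == "__main__":
    print(summarize(["192.0.2.5", "192.0.2.6", "192.0.2.7", "192.0.2.8"], stub_resolve))
```

Swap stub_resolve for live_resolve to query the real zone; note that a single zen query returns every sub-list at once, which is cheaper than querying SBL, XBL and PBL separately.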

This week, Hotmail had:

  • 3 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 38 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one in the CBL and one from Cote d'Ivoire).

And the final numbers:

What          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs       1232 (128)                   1369 (142)
Bad bounces      312 (177)                    349 (187)

This is an improvement over last week, but only a marginal one. The leading source of bad HELOs this week was 67.92.184.162 with 105 rejections for a HELO name ending in .local. (I see a lot of bad HELOs ending in .local for some reason.)

Bad bounces were sent to 237 different bad usernames this week, with the most popular by far being EllisHyatt (47 attempts). A surprising number of usernames like that were hit twice this week; while that username pattern continues to be the most popular, various all lower case usernames made a reasonably strong showing. I suspect that they are valid usernames somewhere, because they're all over the map in what form they use, ranging from wada_katsu to mitsu-com to mottetqdd and whitesnows.

Just like last week, the single largest point source of bad bounces was w3.org. Various other places, including ezweb.ne.jp, Verizon, and Earthlink threw in decent contributions. The remaining bad bounces came from all over.

spam/SpamSummary-2007-06-09 written at 23:40:37