2007-06-09
Weekly spam summary on June 9th, 2007
This week, we:
- got 13,047 messages from 274 different IP addresses.
- handled 19,786 sessions from 1,500 different IP addresses.
- received 255,420 connections from at least 71,636 different IP addresses.
- hit a highwater of 12 connections being checked at once.
The volume is down compared to last week and probably down overall, although not by much. The count of different IP addresses is up a little bit, for what that's worth.
Day | Connections | different IPs |
Sunday | 77,507 | +10,880 |
Monday | 31,169 | +11,486 |
Tuesday | 31,949 | +11,151 |
Wednesday | 29,512 | +10,089 |
Thursday | 29,405 | +9,629 |
Friday | 33,665 | +11,087 |
Saturday | 22,213 | +7,314 |
The per day breakdown shows the influence of 213.223.200.15 again; after the Sunday morning reboot that flushed the kernel block table it promptly started hitting us again. It is now in our permanent blocklist, so that won't happen again.
Kernel level packet filtering top ten:
Host/Mask | Packets | Bytes | (network) |
213.4.149.12 | 40939 | 2127K | |
213.4.149.11 | 24524 | 1274K | |
205.152.59.0/24 | 23960 | 1086K | bellsouth.net |
68.230.240.0/23 | 23875 | 1159K | cox.net |
68.168.78.0/24 | 14588 | 700K | adelphia.net |
204.202.23.184 | 13339 | 658K | |
213.29.7.0/24 | 8660 | 518K | centrum.cz |
204.200.195.201 | 7180 | 354K | |
67.94.63.178 | 4287 | 200K | |
212.216.176.0/24 | 3431 | 165K | tin.it |
The volume here is significantly up compared to last week, led by some extremely prolific sources.
- 213.4.149.11 and 213.4.149.12 are both terra.es machines with bad HELO names; the former most recently appeared back in December 2005, while the latter returns from last week.
- 204.202.23.184 kept trying to send phish spam email, and we saw it before in February when it was trying the same thing.
- 204.200.195.201 is another place that kept trying to send phish spam.
- 67.94.63.178 kept trying with a bad HELO.
Connection time rejection stats:
Rejections | Reason |
55161 | total |
28121 | dynamic IP |
20708 | bad or no reverse DNS |
4676 | class bl-cbl |
424 | qsnews.net |
230 | class bl-pbl |
188 | class bl-dsbl |
119 | class bl-njabl |
110 | acceleratebiz.com |
79 | class bl-sbl |
73 | class bl-sdul |
The highest source of SBL rejections this week was SBL53722 with 37 rejections. This is an April 19th listing for cavtel.net's outgoing webmail server, listed due to it being used for advance fee fraud spam.
Three of the top 30 most rejected IP addresses were rejected 100 times or more this week; in the lead is 200.121.167.142 with 347 rejections, blocked for bad reverse DNS and also listed in the CBL. Closely following it is 216.213.172.8 with 343 rejections, which is a qsnews.net machine. Twelve of the top 30 are currently in the CBL, fifteen are currently in bl.spamcop.net, thirteen are in the PBL, and a grand total of twenty one are in zen.spamhaus.org.
(Locally, 17 were rejected for being dynamic IPs, 10 for having bad or missing reverse DNS, 2 for being qsnews.net, and 1 for being in the DSBL.)
This week, Hotmail had:
- 3 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 38 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one in the CBL and one from Cote d'Ivoire).
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 1232 | 128 | 1369 | 142 |
Bad bounces | 312 | 177 | 349 | 187 |
This is an improvement over last week, but only a marginal one.
The leading source of bad HELOs this week was 67.92.184.162 with 105 rejections for a HELO name ending in .local. (I see a lot of bad HELOs ending in .local for some reason.)
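As an added illustration (not code from the original post or from the mail setup it describes), here is the kind of HELO-name sanity check that produces a "bad HELO" rejection at connection time. The rules it applies, the list of private suffixes, and the sample inputs are all my own assumptions, chosen to mirror the case the post mentions (HELO names ending in .local); the `tally` helper only counts reasons the way the weekly summaries do.

```python
"""Added example: a simple HELO-name check of the sort a mail front end
applies before accepting a session. The rules and the suffix list are
assumptions for illustration, not the original post's actual policy."""
import ipaddress
import re
from typing import Dict, Iterable, Optional

# Suffixes that should never show up as a HELO name on a public MX (assumed list).
PRIVATE_SUFFIXES = (".local", ".localdomain", ".lan", ".internal")

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def helo_problem(helo: str) -> Optional[str]:
    """Return a short reason if the HELO name is unacceptable, else None."""
    name = helo.strip().lower()
    if not name:
        return "empty"
    # RFC-style address literals are bracketed, e.g. [192.0.2.10]; accept
    # them if the inside parses as an IP address.
    if name.startswith("[") and name.endswith("]"):
        try:
            ipaddress.ip_address(name[1:-1])
            return None
        except ValueError:
            return "malformed address literal"
    # A bare IP address is not a hostname.
    try:
        ipaddress.ip_address(name)
        return "bare IP address"
    except ValueError:
        pass
    if "." not in name:
        return "unqualified name"
    for suffix in PRIVATE_SUFFIXES:
        if name.endswith(suffix):
            return f"private suffix {suffix}"
    labels = name.rstrip(".").split(".")
    if any(not LABEL_RE.match(label) for label in labels):
        return "invalid label"
    return None


def tally(helos: Iterable[str]) -> Dict[str, int]:
    """Count rejection reasons over a batch of HELO names (constructed input)."""
    counts: Dict[str, int] = {}
    for helo in helos:
        reason = helo_problem(helo)
        if reason:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample of HELO names, not data from the post.
    sample = ["mail.example.com", "Workstation.LOCAL", "pc-12.local",
              "192.0.2.10", "[192.0.2.10]", "localhost", "bad_host.example.net"]
    for helo in sample:
        print(f"{helo:24} -> {helo_problem(helo) or 'ok'}")
    print(tally(sample))
```

Note that the check is deliberately cheap: it runs on every session before any message data arrives, so it only looks at the syntax of the name and never does a DNS lookup.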
Bad bounces were sent to 237 different bad usernames this week, with the most popular by far being EllisHyatt (47 attempts). A surprising number of usernames like that were hit twice this week; while that username pattern continues to be the most popular, various all lower case usernames made a reasonably strong showing. I suspect that they are valid usernames somewhere, because they're all over the map in what form they use, ranging from wada_katsu to mitsu-com to mottetqdd and whitesnows.
Just like last week, the single largest point source of bad bounces was w3.org. Various other places, including ezweb.ne.jp, Verizon, and Earthlink threw in decent contributions. The remaining bad bounces came from all over.