Weekly spam summary on June 16th, 2007
This week, we:
- got 10,437 messages from 238 different IP addresses.
- handled 19,475 sessions from 1,336 different IP addresses.
- received 213,499 connections from at least 71,964 different IP addresses.
- hit a highwater of 8 connections being checked at once.
This is down from last week on the absolute numbers, but may be up somewhat if we exclude the effects of the one prolific connector from last week's numbers. On the other hand, the per day numbers are floating all over the map:
Kernel level packet filtering top ten:
  Host/Mask            Packets  Bytes
  18.104.22.168/23       30243  1469K  cox.net
  22.214.171.124/24      23438  1063K  bellsouth.net
  126.96.36.199          20606  1075K
  188.8.131.52/24        13129   630K  adelphia.net
  184.108.40.206          8783   411K
  220.127.116.11          8629   518K
  18.104.22.168           8429   438K
  22.214.171.124          8220   384K
  126.96.36.199           4791   224K
  188.8.131.52            4128   193K
This is down from last week, and also only a few bad webmail sources have made the top ten this time around; for once, most of them are individual IPs.
- 184.108.40.206 and 220.127.116.11 return from last week and many previous engagements.
- 18.104.22.168 is in NJABL.
- 22.214.171.124 was in the SBL, but the listing has been removed since it started banging on the door.
- 126.96.36.199 is something we consider a dynamic IP, and returns from two weeks ago.
- 188.8.131.52 kept trying to send us phish spam that had already tripped our spamtraps.
- 184.108.40.206 kept trying with a bad
Connection time rejection stats:
  58982  total
  29047  dynamic IP
  23305  bad or no reverse DNS
   4801  class bl-cbl
    316  qsnews.net
    314  class bl-dsbl
    271  class bl-njabl
    180  class bl-pbl
    176  class bl-sbl
     62  220.127.116.11/24
     37  acceleratebiz.com
     33  class bl-sdul
The funny /24 is 'IBS Hosting Corp' aka web1host.net of Tampa, Florida, and we have seen them before. The highest source of SBL rejections this week was 18.104.22.168 with 87 rejections, but its SBL listing has been removed, so the highest source still in the SBL is SBL55450 (24 rejections, a spam source), followed by SBL54907 (23 rejections, a virus spam source).
(Some trawling in news.admin.net-abuse.sightings suggests that we do not want to talk to 22.214.171.124 aka ebizlatin.com even if the SBL no longer lists them, so I have added them to our local blocklist.)
Four of the top 30 most rejected IP addresses were rejected 100 times or more this week, with the leader being 126.96.36.199 (237 rejections for being a qsnews.net machine). Nine of the top 30 are currently in the CBL, seven are currently in bl.spamcop.net, seven are in the PBL, and a grand total of fourteen of the 30 are in zen.spamhaus.org.
(Locally, 14 were rejected for missing or bad reverse DNS, 9 for being dynamic IPs, 3 for being people we don't want to talk to, 2 for being in the DSBL, one for being in the SBL, and one for being in the NJABL.)
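How a per-list breakdown like the CBL / PBL / zen.spamhaus.org counts above can be derived from one zen lookup per address, as an added example (not the author's tooling). It assumes the A-record return codes Spamhaus documents for zen; the IP addresses and lookup answers in `SAMPLE` are constructed, and the DNS query itself is left out so the block runs offline.

```python
import ipaddress

# Return codes Spamhaus documents for zen.spamhaus.org A-record answers.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",    # SBL CSS component
    "127.0.0.4": "XBL",    # CBL data is published through the XBL
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the IPv4 octets and append the zone, as DNSBL lookups require."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Map the A records of one zen lookup to the component lists they name."""
    lists = set()
    for answer in answers:
        if answer.startswith("127.255.255."):
            # Error answers (e.g. query refused) are not listings; counting
            # them as hits would reject every sender.
            raise LookupError("DNSBL error answer: " + answer)
        if answer in ZEN_CODES:
            lists.add(ZEN_CODES[answer])
    return lists

def tally(responses):
    """Count addresses per component list, plus how many are listed at all."""
    counts = {"SBL": 0, "XBL": 0, "PBL": 0, "listed": 0, "error": 0}
    for answers in responses.values():
        try:
            lists = classify(answers)
        except LookupError:
            counts["error"] += 1
            continue
        counts["listed"] += bool(lists)
        for name in lists:
            counts[name] += 1
    return counts

# Constructed sample: documentation-range IPs with made-up lookup answers.
SAMPLE = {
    "192.0.2.10": ["127.0.0.4"],
    "192.0.2.11": ["127.0.0.4", "127.0.0.11"],   # in two lists at once
    "198.51.100.7": ["127.0.0.10"],
    "198.51.100.8": ["127.0.0.2"],
    "203.0.113.5": [],                            # NXDOMAIN: not listed
    "203.0.113.6": ["127.255.255.254"],           # error answer, not a hit
}
```

Because one address can appear in several component lists, the per-list counts can add up to more than the number of addresses listed in zen overall.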
This week, Hotmail had:
- 2 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 48 messages sent to our spamtraps.
- 6 messages refused because their sender addresses had already hit our spamtraps.
- 9 messages refused due to their origin IP address (three for being in the CBL, two for being in SBL52368, two for being from Burkina Faso, one for being from SAIX, and one for being in SBL32972, a listing from November 2005).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading sources of bad HELOs this week are 188.8.131.52 (154 rejections), 184.108.40.206 (104 rejections), and 220.127.116.11 (77 rejections). Only one of them used a clearly bogus HELO name; the others just picked unresolvable ones.
Bad bounces were sent to 178 different bad usernames this week; the most popular position is a seven-way tie between DariusEsparza, each of which had two attempts. This also neatly shows which sort of bad usernames were the most popular overall, although we saw a few odd ones like har-miy. No particular source of bad bounces stands out; contributions came from what are by now all of the usual