Wandering Thoughts archives

2007-06-23

Weekly spam summary on June 23rd, 2007

This week, we:

  • got 10,190 messages from 259 different IP addresses.
  • handled 18,093 sessions from 1,527 different IP addresses.
  • received 223,304 connections from at least 76,627 different IP addresses.
  • hit a highwater of 10 connections being checked at once.

This is up a bit from last week in both connection volume and the number of different IPs trying to talk to us.

Day        Connections   New different IPs
Sunday          26,556             +10,547
Monday          36,931             +12,843
Tuesday         33,743             +12,127
Wednesday       40,667             +13,267
Thursday        28,317              +9,957
Friday          31,912              +9,897
Saturday        25,178              +7,989

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes   (owner, where known)
68.230.240.0/23       32271   1566K cox.net
213.4.149.12          21370   1109K
205.152.59.0/24       21336    966K bellsouth.net
68.168.78.0/24        12143    581K adelphia.net
206.123.109.0/27      11948    662K
72.249.13.81           9476    528K
203.204.118.61         8723    519K
213.4.149.11           4182    217K
68.167.174.246         4062    190K
212.216.176.0/24       3511    169K tin.it

Volume is about the same as last week. The 206.123.109.0/27 netblock is blocked because of otcpicknews.com et al; I put them in the kernel blocks after I got tired of them hammering on us.

  • 213.4.149.12 and 213.4.149.11 return from last week and many previous appearances.
  • 72.249.13.81 is beaconresearchnews.com. We have decided that we don't want to talk to them.
  • 203.204.118.61 aka 50-off.com.tw is in SBL49970, which dates from 11 January 2007.
  • 68.167.174.246 is something we consider a dynamic IP address.

Connection time rejection stats:

  65450 total
  29813 dynamic IP
  28601 bad or no reverse DNS
   5249 class bl-cbl
    315 qsnews.net
    232 class bl-pbl
    142 class bl-sbl
    141 beaconresearchnews.com
    125 class bl-dsbl
    120 dartmail.net
     85 class bl-sdul
     43 216.75.6.0/24 aka IBS Hosting Corp
     37 class bl-njabl

The highest source of SBL rejections this week was SBL55809 with 33 rejections, followed by SBL50728 with 26 and SBL49970 with 23 rejections. All of them are listed as spam sources, with various degrees of involvement in the spam imputed in the SBL listings.

Nine of the top 30 most rejected IP addresses were rejected 100 times or more; the grand champion is 203.156.70.57 with 1,840 rejections (for having no reverse DNS). Dishonorable mentions must also go to 189.171.181.218 (716 rejections, bad reverse DNS and in the CBL and PBL) and 201.79.147.166 (360 rejections, bad reverse DNS, merely in the PBL). Six of the top 30 are currently in the CBL, eleven are currently in bl.spamcop.net, thirteen are in the PBL, and a grand total of 17 are in zen.spamhaus.org.

(Locally, 16 were rejected for bad or missing reverse DNS, 9 for being dynamic IPs, three for being people we didn't want to talk to, and one each for being in the PBL and the DSBL.)

This week, Hotmail had:

  • 4 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 40 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (one in the CBL, one in SBL51849, one from Burkina Faso, and one from a South African wireless company).

And the final numbers:

What           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      1072 (136)                   1557 (118)
Bad bounces     327 (194)                    185 (141)

The leading source of bad HELOs this week was 70.147.170.18 (111 rejections), followed by 207.30.12.132 (81 rejections) and 69.15.68.98 (77 rejections). The latter two used HELO names ending in .local, as did any number of other lower-scoring people.
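The connection-time rejection classes above (dynamic IP, bad or no reverse DNS, the bl-* DNSBL classes) and the bad-HELO check are easy to get subtly wrong in ordering and in DNSBL return-code handling, so here is an added, self-contained Python illustration of one way to implement them. This is example code, not the filter actually run on the site described in this post: the rejection precedence, the "dynamic-looking hostname" regexes and the HELO rules are assumptions, and the DNS data is a constructed fixture using TEST-NET addresses (in production the three dicts would be replaced by real PTR, A and DNSBL queries). The Spamhaus zen return-code mapping (127.0.0.2-3 SBL, 127.0.0.4-7 XBL including the CBL, 127.0.0.10-11 PBL) is the documented convention.

```python
import re

# Spamhaus zen return codes (documented convention).
ZEN_CLASSES = {
    "127.0.0.2": "bl-sbl", "127.0.0.3": "bl-sbl",
    "127.0.0.4": "bl-cbl", "127.0.0.5": "bl-cbl",
    "127.0.0.6": "bl-cbl", "127.0.0.7": "bl-cbl",
    "127.0.0.10": "bl-pbl", "127.0.0.11": "bl-pbl",
}
ZEN_ZONE = "zen.spamhaus.org"

# Assumed heuristics for "looks like a dynamic / consumer-pool hostname":
# generic pool keywords, or all four octets of the address embedded in the name.
DYNAMIC_PATTERNS = (
    re.compile(r"(^|[.-])(dyn|dynamic|dhcp|dsl|adsl|cable|pool|ppp|dial)(?=[.-]|\d)", re.I),
    re.compile(r"\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}"),
)

# Constructed DNS fixture (TEST-NET addresses, no real hosts).
FAKE_PTR = {
    "192.0.2.10": ["mail.example.net"],
    "192.0.2.11": ["dyn-192-0-2-11.example.org"],
    "192.0.2.12": ["mx.example.com"],      # PTR exists but does not resolve back
    "192.0.2.13": ["relay.example.com"],
    "192.0.2.14": ["smtp.example.edu"],
    # 192.0.2.15 deliberately has no PTR record at all
}
FAKE_A = {
    "mail.example.net": ["192.0.2.10"],
    "dyn-192-0-2-11.example.org": ["192.0.2.11"],
    "mx.example.com": ["198.51.100.7"],
    "relay.example.com": ["192.0.2.13"],
    "smtp.example.edu": ["192.0.2.14"],
}
FAKE_ZEN = {
    "13.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # CBL and PBL
    "14.2.0.192.zen.spamhaus.org": ["127.0.0.2"],                # SBL
}


def zen_name(ip):
    """Reverse the octets and append the zone, as IPv4 DNSBL lookups require."""
    return ".".join(reversed(ip.split("."))) + "." + ZEN_ZONE


def looks_dynamic(hostname):
    return any(p.search(hostname) for p in DYNAMIC_PATTERNS)


def classify_connection(ip, ptr=FAKE_PTR, a=FAKE_A, zen=FAKE_ZEN):
    """Return the rejection class for a connecting IP, or None to accept it.

    Assumed precedence: no PTR -> dynamic-looking name -> PTR that does not
    forward-confirm -> DNSBL hit (SBL over CBL over PBL) -> accept.
    """
    names = ptr.get(ip, [])
    if not names:
        return "bad or no reverse DNS"
    if any(looks_dynamic(n) for n in names):
        return "dynamic IP"
    # Forward-confirmed reverse DNS: some PTR name must resolve back to ip.
    if not any(ip in a.get(n, []) for n in names):
        return "bad or no reverse DNS"
    hits = {ZEN_CLASSES[r] for r in zen.get(zen_name(ip), []) if r in ZEN_CLASSES}
    for cls in ("bl-sbl", "bl-cbl", "bl-pbl"):
        if cls in hits:
            return "class " + cls
    return None


def bad_helo(helo):
    """Assumed rules: a .local name or an unbracketed IP literal is never valid."""
    h = helo.strip().lower()
    if h.endswith(".local"):
        return True
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h):  # RFC 5321 wants [1.2.3.4]
        return True
    return False


def summarize(ips, ptr=FAKE_PTR, a=FAKE_A, zen=FAKE_ZEN):
    """Tally rejection classes the way the weekly stats table does."""
    counts = {}
    for ip in ips:
        reason = classify_connection(ip, ptr, a, zen) or "accepted"
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    sample = ["192.0.2.%d" % n for n in range(10, 16)]
    for ip in sample:
        print(ip, classify_connection(ip))
    print(summarize(sample))
    for helo in ("mail.example.net", "WORKSTATION.local", "192.0.2.99", "[192.0.2.99]"):
        print(helo, bad_helo(helo))
```

Note that the dynamic-name test runs before forward confirmation: a pool hostname that forward-confirms correctly is still a dynamic IP for this purpose, which is why it gets its own bucket rather than being folded into "bad reverse DNS".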

Bad bounces were sent to 262 different bad usernames, with the most popular one being VirginiaPerkins with 10 attempts. This bad-username pattern dominated overall, with only a few other patterns showing up (including a few old ex-users). Bounces came from all over, with no particular large single source that I can pick out right now.

spam/SpamSummary-2007-06-23 written at 23:44:44
