Weekly spam summary on June 23rd, 2007
This week, we:
- got 10,190 messages from 259 different IP addresses.
- handled 18,093 sessions from 1,527 different IP addresses.
- received 223,304 connections from at least 76,627 different IP addresses.
- hit a highwater of 10 connections being checked at once.
This is up a bit from last week in both connection volume and the number of different IPs trying to talk to us.
Kernel level packet filtering top ten:
  Host/Mask            Packets   Bytes
  18.104.22.168/23       32271   1566K   cox.net
  22.214.171.124         21370   1109K
  126.96.36.199/24       21336    966K   bellsouth.net
  188.8.131.52/24        12143    581K   adelphia.net
  184.108.40.206/27      11948    662K
  220.127.116.11          9476    528K
  18.104.22.168           8723    519K
  22.214.171.124          4182    217K
  126.96.36.199           4062    190K
  188.8.131.52/24         3511    169K   tin.it
Volume is about the same as last week. The 184.108.40.206/27 netblock is blocked because of otcpicknews.com et al; I put them in the kernel blocks after I got tired of them hammering on us.
- 220.127.116.11 and 18.104.22.168 return from last week and many previous appearances.
- 22.214.171.124 is beaconresearchnews.com. We have decided that we don't want to talk to them.
- 126.96.36.199 aka 50-off.com.tw is in SBL49970, which dates from 11 January 2007.
- 188.8.131.52 is something we consider a dynamic IP address.
Connection time rejection stats:
  65450   total
  29813   dynamic IP
  28601   bad or no reverse DNS
   5249   class bl-cbl
    315   qsnews.net
    232   class bl-pbl
    142   class bl-sbl
    141   beaconresearchnews.com
    125   class bl-dsbl
    120   dartmail.net
     85   class bl-sdul
     43   184.108.40.206/24 aka IBS Hosting Corp
     37   class bl-njabl
The highest source of SBL rejections this week was SBL55809 with 33 rejections, followed by SBL50728 with 26 and SBL49970 with 23 rejections. All of them are listed as spam sources, with various degrees of involvement in the spam imputed in the SBL listings.
Nine of the top 30 most rejected IP addresses were rejected 100 times
or more; the grand champion is 220.127.116.11 with 1,840 rejections
(for having no reverse DNS). Dishonorable mentions must also go to
18.104.22.168 (716 rejections, bad reverse DNS and in the CBL and PBL)
and 22.214.171.124 (360 rejections, bad reverse DNS, merely in the PBL).
Six of the top 30 are currently in the CBL, eleven are currently in
bl.spamcop.net, thirteen are in the PBL, and a grand total of 17
are in zen.spamhaus.org.
(Locally, 16 were rejected for bad or missing reverse DNS, 9 for being dynamic IPs, three for being people we didn't want to talk to, and one each for being in the PBL and the DSBL.)
This week, Hotmail had:
- 4 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 40 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (one in the CBL, one in SBL51849, one from Burkina Faso, and one from a South African wireless company).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading source of bad HELOs this week was 126.96.36.199 (111 rejections), followed by 188.8.131.52 (81 rejections) and 184.108.40.206 (77 rejections). The latter two used .local, as did any number of other lower-scoring people.
Bad bounces were sent to 262 different bad usernames, with the most popular one being VirginiaPerkins with 10 attempts. This bad username pattern dominated the overall most popular pattern, with only a few other patterns showing up (including a few old ex-users). Bounces came from all over, with no particular large single source that I can pick out right now.