Weekly spam summary on June 30th, 2007
This week, we:
- got 10,108 messages from 265 different IP addresses.
- handled 22,107 sessions from 2,055 different IP addresses.
- received 271,991 connections from at least 75,816 different IP addresses.
- hit a highwater of 13 connections being checked at once.
Volume is definitely up from last week. As the per day table illustrates, spammers seem to still prefer Wednesday for their big day:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 22.214.171.124 48724 2534K 126.96.36.199/24 18437 836K bellsouth.net 188.8.131.52/27 17088 944K otcpicknews.com 184.108.40.206/23 16148 784K cox.net 220.127.116.11 12468 584K 18.104.22.168 11273 556K 22.214.171.124/24 10395 499K adelphia.net 126.96.36.199 5511 331K 188.8.131.52 4850 266K 184.108.40.206 4122 198K
Here too volume is up from last week, although not as much.
- 220.127.116.11 returns from last week and many prior appearances, once again showing no signs of giving up.
- 18.104.22.168 also returns from last week. As it happens, they appear to be 'thegrantinstitute.com' (according to their SMTP banner), which is someone we don't want to talk to anyways.
- 22.214.171.124 kept trying to send us phish spam.
- 126.96.36.199 is in hostnoc.net space and doesn't have working reverse DNS.
- 188.8.131.52 kept trying to send mail with an origin address that had already tripped our spamtraps.
- 184.108.40.206 kept trying a bad
Connection time rejection stats:
85848 total 48063 bad or no reverse DNS 30626 dynamic IP 5052 class bl-cbl 318 class bl-pbl 249 qsnews.net 164 dartmail.net 110 class bl-dsbl 96 class bl-sdul 85 class bl-sbl 42 220.127.116.11/24 30 class bl-njabl
The highest source of SBL rejections this week was technically 18.104.22.168 with 16 rejections, but their SBL record has already been removed; since this is zipmail.com.br, I will speculate wildly that they were listed for sourcing lots of advance fee fraud spam, which is certainly why we don't talk to them. After that was SBL56008 with 13 rejections and SBL53722 with 10 rejections; both of them seem to have been listed as advance fee fraud spam sources.
Nine of the top 30 most rejected IP addresses were rejected 100 times or more; the champion is 22.214.171.124 (1,296 rejections), followed by 126.96.36.199 (750 rejections), 188.8.131.52 (437 rejections, bad), 184.108.40.206 (362 rejections), and 220.127.116.11 (178 rejections). All of them were rejected for bad or missing reverse DNS, but except for 18.104.22.168, of them are also on either or both of the CBL and the PBL.
Thirteen of the top 30 are currently in the CBL, two are in the SBL (in
is a depressing March 22nd listing of a Chinese /18 for spammer hosting),
five are currently in
bl.spamcop.net, eleven are in the PBL, and a
grand total of 17 are in zen.spamhaus.org.
(Locally, 22 were rejected for bad or missing reverse DNS, 4 for being dynamic IPs, and 4 for being various people we don't want to talk to.)
This week, Hotmail had:
- 5 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 39 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 13 messages refused due to their origin IP address (eight in the CBL, two in SBL21128, one in SBL47233, one from Nigeria, and one from Burkina Faso).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Things got bad this week. While I expected to find a big source or
two of bad
HELOs, the leading source this week was 22.214.171.124
with only 132 attempts, followed by 126.96.36.199 (83). Apparently
there were just more people this week in the 30 to 60 attempts range.
Bad bounces were sent to 276 different bad usernames this week, with
the most popular one by far being
jtpnu with 130 attempts, followed
hvd with 68,
pnu with 61,
tpnu with 58,
dnwga with 35,
vdnw with 31. Various patterns show up, including a surprising
number that look Japanese, and to be generic there was a
fred and a
hello-everybody (along with a few ex-users).