Weekly spam summary on July 7th, 2007
This week, we:
- got 9,123 messages from 254 different IP addresses.
- handled 17,076 sessions from 1,364 different IP addresses.
- received 264,864 connections from at least 70,143 different IP addresses.
- hit a highwater of 12 connections being checked at once.
Volume has dropped compared to last week, including total messages, which surprises me a bit. As we can see in the per-day table, spammers definitely didn't take the 4th of July off:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 126.96.36.199 45750 2379K 188.8.131.52/23 32348 1571K cox.net 184.108.40.206/24 23367 1059K bellsouth.net 220.127.116.11/27 23141 1272K otcpicknews.com 18.104.22.168 14404 790K 22.214.171.124 11458 687K 126.96.36.199 10494 630K 188.8.131.52/24 9691 465K adelphia.net 184.108.40.206 8924 518K 220.127.116.11 7720 371K
By contrast, volume here is up significantly from last week, with the otcpicknews.com people still valiantly hammering away despite getting nowhere.
- 18.104.22.168 returns from last week and many weeks before.
- 22.214.171.124 is beaconresearchnews.com and returns from two weeks ago.
- 126.96.36.199 kept trying a bad
HELO, which we've seen it do before.
- 188.8.131.52 is SBL49970, and we saw it before two weeks ago.
- 184.108.40.206 kept trying with a bad
- 220.127.116.11 is a Vietnamese IP address with no reverse DNS.
Connection time rejection stats:
108292 total 74766 bad or no reverse DNS 26291 dynamic IP 5170 class bl-cbl 408 class bl-pbl 184 qsnews.net 99 class bl-dsbl 92 class bl-sbl 53 class bl-njabl 44 class bl-sdul 42 beaconresearchnews.com
The highest source of SBL rejections this week was SBL56296 (a compromised PC used for spam) with 17 rejections. After that was SBL53722 (a cavtel.net webmail machine, advance fee fraud) with 15 rejections and SBL49970 with 14 rejections.
Twelve of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 18.104.22.168 (412 rejections), followed by 22.214.171.124 (391 rejections), 126.96.36.199 (307 rejections), and 188.8.131.52 (224 rejections, on the CBL). All but the last were rejected for bad or missing reverse DNS.
Sixteen of the top 30 are currently in the CBL, three are currently
bl.spamcop.net, twelve are in the PBL, and a grand total of
twenty are in zen.spamhaus.org.
(Locally, 20 were rejected for bad or missing reverse DNS, 7 for being dynamic IP addresses, two for being people we don't want to talk to, and one for being in the CBL.)
This week, Hotmail managed:
- 3 messages accepted.
- 1 message rejected because it came from a non-Hotmail email address (a msn.com address, as it happens).
- 50 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (one in the CBL and two from Burkina Faso).
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
That's certainly a nice improvement from last week. The leading
source of bad
HELOs this week was 184.108.40.206 with 86 attempts.
Bad bounces were sent to 154 different bad usernames this week, with
the most popular one being
qp3902 with 32 attempts. The most popular
pattern for bad usernames is probably things like
we also saw bounce attempts to various others, including things like
jmhn, and the ever-popular
noreply, along with
some ex-users. I will call ezweb.ne.jp the most popular source of
bounces, although it's hard to be completely sure; some people send
bounces to us from only a few IPs, while others smear them over big
clusters of machines.