

Weekly spam summary on July 7th, 2007

This week, we:

  • got 9,123 messages from 254 different IP addresses.
  • handled 17,076 sessions from 1,364 different IP addresses.
  • received 264,864 connections from at least 70,143 different IP addresses.
  • hit a high-water mark of 12 connections being checked at once.

Volume has dropped compared to last week, including total messages, which surprises me a bit. As we can see in the per-day table, spammers definitely didn't take the 4th of July off:

Day         Connections   Different IPs
Sunday           32,966         +11,408
Monday           36,064         +10,472
Tuesday          37,471         +10,684
Wednesday        39,405          +8,540
Thursday         35,548          +8,294
Friday           44,618         +11,289
Saturday         38,792          +9,456

Kernel-level packet filtering top ten:

Host/Mask           Packets   Bytes
                      45750   2379K
                      32348   1571K
cox.net               23367   1059K
bellsouth.net         23141   1272K
otcpicknews.com       14404    790K
                      11458    687K
                      10494    630K
                       9691    465K
adelphia.net           8924    518K
                       7720    371K

By contrast, volume here is up significantly from last week, with the otcpicknews.com people still valiantly hammering away despite getting nowhere.

  • returns from last week and many weeks before.
  • is beaconresearchnews.com and returns from two weeks ago.
  • kept trying a bad HELO, which we've seen it do before.
  • is SBL49970, and we saw it before two weeks ago.
  • kept trying with a bad HELO.
  • is a Vietnamese IP address with no reverse DNS.

Connection time rejection stats:

 108292 total
  74766 bad or no reverse DNS
  26291 dynamic IP
   5170 class bl-cbl
    408 class bl-pbl
    184 qsnews.net
     99 class bl-dsbl
     92 class bl-sbl
     53 class bl-njabl
     44 class bl-sdul
     42 beaconresearchnews.com

Volume is up significantly from last week, with almost all of it coming from bad reverse DNS issues; the volume jump is even more striking if you look at this compared to two weeks ago.

The highest source of SBL rejections this week was SBL56296 (a compromised PC used for spam) with 17 rejections. After that was SBL53722 (a cavtel.net webmail machine, advance fee fraud) with 15 rejections and SBL49970 with 14 rejections.

Twelve of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is (412 rejections), followed by (391 rejections), (307 rejections), and (224 rejections, on the CBL). All but the last were rejected for bad or missing reverse DNS.

Sixteen of the top 30 are currently in the CBL, three are currently in bl.spamcop.net, twelve are in the PBL, and a grand total of twenty are in zen.spamhaus.org.

(Locally, 20 were rejected for bad or missing reverse DNS, 7 for being dynamic IP addresses, two for being people we don't want to talk to, and one for being in the CBL.)

This week, Hotmail managed:

  • 3 messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address (a msn.com address, as it happens).
  • 50 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (one in the CBL and two from Burkina Faso).

what           # this week  (distinct IPs)   # last week  (distinct IPs)
Bad HELOs              825            (99)          4120           (240)
Bad bounces            222           (149)           688           (527)

That's certainly a nice improvement from last week. The leading source of bad HELOs this week was with 86 attempts.

Bad bounces were sent to 154 different bad usernames this week, with the most popular one being qp3902 with 32 attempts. The most popular pattern for bad usernames is probably things like RandyGallagher, but we also saw bounce attempts to various others, including things like narunaru-gogo, jmhn, and the ever-popular noreply, along with some ex-users. I will call ezweb.ne.jp the most popular source of bounces, although it's hard to be completely sure; some people send bounces to us from only a few IPs, while others smear them over big clusters of machines.

spam/SpamSummary-2007-07-07 written at 23:47:38