Wandering Thoughts archives

2007-07-21

Weekly spam summary on July 21st, 2007

This week, we:

  • got 12,549 messages from 259 different IP addresses.
  • handled 19,129 sessions from 1,520 different IP addresses.
  • received 291,606 connections from at least 79,247 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

Connection volume is up pretty noticeably from last week. Connection volume fluctuated all over the map over the week:

Day          Connections   Different IPs
Sunday            31,555         +10,497
Monday            42,627         +13,490
Tuesday           51,031         +13,379
Wednesday         48,042         +12,291
Thursday          47,331         +11,707
Friday            39,278          +9,727
Saturday          31,742          +8,156

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          43855   2281K terra.es
68.230.240.0/23       39764   1931K cox.net
195.238.6.226         22971   1103K
205.152.59.0/24       21039    954K bellsouth.net
213.29.7.0/24         18151   1089K centrum.cz
196.28.61.0/24        10680    513K
212.175.13.129         9065    544K
202.161.93.77          8000    439K
74.128.0.0/24          3162    147K insightbb.com
216.213.172.11         3129    172K

Volume is up from last week, although not hugely, and it is more unevenly distributed; the top is higher and the bottom is lower. We have insightbb.com blocked as a source of webmail-based advance fee fraud, like the other /24s on the list.

  • 195.238.6.226 is a skynet.be/belgacom.be machine; we haven't talked to them for some time for various reasons.
  • 212.175.13.129 returns from earlier this month and several times before, still trying a bad HELO.
  • 202.161.93.77 is an APNIC IP address with bad reverse DNS.
  • 216.213.172.11 is still a qsnews.net machine, just as it was last week.

I continue to be impressed with how qsnews.net is not on various DNS blocklists; I have no idea how they manage it.

Connection time rejection stats:

 115523 total
  68833 bad or no reverse DNS
  38937 dynamic IP
   6058 class bl-cbl
    263 class bl-pbl
    192 qsnews.net
     93 class bl-sbl
     75 class bl-dsbl
     72 reliablehosting.com
     24 acceleratebiz.com
      9 class bl-njabl
      2 class bl-sdul

It is hard to contain myself about the amazing coincidence that nine different acceleratebiz.com IPs, each with a different domain name, all tried to send us email this week (sometimes multiple times). I'm sure it's also a coincidence that most of them appear to have the same do-nothing website, too.

The highest source of SBL rejections this week was SBL48694 (the artists-networkinfo.com known spammers, listed 24 June) with 35 rejections. Second place goes to SBL53722 (cavtel.net, advance fee fraud spam, listed 19 April) with 15 rejections.

Ten of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 196.218.140.174 (652 rejections), with (dis)honorable mentions for 217.54.2.210 (330 rejections) and 220.192.171.108 (297 rejections). All got rejected for having bad or missing reverse DNS.

Sixteen of the top 30 are currently in the CBL, two are currently in bl.spamcop.net, thirteen are in the PBL, and a grand total of twenty three are in zen.spamhaus.org.

(Locally, 24 were rejected for bad or missing reverse DNS, four for being people we don't want to talk to, and two for being classified as dynamic IPs.)

This week Hotmail had:

  • 6 messages accepted; I'm reasonably sure that at least three of them were spam.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 39 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (one in the CBL, two from the Cote d'Ivoire, and one from a South African wireless ISP).

And the final numbers:

What           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs             1120 (113)                    705 (95)
Bad bounces            350 (210)                    219 (94)

This week is distinctly worse than last week. The leading sources of bad HELO attempts this week were 70.136.191.16 (118 attempts) and 216.23.126.213 (105 attempts); both were using names that ended in .local.
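
The rejection classes in the connection time stats above and the bad HELO names discussed here are both decisions a connection-time filter makes per incoming SMTP session. As an added example (not code from this post or from the author's mail setup), the Python below classifies a constructed batch of connections into the same labels the stats use, applies an assumed HELO sanity rule that catches names ending in .local, and renders a tally in the post's format. The check order, the dynamic-name patterns, reading "bad" reverse DNS as a failed forward-confirmation (FCrDNS) check, and the blocklist zone-to-class mapping are all assumptions; the sample addresses are RFC 5737 documentation ranges, not real traffic.

```python
"""Added illustration (not the post's own code): a connection-time
rejection classifier, a bad-HELO check, and the tally that produces a
count table of the shape shown in the post.  Lookup results are passed
in as data so the example runs offline; in a real MTA front end they
would come from reverse DNS and DNSBL queries."""
import re
from collections import Counter

# Assumption: reverse-DNS name fragments that mark a dynamic/residential
# address.  Real policies use much longer pattern lists.
DYNAMIC_RDNS = re.compile(
    r"(^|[.-])(dyn|dynamic|dhcp|ppp|dsl|cable|pool)([.-]|\d)", re.IGNORECASE)

# Domains the post says are refused outright; the tally labels them by name.
LOCAL_BLOCKS = ("qsnews.net", "reliablehosting.com", "acceleratebiz.com")

# Assumption: which blocklist zones map to which class label, and the
# order they are consulted (first hit wins, so an IP listed in both the
# CBL and the PBL is counted once, under bl-cbl).
DNSBL_CLASSES = (
    ("cbl.abuseat.org", "class bl-cbl"),
    ("sbl.spamhaus.org", "class bl-sbl"),
    ("pbl.spamhaus.org", "class bl-pbl"),
)


def in_domain(name, domain):
    """True if `name` is `domain` or a host inside it (case-insensitive)."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def classify(ip, rdns, forward_ok, listed_in):
    """Return the rejection class for one connection, or None to accept.

    rdns       -- PTR name for `ip`, or None if there is none
    forward_ok -- whether that name resolves back to `ip` (FCrDNS check)
    listed_in  -- blocklist zones that returned a listing for `ip`
    """
    # "bad" reverse DNS here means no PTR, or a PTR that does not forward-confirm.
    if rdns is None or not forward_ok:
        return "bad or no reverse DNS"
    for domain in LOCAL_BLOCKS:
        if in_domain(rdns, domain):
            return domain
    if DYNAMIC_RDNS.search(rdns):
        return "dynamic IP"
    for zone, label in DNSBL_CLASSES:
        if zone in listed_in:
            return label
    return None


def bad_helo(helo):
    """Assumed HELO sanity rules: the name must be a dotted FQDN, must not be
    in the mDNS-only .local domain, and an address must be given as a
    bracketed literal rather than a bare IP."""
    helo = helo.strip().lower()
    if helo.startswith("[") and helo.endswith("]"):
        return False                    # [203.0.113.5] is an allowed literal
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", helo):
        return True                     # bare IP used as a host name
    if "." not in helo or helo.endswith(".local"):
        return True
    return False


def tally(records):
    """Count rejections per class; the 'total' key mirrors the post's first line."""
    counts = Counter()
    for ip, rdns, forward_ok, listed_in in records:
        why = classify(ip, rdns, forward_ok, listed_in)
        if why is not None:
            counts[why] += 1
    counts["total"] = sum(counts.values())
    return counts


def format_tally(counts):
    """Render counts as the right-aligned 'N reason' lines the post uses."""
    width = len(str(counts["total"]))
    lines = ["%*d total" % (width, counts["total"])]
    for why, n in counts.most_common():
        if why != "total":
            lines.append("%*d %s" % (width, n, why))
    return "\n".join(lines)


# Constructed sample using RFC 5737 documentation addresses; not real traffic.
SAMPLE = [
    ("203.0.113.5", None, True, ()),                       # no PTR at all
    ("203.0.113.6", "host.example.net", False, ()),        # PTR does not confirm
    ("198.51.100.7", "dyn-198-51-100-7.example.net", True, ()),
    ("198.51.100.8", "mail.qsnews.net", True, ()),
    ("192.0.2.9", "mx.example.org", True, ("cbl.abuseat.org",)),
    ("192.0.2.10", "mx2.example.org", True, ("pbl.spamhaus.org", "cbl.abuseat.org")),
    ("192.0.2.11", "mx3.example.org", True, ()),            # clean: accepted
]

if __name__ == "__main__":
    print(format_tally(tally(SAMPLE)))
```

Because the first matching check wins, the order of the checks determines which class an address is counted under; that is why a single rejected IP appears in only one line of such a tally even when it is listed in several blocklists at once.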

Bad bounces were sent to 318 different bad usernames this week, with the most popular one being a tie between charron and LucasLaird with 4 attempts each; last week's qp3902 made one appearance. I am not going to try to assess what bad user name pattern was the most prevalent; interesting bad usernames included the minimalistic s, the all-digits 405, the interesting mayumi-totoro and kinako-cat, and the peculiar 0ue38815349020h. A number were sent to ex-users.

The dominant bad bounce source this week seems to be Japan, especially ezweb.ne.jp; it is awfully tempting to block them entirely, since they haven't sent us any actual email in at least the past month and they keep doing this. But if I went down that road, there are any number of ISPs that would make the list.

spam/SpamSummary-2007-07-21 written at 23:36:52

