Wandering Thoughts archives

2007-10-06

Weekly spam summary on October 6th, 2007

Unfortunately, our SMTP frontend died Thursday afternoon, so some of our usual stats are approximations or partial stats. Having said that, this week we:

  • got 11,577 messages from 283 different IP addresses.
  • handled 20,711 sessions from 1,929 different IP addresses.
  • received at least 317,396 connections from at least 73,000 different IP addresses.
  • hit a highwater of 38 connections being checked at once.

In specific, we got 184,251 connections from at least 73,605 different IP addresses through Thursday morning at 4am, and then 133,145 connections from at least 52,709 different IP addresses since 2:40pm Thursday. Connection volume is up a bit from last week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
72.249.13.64/26       36754   2016K otcpicknews.com
213.180.130.0/24      27166   1630K onet.pl
213.29.7.0/24          9983    599K centrum.cz
68.230.240.0/23        7805    379K cox.net
68.168.78.0/24         6797    326K adelphia.net
71.165.18.155          6369    298K
204.127.225.0/24       6077    389K comcast.net
206.18.177.0/24        5737    367K comcast.net
70.60.187.42           5008    240K
218.0.0.0/16           4897    235K CHINANET

Total volume is slightly up from last week. Strikingly, only two of the top ten this week are individual IP addresses, although this is the first time in a while that a large netblock has made the top ten.

  • 71.165.18.155 kept trying to send us phish spam that had already tripped our spamtraps.
  • 70.60.187.42 is on the DSBL.

Connection time rejection stats:

 114152 total
  52897 dynamic IP
  52569 bad or no reverse DNS
   5520 class bl-cbl
   1119 class bl-pbl
    309 class bl-sdul
    309 class bl-dsbl
    161 acceleratebiz.com
     87 qsnews.net
     85 class bl-sbl
     75 class bl-njabl
     53 officepubs.com

Volume is up significantly from last week. The highest source of SBL rejections this week was the same as last week; SBL58952, with 22 rejections, followed by SBL39831 with 20 rejections (spam emitters since 23 May 2006) and SBL48694 with 10 rejections (also returning from last week).

Nine of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 88.245.33.111 (527 rejections), followed by 59.93.10.75 (241 rejections) and 85.101.255.175 (230 rejections). Fifteen of the top 30 are currently in the CBL, two are currently in bl.spamcop.net, sixteen are in the PBL, and a grand total of 18 are in zen.spamhaus.org.

(Locally, 23 were rejected for bad or missing reverse DNS, 4 for being something we considered a dynamic IP address, 1 for being qsnews.net, 1 for being in AccelerateBiz space, and one for being in the DSBL.)

This week, Hotmail had:

  • 1 message accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 41 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 8 messages refused due to their origin IP address (four from the Cote d'Ivoire, two from Ghana, one from saix.net, and one in the CBL).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 1751 270 5489 399
Bad bounces 114 78 1521 1115

There is no particularly big source of bad HELOs this week; the top single source only made 36 attempts.

Bad bounces were sent to 83 different bad usernames this week, with the most popular one being Harjas_Muthukumar with 15 attempts, followed by ToddWolseley with 7 attempts and the now-familiar SHOUGEE with 4 attempts. Other representative bad usernames include natukida, tuncer784, zddzqdekcztiu, and mari-tachi, along with a number of ex-users; the leading form seems to be the FirstLast one.

The leading single source of bad bounces this week is actually a German site, but ezweb.ne.jp and softbank.ne.jp are up near the top plugging away. Google seems to have given us a miss this week, although various .edu sites that should really know better made up for them. My pick for the most amusingly named source this week is xmldove.fastfreenet.com, a name that puts all sorts of amusing and peculiar images into my head.

spam/SpamSummary-2007-10-06 written at 23:45:41;


Page tools: See As Normal.
Search:
Login: Password:

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.