2007-10-13
Weekly spam summary on October 13th, 2007
This week, we:
- got 11,905 messages from 252 different IP addresses.
- handled 27,710 sessions from 2,367 different IP addresses.
- received 342,122 connections from at least 124,401 different IP addresses.
- hit a highwater of 36 connections being checked at once.
Connection volume seems up a bit from last week, although it's hard to be entirely sure. Session volume is definitely up, pretty much to the level it was two weeks ago.
Day | Connections | different IPs |
Sunday | 52,106 | +22,241 |
Monday | 72,645 | +27,772 |
Tuesday | 47,247 | +16,403 |
Wednesday | 33,365 | +13,620 |
Thursday | 52,521 | +21,076 |
Friday | 48,166 | +12,650 |
Saturday | 36,072 | +10,639 |
It's interesting that this seems to vary all over the map from day to day, and it amuses me that Wednesday, for long the most active day, is the least active day this week.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 213.180.130.0/24 22255 1335K onet.pl 72.249.13.64/26 14924 819K otcpicknews.com 68.230.240.0/23 12994 631K cox.net 213.4.149.241 10710 571K 218.0.0.0/11 8620 419K CHINANET 68.99.120.0/24 8496 400K coxmail.net 204.127.225.0/24 6321 405K comcast.net 206.18.177.0/24 6146 393K comcast.net 213.29.7.0/24 5579 335K centrum.cz 209.51.135.180 5141 282K
Volume is down a bit from last week, but not really significantly, and once again almost of the top 10 is netblocks.
- 213.4.149.241 kept trying with bad
HELO
s; we saw it before in August. - 209.51.135.180 kept trying to send us mail with an origin address that had already tripped our spamtraps.
Connection time rejection stats:
111794 total 54499 bad or no reverse DNS 47536 dynamic IP 5567 class bl-cbl 973 class bl-pbl 458 class bl-dsbl 317 qsnews.net 296 class bl-sbl 280 class bl-sdul 149 class bl-njabl 129 dartmail.net 125 acceleratebiz.com
The highst source of SBL rejections this week is SBL56712 with 94 rejections (a /28 listed as a spam source for power-cl1cks.com, listed in July), followed by SBL59518 with 79 rejections (a /24 also for 'power-cl1cks2.com'), and SBL58952 with 33 rejections (a /27 from September, 'spwu10.net'). I've seen other spwu10.net machines crop up from 74.223.112.0/22, so I think it and them are going into our overall blocklists.
(A modest suggestion to people: do not give your domains sequence numbers. It does not really look good.)
Eight of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 200.186.145.197 (1,259 rejections), followed by 200.177.119.109 (388 rejections). Oddly enough, none of the top 30 appear to be showing up on any of the popular DNS blocklists this week; this seems implausible, which means that something is broken somewhere.
(Locally, 16 were rejected for being dynamic IP addresses, 11 for having bad or missing reverse DNS, 2 for being qsnews.net, and 1 for being qsc.de.)
This week, Hotmail had:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 49 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (one in the CBL, one from Nigeria, one from Ghana, and one from saix.net aka telkom.co.za).
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELO s |
6739 | 363 | 1751 | 270 |
Bad bounces | 669 | 553 | 114 | 78 |
The leading source of bad HELO
s this week was 208.223.173.169
(243 attempts), followed by 202.155.205.242 (123 attempts), and
216.157.197.66 (91 attempts). There are a lot of people with relatively
high counts (above 50 attempts), which is not really surprising given
the stats.
Bad bounces were sent to 650 different bad usernames this week, with the
most popular one being Jayce_Pirani
with 5 attempts, followed by
HoratioClemens
with 4 attempts and MaxwellFocke
and last week's
winner SHOUGEE
with 3 attempts each. There was one attempt to the
all-number bad username 405
and one to "Gresham,"
(sic), and some
to ex-users, but with 650 of them I'm not going to study them carefully
enough to draw real conclusions.