Weekly spam summary on October 13th, 2007
This week, we:
- got 11,905 messages from 252 different IP addresses.
- handled 27,710 sessions from 2,367 different IP addresses.
- received 342,122 connections from at least 124,401 different IP addresses.
- hit a highwater of 36 connections being checked at once.
Connection volume seems up a bit from last week, although it's hard to be entirely sure. Session volume is definitely up, pretty much to the level it was two weeks ago.
It's interesting that this seems to vary all over the map from day to day, and it amuses me that Wednesday, for long the most active day, is the least active day this week.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 188.8.131.52/24 22255 1335K onet.pl 184.108.40.206/26 14924 819K otcpicknews.com 220.127.116.11/23 12994 631K cox.net 18.104.22.168 10710 571K 22.214.171.124/11 8620 419K CHINANET 126.96.36.199/24 8496 400K coxmail.net 188.8.131.52/24 6321 405K comcast.net 184.108.40.206/24 6146 393K comcast.net 220.127.116.11/24 5579 335K centrum.cz 18.104.22.168 5141 282K
Volume is down a bit from last week, but not really significantly, and once again almost of the top 10 is netblocks.
- 22.214.171.124 kept trying with bad
HELOs; we saw it before in August.
- 126.96.36.199 kept trying to send us mail with an origin address that had already tripped our spamtraps.
Connection time rejection stats:
111794 total 54499 bad or no reverse DNS 47536 dynamic IP 5567 class bl-cbl 973 class bl-pbl 458 class bl-dsbl 317 qsnews.net 296 class bl-sbl 280 class bl-sdul 149 class bl-njabl 129 dartmail.net 125 acceleratebiz.com
The highst source of SBL rejections this week is SBL56712 with 94 rejections (a /28 listed as a spam source for power-cl1cks.com, listed in July), followed by SBL59518 with 79 rejections (a /24 also for 'power-cl1cks2.com'), and SBL58952 with 33 rejections (a /27 from September, 'spwu10.net'). I've seen other spwu10.net machines crop up from 188.8.131.52/22, so I think it and them are going into our overall blocklists.
(A modest suggestion to people: do not give your domains sequence numbers. It does not really look good.)
Eight of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 184.108.40.206 (1,259 rejections), followed by 220.127.116.11 (388 rejections). Oddly enough, none of the top 30 appear to be showing up on any of the popular DNS blocklists this week; this seems implausible, which means that something is broken somewhere.
(Locally, 16 were rejected for being dynamic IP addresses, 11 for having bad or missing reverse DNS, 2 for being qsnews.net, and 1 for being qsc.de.)
This week, Hotmail had:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 49 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (one in the CBL, one from Nigeria, one from Ghana, and one from saix.net aka telkom.co.za).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading source of bad
HELOs this week was 18.104.22.168
(243 attempts), followed by 22.214.171.124 (123 attempts), and
126.96.36.199 (91 attempts). There are a lot of people with relatively
high counts (above 50 attempts), which is not really surprising given
Bad bounces were sent to 650 different bad usernames this week, with the
most popular one being
Jayce_Pirani with 5 attempts, followed by
HoratioClemens with 4 attempts and
MaxwellFocke and last week's
SHOUGEE with 3 attempts each. There was one attempt to the
all-number bad username
405 and one to
"Gresham," (sic), and some
to ex-users, but with 650 of them I'm not going to study them carefully
enough to draw real conclusions.