2005-11-27
Weekly spam summary on November 26th, 2005
This week we received 20,583 email messages from 213 different IP addresses. Our SMTP server handled 21,213 sessions from 1,044 different IP addresses. This is a significant jump in incoming email compared to last week.
We saw a major jump in connections compared to last week: 238,300 connections from at least 32,400 different IP addresses. Broken down by day, it goes:
| Day | Connections | different IPs |
| --- | --- | --- |
| Sunday | 9,130 | +4,370 |
| Monday | 14,440 | +5,970 |
| Tuesday | 12,490 | +4,400 |
| Wednesday | 54,860 | +4,660 |
| Thursday | 111,750 | +4,300 |
| Friday | 22,900 | +4,560 |
| Saturday | 12,730 | +4,150 |
While Thursday is the day when we're slowest to add entries to the kernel level blocks, I don't think that's the sole explanation for the general habit of connection rates to spike then. (And they were already ramping up on Wednesday and slowly ramping down on Friday, too.)
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| --- | --- | --- |
| 212.216.176.0/24 | 8102 | 420K |
| 200.26.201.46 | 4596 | 221K |
| 203.167.99.194 | 2930 | 141K |
| 66.62.47.57 | 2895 | 174K |
| 66.125.69.74 | 2597 | 132K |
| 66.154.124.0/28 | 2395 | 134K |
| 195.250.128.75 | 2248 | 114K |
| 219.71.176.153 | 2230 | 107K |
| 72.9.253.34 | 2173 | 130K |
| 61.128.0.0/10 | 2145 | 113K |
The kernel level hits are way down even compared to last week, with only two really active sources by our usual standards.
- 203.167.99.194 still has no PTR record; 66.62.47.57 continues to be in SBL34212.
- 66.125.69.74 is a PacBell DSL line.
- 219.71.176.153 is a giga.net.tw cablemodem.
- 72.9.253.34 is a gnax.net machine that's on the CBL.
- 200.26.201.46 fed us a bad HELO name a lot.
- 195.250.128.75 is a vol.cz machine that was blocked for repeatedly trying to send us mail that had already tripped our spamtraps. I suspect that it is a webmail system, and we know how that story usually goes.
This continues the trend of bad HELOs being much less frequent around here. It's possible that people are actually starting to fix their mailers, although I'm not going to hold my breath.
Connection time rejection stats:
23767 total
14756 dynamic IP
5535 bad or no reverse DNS
2075 class bl-cbl
414 class bl-sbl
269 class bl-sdul
237 class bl-ordb
215 class bl-dsbl
52 class bl-spews
23 class bl-njabl
2 class bl-opm
Taking pride of place and explaining some of Thursday's numbers is 61.9.145.66, a bigpond.net.au cablemodem, which tried to connect to us 7,296 times before it gave up. (It may explain some of Wednesday's numbers too, as it started that evening.)
Other stats:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| --- | --- | --- | --- | --- |
| Bad HELOs | 682 | 76 | 3011 | 166 |
| Bad bounces | 190 | 98 | 387 | 265 |
These numbers have dropped to amazingly low levels. I'm going to hold my breath that this keeps up. (Although some of the bounce reduction is from spammers and viruses starting to forge things like 'hostmaster' instead of random usernames.)
And finally, we have the usual depressing Hotmail numbers:
- ten email messages accepted.
- 299 messages rejected because they came from non-Hotmail email addresses.
- 26 messages refused because their sender addresses had already hit our spamtraps.
- 9 messages refused due to their origin IP address (6 in the SBL, two from SAIX, one from Nigeria).
Ten email messages accepted from Hotmail is quite high, and it looks like a fair number of them were non-spam (and more than a few spam, unfortunately). Given the other numbers this looks less like Hotmail getting any sort of handle on their spam issue and more like some people starting to use Hotmail.
2005-11-20
Weekly spam summary on November 19th, 2005
Once again, I'm leading with Hotmail's stats to highlight their spam problem:
- three email messages accepted.
- 320 messages refused because they came from non-Hotmail email addresses.
- 22 messages refused because their sender addresses had already hit our spamtraps.
- 21 messages refused due to their originating IP address (17 in the SBL, two in the CBL, one in the XBL, one because it's from Gilat-Satcom).
Gilat-Satcom is a serious problem here; it has quite a number of SBL listings for advance fee fraud spam sources (and many of them through Hotmail), yet nothing happens.
This week we received 12,759 email messages from 224 different IP addresses. Our SMTP server handled 20,329 sessions from 1,350 different IP addresses. Both of these numbers are about the same as last week.
Our connection volume is even lower than two weeks ago: 80,250 connections from at least 27,670 different IP addresses. This is probably a record low. This time around, the connection count by day numbers drop below 10,000 for Thursday onwards; I'm not going to bother with a table.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| --- | --- | --- |
| 212.216.176.0/24 | 11402 | 595K |
| 66.154.124.0/28 | 9758 | 546K |
| 72.41.4.3 | 7319 | 439K |
| 61.128.0.0/10 | 5449 | 272K |
| 212.175.13.129 | 5020 | 264K |
| 130.69.197.3 | 3922 | 235K |
| 219.71.176.89 | 3452 | 166K |
| 66.230.161.178 | 2458 | 147K |
| 216.7.201.43 | 2302 | 110K |
| 66.62.47.57 | 2270 | 136K |
- 72.41.4.3 is an opentransfer.com machine; we don't talk to them due to too much spam.
- returning from previous listings are 130.69.197.3 (still tried to mail us with origin addresses that had tripped our spamtraps), 219.71.176.89 (still a giga.net.tw dynamic IP address), and 216.7.201.43 (bad HELO).
- 66.62.47.57 is in SBL34212.
- 212.175.13.129 was on the DSBL, but has been delisted during the week.
- 66.230.161.178 kept trying to mail us with an origin address that had tripped our spamtraps.
This has clearly been a really slow week for bad HELO names.
Connection time rejection stats:
14635 total
7050 dynamic IP
4316 bad or no reverse DNS
1627 class bl-cbl
496 class bl-sbl
376 class bl-ordb
197 class bl-dsbl
153 class bl-sdul
135 class bl-spews
25 class bl-njabl
2 class bl-opm
No single IP address stands out in this week's statistics.
Other stats:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| --- | --- | --- | --- | --- |
| Bad HELOs | 3011 | 166 | 3613 | 165 |
| Bad bounces | 387 | 265 | 774 | 570 |
Bounces are significantly down from the already low numbers for last week. Perhaps spammers have finally given up on forging us as the origin address for their spams? (A weary postmaster can dream.)
2005-11-13
Weekly spam summary on November 12th, 2005
This week I'm leading with Hotmail's numbers, because they continue to be a depressing testament to Hotmail's spam problem. This week's Hotmail statistics are:
- one email accepted, probably advance fee fraud spam from the Hotmail user name.
- 14 Hotmail messages refused due to their originating IP addresses (4 in the SBL, 4 in the XBL, three from Nigeria, two from SAIX, and one from the Cote d'Ivoire).
- 31 Hotmail messages refused because their sender addresses had already hit our spamtraps.
- 251 messages from Hotmail refused because they came from non-Hotmail email addresses.
At this point it's hard to see a point to continuing to accept Hotmail's email. And it's not like Hotmail shows any signs of dealing with their problem; they've offloaded it onto the rest of us.
On to other stats. This week we received 13,175 email messages from 230 different IP addresses. Our SMTP server handled 22,087 sessions from 1,695 different IP addresses. Both of these numbers are about the same as last week.
Our connection volume is up from the depths of last week: 179,300 connections from at least 30,000 different IP addresses.
| Day | Connections | different IPs |
| --- | --- | --- |
| Sunday | 10,000 | 4,230 |
| Monday | 12,400 | +4,840 |
| Tuesday | 67,750 | +4,410 |
| Wednesday | 38,000 | +4,220 |
| Thursday | 14,960 | +4,370 |
| Friday | 23,000 | +4,450 |
| Saturday | 13,100 | +3,550 |
Tuesday is responsible for more than a third of the connections all on its own, with a spillover into Wednesday and a bit of a spike on Wednesday. Otherwise things are pretty close to last week's daily rates.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| --- | --- | --- |
| 64.52.16.234 | 11730 | 548K |
| 66.154.124.0/28 | 10428 | 584K |
| 69.105.51.114 | 7892 | 369K |
| 212.216.176.0/24 | 7723 | 386K |
| 61.128.0.0/10 | 7210 | 351K |
| 80.33.77.149 | 6128 | 309K |
| 130.69.197.3 | 4675 | 281K |
| 203.167.99.194 | 4410 | 212K |
| 219.71.176.89 | 3577 | 172K |
| 66.179.44.52 | 3286 | 158K |
This is a skewed distribution, but not as skewed as last week.
- 64.52.16.234, 69.105.51.114, and 66.179.44.52 continue to send us bad HELO names.
- 203.167.99.194 is an etpi.com.ph machine with no reverse DNS.
- 219.71.176.89 is a giga.net.tw cablemodem.
- 80.33.77.149 and 130.69.197.3 both tripped our spamtraps and then persistently kept trying to mail us.
Connection time rejection stats:
16386 total
8270 dynamic IP
4714 bad or no reverse DNS
1407 class bl-cbl
662 class bl-ordb
504 class bl-sbl
224 class bl-spews
90 class bl-dsbl
71 class bl-sdul
54 class bl-njabl
2 class bl-opm
The dynamic IP category jumped in significant part due to just one machine, 83.196.157.151 (a wanadoo.fr dialup), trying 1,796 times to connect before it got blocked harder. (And this happened on Tuesday.)
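The summaries above count connection-time rejections by class and single out sources that hammered the server until they were "blocked harder" at the kernel level (61.9.145.66 with 7,296 attempts two weeks later, 83.196.157.151 with 1,796 here). The following is an added example, not code from this blog or its mail system: it parses constructed rejection log lines in an assumed format, produces the same per-class count layout the summaries use, and lists the sources whose repeat count makes them candidates for a packet-filter block.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the page). The line format is an
# assumption: "<timestamp> smtpd reject <ip> <category>", one per rejected
# connection, where <category> is one of the classes the weekly summary uses.
SAMPLE_LOG = """\
Nov  8 03:12:44 smtpd reject 83.196.157.151 dynamic IP
Nov  8 03:12:51 smtpd reject 83.196.157.151 dynamic IP
Nov  8 03:12:58 smtpd reject 83.196.157.151 dynamic IP
Nov  8 03:13:02 smtpd reject 203.0.113.7 bad or no reverse DNS
Nov  8 03:13:20 smtpd reject 198.51.100.23 class bl-cbl
Nov  8 03:13:31 smtpd reject 83.196.157.151 dynamic IP
Nov  8 03:14:05 smtpd reject 198.51.100.23 class bl-cbl
Nov  8 03:14:40 smtpd reject 192.0.2.99 class bl-sbl
Nov  8 03:15:12 smtpd accept 192.0.2.10
"""

REJECT_RE = re.compile(r"smtpd reject (\d{1,3}(?:\.\d{1,3}){3}) (.+)$")

def parse_rejections(text):
    """Return (ip, category) pairs for every rejected connection; accepts are skipped."""
    records = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            records.append((m.group(1), m.group(2).strip()))
    return records

def rejection_stats(records):
    """Per-category counts plus a 'total', like the summary's rejection table."""
    stats = Counter(cat for _, cat in records)
    stats["total"] = len(records)
    return stats

def escalation_candidates(records, threshold):
    """IPs rejected at least `threshold` times. Each of these still costs an SMTP
    session per attempt, so they are the ones worth moving from per-connection
    rejection to a kernel-level packet filter block. Returns {ip: attempts}."""
    per_ip = Counter(ip for ip, _ in records)
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

def format_stats(stats):
    """Render counts in the summary's 'count label' layout, largest first."""
    lines = [f"{stats['total']} total"]
    rows = [(c, n) for c, n in stats.items() if c != "total"]
    lines += [f"{n} {c}" for c, n in sorted(rows, key=lambda x: -x[1])]
    return "\n".join(lines)

if __name__ == "__main__":
    recs = parse_rejections(SAMPLE_LOG)
    print(format_stats(rejection_stats(recs)))
    print("escalate:", escalation_candidates(recs, threshold=4))
```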
Other stats:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| --- | --- | --- | --- | --- |
| Bad HELOs | 3613 | 165 | 1645 | 155 |
| Bad bounces | 774 | 570 | 1096 | 424 |
I'm not going to try to read meaning into the changed bounce count.
There were definitely some quite persistent sources of bad HELO names this week.
2005-11-06
Weekly spam summary on November 5th, 2005
This week we received 12,872 email messages from 229 different IP addresses. Our SMTP server handled 22,584 sessions from 1,544 different IP addresses, which is significantly down from last week.
To go with it, overall connections are down a lot from last week: we only saw 93,950 connections from at least 31,000 different IP addresses. I believe this is the lowest connection rate I've seen since I started doing weekly stats, and probably for some time before then.
| Day | Connections | different IPs |
| --- | --- | --- |
| Sunday | 15,100 | +4,500 |
| Monday | 15,130 | +3,800 |
| Tuesday | 12,200 | +4,560 |
| Wednesday | 13,600 | +5,400 |
| Thursday | 13,000 | +4,200 |
| Friday | 14,600 | +4,350 |
| Saturday | 10,200 | +4,100 |
Compared to two weeks ago, the per day different IP counts are somewhat but not hugely lower, while the number of connections are way, way down and very consistent. (Note that Sunday and Saturday are partial days, as usual.)
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| --- | --- | --- |
| 66.154.124.0/28 | 15309 | 857K |
| 69.105.51.114 | 12654 | 592K |
| 212.216.176.0/24 | 11677 | 605K |
| 66.154.124.16 | 7166 | 401K |
| 85.214.22.252 | 7122 | 342K |
| 82.33.105.147 | 4513 | 211K |
| 216.7.201.43 | 4063 | 195K |
| 61.128.0.0/10 | 2852 | 144K |
| 66.154.124.17 | 2336 | 131K |
| 210.212.161.2 | 2264 | 109K |
Again there's something odd. The usual top ten cutoff is at least 4,000 packets, but this week it's all the way down to 2,000; we simply haven't blocked very many active sources. On the other hand, there's a couple of very active sources.
- 66.154.124.0/28, SBL24721, continues its rampage.
- 66.154.124.16 and 66.154.124.17 are in SBL26860.
- 85.214.22.252 reappears from last week, still on the ORDB; maybe they'll give up soon or get fixed.
- 82.33.105.147 is a blueyonder.co.uk cablemodem.
- 210.212.161.2 is some machine in India with no reverse DNS; we haven't talked to anything from APNIC space without reverse DNS for years. It's also on the CBL and various other DNS blocklists.
- 216.7.201.43 reappears from here, still with a bad HELO name.
- 69.105.51.114 is a PacBell ADSL line with a bad HELO name. (It's sometimes very tempting to block all PacBell ADSL lines, but at least some of them are statically assigned business lines. Unfortunately you can't tell which are which, since PacBell uses generic reverse DNS names.)
Connection time rejection stats:
13876 total
5903 dynamic IP
4777 bad or no reverse DNS
1730 class bl-cbl
286 class bl-sbl
283 class bl-spews
222 class bl-ordb
160 class bl-dsbl
95 class bl-njabl
77 class bl-sdul
8 class bl-opm
Unsurprisingly everything has gone down compared to last week, sometimes through the floor. No single source stands out.
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| --- | --- | --- | --- | --- |
| Bad HELOs | 1645 | 155 | 18117 | 922 |
| Bad bounces | 1096 | 424 | 2985 | 1690 |
Bad HELOs have dropped by a stone, although bounces are only down by 50% (from a lot fewer places, though).
Just to rain on any good news parade, Hotmail spam is up from last week:
- three actual email messages accepted; at least one was almost certainly spam.
- 11 Hotmail messages refused due to their originating IP addresses (8 in the SBL, one in the XBL, one from Gilat-Satcom again, one from Burkina Faso).
- 300 messages from Hotmail refused because they came from non-Hotmail email addresses.