Weekly spam summary on September 10th, 2005

September 11, 2005

Overall connections are up from last week: 239,000 SMTP connections from 39,000 different IP addresses. The SMTP frontend's highwater mark is up again, hitting 29 simultaneous connections.

Top 10 kernel level SMTP rejections:

  Host/Mask           Packets   Bytes
                        13913    638K
                        13025    625K
                         8955    448K
                         7584    364K
                         6232    313K
                         5927    356K
                         5530    256K
                         5461    328K
                         5279    253K
                         5153    309K

One of these listings turns out to be a mistake, due to an old listing for Broadwing dialup/dynamic address space that is clearly no longer valid. We probably have other now-invalid rejection rules, but they're hard to find and I don't have enough time and energy to systematically recheck things.

(Much of our dynamic IP address blocking is based on hostname patterns, which is hopefully less prone to rotting over time.)

Of the rest:

  • mx.terra.es is a frequent top-10 listing; it was blocked for its usual rapid spew of invalid HELO names.
  • netfence.spss.com is also a repeat offender for bad HELO names.
  • One entry is Netvigator's mail servers, which we haven't been willing to talk to for years anyway.
  • mail1002.centrum.cz appeared before in IPReject-2005-06-18. They're still in dnsbl.njabl.org, and checking their listing I see they've been there since May 26th, 2005, due to spewing out advance fee fraud spam. We have had all centrum.cz mail machines banned from our mailer for some time for the same reason.
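Two of the entries above were blocked for sending invalid HELO names. As an added illustration (not code from the original post or from our mailer), here is a purely syntactic HELO/EHLO argument check of the kind a connection-time filter can apply before doing anything more expensive: the argument must be either a fully qualified domain name with well-formed labels or a bracketed address literal. The sample HELO strings in the usage are constructed, and 192.0.2.1 is an RFC 5737 documentation address.

```python
import ipaddress
import re

# A DNS label: 1-63 chars of letters, digits and '-', not starting or ending
# with '-'.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def helo_is_valid(helo):
    """Return True if HELO/EHLO argument is syntactically acceptable.

    Accepted forms:
      - a fully qualified domain name: at least two labels, every label a
        valid DNS label, and an alphabetic top-level label
      - an address literal in brackets, e.g. [192.0.2.1]
    Anything else (bare hostnames, empty strings, junk) is rejected.
    This is a syntax check only; it says nothing about whether the name
    resolves or matches the connecting address.
    """
    if not helo or len(helo) > 255:
        return False
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.ip_address(helo[1:-1])
            return True
        except ValueError:
            return False
    labels = helo.split(".")
    if len(labels) < 2:
        return False
    if not all(LABEL.match(label) for label in labels):
        return False
    return labels[-1].isalpha()


def count_bad_helos(helos):
    """Count invalid HELO arguments in a sequence (e.g. from one client IP)."""
    return sum(1 for h in helos if not helo_is_valid(h))


if __name__ == "__main__":
    # Constructed sample HELO arguments, as a spewing client might send them.
    samples = ["mail.example.com", "localhost", "[192.0.2.1]", "[999.1.1.1]",
               "-bad.example.com", "host.example.1", "", "mx.terra.es"]
    for h in samples:
        print(repr(h), "->", "ok" if helo_is_valid(h) else "REJECT")
    print("bad HELOs:", count_bad_helos(samples))
```

A real filter would pair this with a rate check (how many rejected HELOs per connection or per source in a window), which is what turns a single typo into the "rapid spew" that earns a kernel-level block.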

Connection-time rejection stats:

  27106 total
  12298 dynamic IP
   8595 bad or no reverse DNS
   1783 class bl-cbl
   1563 class bl-sbl
   1068 class bl-spews
    581 class bl-dsbl
    300 class bl-ordb
    188 class bl-njabl
     69 class bl-sdul
     11 class bl-opm

The big jump in SBL hits is due to 1,131 hits from SBL20671, the ROKSO listing for 'OC3 Networks - Ilan Mishan'. In turn this was all due to a subnet that is full of IP addresses with reverse DNS to hostnames of the form '{crv,crve}.????.com'. The four characters in the domain name are usually letters, but I've seen some use of numbers and '-'.
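Since much of our dynamic-address blocking is pattern-based on reverse DNS names, here is an added example (my own illustration, not the mailer's actual rule set) of how such a classifier works, using the '{crv,crve}.????.com' form described above plus a constructed generic dynamic/dialup pattern. The hostnames fed to it are constructed samples; the pattern names and the "no-rdns" bucket are my own labels.

```python
import re
from collections import Counter

# Pattern table: name -> compiled regex over the reverse-DNS hostname.
# The crv/crve pattern is the form described in the post (four chars that
# may be letters, digits or '-'); the dynamic-ip pattern is a constructed
# stand-in for the kind of dialup/dynamic naming conventions a real list holds.
PATTERNS = {
    "crv-subnet": re.compile(r"^crve?\.[a-z0-9-]{4}\.com$", re.IGNORECASE),
    "dynamic-ip": re.compile(r"(^|[.-])(dyn|dynamic|dial(up)?|ppp|pool)[.-]",
                             re.IGNORECASE),
}


def classify_rdns(hostname):
    """Return the rejection class for a reverse-DNS name, or None to accept.

    None or an empty string means the connecting IP had no reverse DNS,
    which gets its own class (the post's "bad or no reverse DNS" bucket).
    """
    if not hostname:
        return "no-rdns"
    for name, pattern in PATTERNS.items():
        if pattern.search(hostname):
            return name
    return None


def rejection_stats(hostnames):
    """Tally rejection classes over a list of reverse-DNS names."""
    counts = Counter()
    for h in hostnames:
        cls = classify_rdns(h)
        counts[cls if cls is not None else "accepted"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample of reverse-DNS names seen at connection time.
    sample = ["crv.abcd.com", "crve.a1-b.com", "crv.toolong.com",
              "dyn-12-34.example.net", "host.dynamic.example.org",
              "mail.example.com", None, ""]
    for h in sample:
        print(repr(h), "->", classify_rdns(h))
    print(rejection_stats(sample))
```

The point of keying on hostname patterns rather than address ranges is the one made earlier: a provider's naming convention usually outlives any particular netblock assignment, so the rule rots more slowly than a hard-coded address range like the stale Broadwing entry.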

To break up the monotony, the spammer threw in marketing-miracles.com, greatdealsforme.com (a more honest spammer domain name than usual), mylinemarketing.com, and marketingwarpspeed.com. They, and all the funny domains, all seem to be registered to the same organization, allegedly

Elbicho Ltd
Limited Elbicho
26 fremantle Court
Harbour Views, Gibraltar n/a

(Sometimes 'Elbicho Limited'.)

I can only hope that the spammer is paying real money for that parade of domain names. (Probably not, though. Although they seem to have been registered back in May, so hopefully the registrar will have gotten some actual money from the spammer.)

In SPEWS news, mail.uk.tiscali.com keeps showing up (although not high in the league tables). This is probably because they are a prolific advance fee fraud spam source, although they may protest otherwise (there was a recent thread on news.admin.net-abuse.email claiming reform, which various people laughed at).

The usual eyeball scan shows bad HELOs and bounces to nonexistent local addresses down somewhat over last week.

And that concludes tonight's presentation of The Week In Spam.

Written on 11 September 2005.


Last modified: Sun Sep 11 02:14:26 2005