Weekly spam summary on December 24th, 2005

December 25, 2005

Merry Christmas and happy holidays to all, and to the spammers a lump of coal since they do not seem to be taking time off at all.

This week we received 14,342 email messages from 206 different IP addresses. Our SMTP server handled 74,689 sessions from 6,178 different IP addresses. Received email is down from last week, which is no surprise since the university knocked off for Christmas holidays on Wednesday, but session volume is way up.

Connection volume is up too: 262,200 connections from at least 44,100 different IP addresses. Interestingly, total IP addresses aren't up all that much from last week. Broken down by days:

Day Connections different IPs
Sunday 22,860 +7,080
Monday 21,190 +6,460
Tuesday 20,760 +6,060
Wednesday 21,370 +6,430
Thursday 21,900 +5,840
Friday 47,000 +6,600
Saturday 107,110 +5,640

Apparently spammers get a real 'bah humbug', given the explosion in connections on Friday and especially Saturday, Christmas Eve.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes          37005   2220K             6782    303K           6153    313K         5205    259K           4552    213K           4264    196K          4037    189K           3996    226K           3965    185K        3676    169K

It's rare that all of the top ten are individual IP addresses, which goes to show how active the spam has been recently.

  • is a fastweb.it machine; we don't talk to them due to previous spam problems.
  • Reappearing from before are,, and
  • and used bad HELO names a lot.
  • is on the CBL; from its hostname, it may be a NAT machine.
  • and are both end-user machines, one a DSL line and one a cablemodem.
  • is in SPEWS due to UUNet's habit of continuing to take money from Eric Reinertsen.

Connection time rejection stats:

  31796 total
  16883 dynamic IP
   7385 bad or no reverse DNS
   3344 class bl-cbl
   1749 class bl-spews
    586 class bl-dsbl
    460 class bl-ordb
    435 class bl-sbl
    265 class bl-sdul
     28 class bl-opm
     20 class bl-njabl

SPEWS has jumped a lot from last week, but everyone else seems to have held more or less to par. There are a number of pretty active sources, but no one over 277 connection rejections.

The other numbers are eye-opening:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 36014 888 2088 169
Bad bounces 15449 3456 2754 738

This has been a catastrophic week for bad HELO names and for bounces. sent us over 1600 bad HELO names before getting blocked, and there are a lot of people in the several hundred range. (Partly this may be because we have been blocking people less often.)

Bad bounces are not quite so voluminous, but all sorts of people upended hundreds on us, including AOL. The most active is, with 330 sessions. It seems clear that spammers have started forging our domains in their spam runs once again.

The Hotmail numbers are their usual dismal levels:

  • 3 email messages accepted; at least one was likely spam.
  • 250 messages rejected because they came from non-Hotmail email addresses.
  • 71 messages sent to our spamtraps.
  • 13 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (three for being in the SBL, one for being in the CBL, and one from Benin).

(This is a little bit lower than last week, so maybe some Hotmail spammers are taking time off.)

Written on 25 December 2005.
« When comment spammers attack
Thinking about a closure confusion »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Dec 25 00:53:07 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.