Weekly spam summary on December 31st, 2005

January 1, 2006

This week we received 12,270 email messages from 159 different IP addresses. Our SMTP server handled 31,972 sessions from 2,643 different IP addresses. Session volume is down from last week, which is a relief, although it's not back down to the historical levels yet.

However, connection volume has not dropped substantially from last week: 260,000 connections from at least 53,760 different IP addresses, with a highwater of 12 simultaneous connections being checked. Oddly, the number of different IPs has jumped substantially. Broken down by days:

Day Connections different IPs
Sunday 69,300 +7,220
Monday 34,460 +7,900
Tuesday 33,860 +7,880
Wednesday 28,000 +8,120
Thursday 34,460 +8,290
Friday 33,630 +8,310
Saturday 26,060 +6,040

The connections per day shows the major spam overhang from last weekend, followed by a fairly constant rain of incoming connections over the rest of the week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes           19352    973K            18992    848K          7596    334K            6931    319K          6738    309K           6699    402K           6541    314K            5641    278K         5193    249K          5090    224K

The packet stats are up a fair bit from last week, with two runaway winners (although not quite at the level of last week's grand champion).

  • got blocked for sending us too much spam backscatter, and apparently kept generating it quite actively.
  • continues from last week, still using its bad HELO name.
  •,,, and all spewed bad HELO names at us.
  • and are both considered 'dialup' machines.
  • is terra.es's main outbound server and has been blocked here for ages for being an active spam source.
  • sent mail to a spamtrap and then kept trying to send more email to us with the same MAIL FROM.

Connection time rejection stats:

  46350 total
  27594 dynamic IP
  12425 bad or no reverse DNS
   4438 class bl-cbl
    527 class bl-spews
    321 class bl-dsbl
    247 class bl-sdul
    191 class bl-sbl
     97 class bl-ordb
     16 class bl-opm
      7 class bl-njabl

The CBL and generic 'dynamic/dialup' hits are up compared to last week and dominate the rejection rate, which is a strong sign that many of the connection attempts are spam delivery attempts from compromised machines. A number of IPs made hundreds of attempts to connect to us (the most active was, with 424 attempts), and of the top 30 connecting IPs, 24 of them are on the CBL.

The other numbers aren't as bad as last week, but they're still not pleasant:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 12700 578 36016 888
Bad bounces 4196 1123 15450 3456

I think that both dropping a lot show that most of this week's load is direct spam, instead of backscatter from spammers forging our domains in their MAIL FROM.

And to round out the last entry of the (nominal) year, here's the less depressing than usual Hotmail numbers:

  • five email messages accepted, at least one of which seems to have been a spam backscatter bounce.
  • 100 messages rejected because they came from non-Hotmail email addresses.
  • 36 messages sent to our spamtraps.
  • 10 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one for being in the SBL and one from a telkom.co.za DSL line that's also on the CBL).

Apparently a number of Hotmail's spammers do take the holidays off.

Welcome to 2006. May it have less spam than 2005.

Written on 01 January 2006.
« Notes on getting a Solaris hardware inventory
Universities are peculiar places »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Jan 1 01:52:20 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.