Weekly spam summary on January 28th, 2006

January 29, 2006

Another week, another set of cruddy Hotmail spam numbers. Let's see how bad things are this week:

  • here's a new one: no email accepted from Hotmail this week.
  • 216 messages rejected because they came from non-Hotmail email addresses.
  • 107 messages sent to our spamtraps.
  • 20 messages refused because their sender addresses had already hit our spamtraps.
  • 6 messages refused due to their origin IP address (three for being from SAIX, two for being on the SBL, and one for being from Gilat-Satcom).

Apart from accepting no email, this is actually somewhat low for Hotmail. Still, it does mean they are batting 349 to nothing this week, which is not exactly a good performance.

As for the other numbers, this week we received 12,595 email messages from 210 different IP addresses. Our SMTP server handled 17,443 sessions from 953 different IP addresses. All of this is about the same as last week. The connection rate is down slightly: 133,000 connections from at least 51,059 different IP addresses. The simultaneous connections highwater only hit 10, down significantly from last week, and the per day numbers look like this:

Day          Connections   different IPs
Sunday            18,801          +7,546
Monday            18,573          +6,820
Tuesday           21,563          +7,962
Wednesday         20,231          +8,479
Thursday          18,313          +6,810
Friday            21,467          +7,428
Saturday          14,029          +6,014

Again an even week, like last week; if it's this even next week, I'll be skipping this table.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
65.109.239.171         8693    522K
207.107.201.74         5379    246K
85.159.15.80           5294    318K
67.66.209.246          5264    246K
61.128.0.0/10          4616    231K
212.216.176.0/24       4369    218K
216.27.227.2           3204    154K
193.2.4.66             3073    169K
218.0.0.0/11           2477    124K
213.29.7.174           2451    147K

Chinese networks are slightly less represented than last week, but the highest numbers are higher. So how did our contestants qualify?

  • 65.109.239.171 reappears from all the way back in July, and was blocked for being a spammer.
  • 213.29.7.174 is a centrum.cz machine that's still getting rejected for being in dnsbl.njabl.org. I may just permanently list their /24 at this rate.
  • 67.66.209.246 is a swbell.net DSL line, plus they're listed in both dnsbl.njabl.org and relays.ordb.org. Fail.
  • 207.107.201.74 and 216.27.227.2 gave us too many bad HELO names.
  • 193.2.4.66 sent email to spamtraps and then kept trying to deliver more email from the same user.
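The rejections counted in the Hotmail list above and the reasons the "contestants" qualified (non-Hotmail sender addresses from Hotmail servers, spamtrap hits, senders that had already hit a spamtrap, bad HELO names) are all decisions a mail server can make at SMTP time. The following is an added illustration of those checks, written for this page; it is not the author's mail server configuration. The Hotmail host pattern, the spamtrap addresses, the HELO rules and the rejection wording are assumptions, and every host and address in it is constructed.

```python
"""Added example: SMTP-time sender policy checks of the kinds this summary counts.

Illustrative code for this page, not the author's configuration. The host
name patterns, spamtrap addresses and rejection texts are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, List

# Assumed: Hotmail's outbound servers are recognised by their reverse DNS
# name, and mail from them should carry a Hotmail-run sender domain.
HOTMAIL_HOST_RE = re.compile(r"\.hotmail\.com$", re.IGNORECASE)
HOTMAIL_SENDER_DOMAINS = {"hotmail.com", "msn.com"}

# Constructed spamtrap addresses: nothing legitimate is ever sent here.
SPAMTRAPS = {"retired-account@example.org", "old-list@example.org"}

# Names a remote client must never claim in HELO (our own host names).
OUR_NAMES = {"mail.example.org", "example.org"}
# A plausible HELO: a fully qualified name made of DNS-legal labels.
FQDN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})+$")
BARE_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class PolicyState:
    """State that persists across SMTP sessions."""
    trapped_senders: Set[str] = field(default_factory=set)


def check_helo(helo: str, client_ip: str) -> Optional[str]:
    """Return a rejection reason for a bad HELO/EHLO name, else None."""
    if helo.startswith("[") and helo.endswith("]"):
        # Address literal: acceptable only if it names the connecting client.
        return None if helo[1:-1] == client_ip else "HELO address literal is not the client"
    if BARE_IP_RE.match(helo):
        return "HELO is a bare IP address"
    if helo.lower() in OUR_NAMES:
        return "HELO claims to be one of our own host names"
    if not FQDN_RE.match(helo):
        return "HELO is not a fully qualified host name"
    return None


def evaluate(state: PolicyState, client_ip: str, client_host: str,
             helo: str, mail_from: str, rcpt_tos: List[str]) -> Tuple[bool, str]:
    """Decide one SMTP transaction; returns (accepted, reason) and updates state."""
    reason = check_helo(helo, client_ip)
    if reason:
        return False, reason

    sender = mail_from.lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""

    # Mail relayed by a Hotmail server but claiming a non-Hotmail sender.
    if HOTMAIL_HOST_RE.search(client_host) and sender_domain not in HOTMAIL_SENDER_DOMAINS:
        return False, "non-Hotmail sender address from a Hotmail server"

    # A sender that has already hit a spamtrap is refused for all recipients,
    # which is what stops "more email from the same user" after a trap hit.
    if sender in state.trapped_senders:
        return False, "sender address previously hit a spamtrap"

    # Any spamtrap recipient marks the sender and rejects the whole transaction.
    trapped = [r for r in rcpt_tos if r.lower() in SPAMTRAPS]
    if trapped:
        state.trapped_senders.add(sender)
        return False, "recipient is a spamtrap: " + ", ".join(trapped)

    return True, "accepted"


if __name__ == "__main__":
    st = PolicyState()
    # Constructed sessions, evaluated in order so the spamtrap state carries over.
    print(evaluate(st, "192.0.2.10", "mx-out.hotmail.com", "mx-out.hotmail.com",
                   "promo@offers.example", ["user@example.org"]))
    print(evaluate(st, "198.51.100.5", "mx.constructed.example", "mx.constructed.example",
                   "fairtax@constructed.example", ["retired-account@example.org"]))
    print(evaluate(st, "198.51.100.5", "mx.constructed.example", "mx.constructed.example",
                   "fairtax@constructed.example", ["user@example.org"]))
```

The order of the checks matters: HELO is the cheapest test and needs no state, the origin-versus-sender-domain test needs only the client's reverse DNS, and the spamtrap tests are the only ones that read and write persistent state. A real deployment would persist `trapped_senders` across restarts and expire entries, which this illustration leaves out.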

Connection time rejection stats:

  26698 total
  13751 dynamic IP
   9086 bad or no reverse DNS
   2760 class bl-cbl
    194 class bl-ordb
    119 class bl-spews
    113 class bl-sbl
    112 class bl-njabl
    109 class bl-sdul
     89 class bl-dsbl
     13 class bl-opm

Several dialup machines were quite active in connection attempts, the top one being 24.178.115.13 at 281 attempts before it gave up. 16 of the top 30 source IPs were in the CBL, none in the SBL, and 9 are currently in bl.spamcop.net.
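The rejection table and the "top 30 source IPs" figures above are the kind of summary that falls out of aggregating a mail server's rejection log by reason and by source address. As an added example that is not the author's tooling, here is a small aggregator over constructed syslog-style lines; the line format is an assumption, and the DNSBL membership set is a stand-in for a live lookup.

```python
"""Added example: aggregating connection-time rejections from an MTA log.

Written for this page as an illustration, not the author's own tooling.
The log line format is constructed, and CBL_LISTED stands in for a real
DNSBL query.
"""
import re
from collections import Counter
from typing import Iterable, Iterator, List, Set, Tuple

LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ smtpd\[\d+\]: reject "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<reason>.+)$"
)

# Constructed sample log lines; timestamps and addresses are made up.
SAMPLE_LOG = """\
Jan 22 03:14:15 mx smtpd[4101]: reject 24.178.115.13 dynamic IP
Jan 22 03:14:19 mx smtpd[4101]: reject 24.178.115.13 dynamic IP
Jan 22 03:15:02 mx smtpd[4102]: reject 61.128.4.5 class bl-cbl
Jan 22 03:15:40 mx smtpd[4103]: reject 198.51.100.7 bad or no reverse DNS
Jan 22 03:16:01 mx smtpd[4104]: accept 203.0.113.9
Jan 22 03:16:33 mx smtpd[4105]: reject 24.178.115.13 dynamic IP
Jan 22 03:17:10 mx smtpd[4106]: reject 61.128.4.5 class bl-cbl
Jan 22 03:18:45 mx smtpd[4107]: reject 192.0.2.77 class bl-sbl
Jan 22 03:19:00 mx smtpd[4108]: this line is not a rejection record
"""

# Stand-in for a DNSBL lookup: which sources a blocklist currently lists.
CBL_LISTED: Set[str] = {"61.128.4.5"}


def parse_rejections(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (ip, reason) per rejection line; accepts and junk lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("reason")


def summarize(lines: Iterable[str]) -> Tuple[Counter, Counter]:
    """Count rejections by reason and by source IP."""
    by_reason: Counter = Counter()
    by_ip: Counter = Counter()
    for ip, reason in parse_rejections(lines):
        by_reason[reason] += 1
        by_ip[ip] += 1
    return by_reason, by_ip


def format_table(by_reason: Counter) -> str:
    """Render the by-reason counts as a right-aligned table with a total first."""
    total = sum(by_reason.values())
    rows = [("total", total)] + sorted(by_reason.items(), key=lambda kv: (-kv[1], kv[0]))
    width = max(5, len(str(total)))
    return "\n".join(f"{n:>{width}} {name}" for name, n in rows)


def top_sources(by_ip: Counter, n: int, listed: Set[str]) -> Tuple[List[Tuple[str, int]], int]:
    """Top-n rejected sources and how many of them appear in a blocklist set."""
    top = by_ip.most_common(n)
    hits = sum(1 for ip, _ in top if ip in listed)
    return top, hits


if __name__ == "__main__":
    reasons, ips = summarize(SAMPLE_LOG.splitlines())
    print(format_table(reasons))
    top, hits = top_sources(ips, 3, CBL_LISTED)
    print(f"top sources: {top}; {hits} of them in the CBL")
```

Counting by source IP as well as by reason is what surfaces the persistent retrying host (the `24.178.115.13` style entry at the top of the list) rather than burying it in the reason totals.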

Other stats:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs                        458 (37)                     180 (41)
Bad bounces                      100 (68)                      37 (31)

Bad HELOs are not as bad as they look: the total number of sources is down, and 68% come from just two IPs, 69.30.124.210 (214 bad HELOs) and 65.242.71.66 (97). Unfortunately there is no good news in the bad bounces, so it looks like spammers are starting to forge our domains in their MAIL FROMs.

Oh well, it was a nice dream while it lasted.

Sidebar: the interesting case of 65.109.239.171

65.109.239.171 is an interesting case. Unfortunately I don't know what it was listed for in July, but this time around it got in by being 'host.tucksprofessionalservices.com', which is either a spammer for hire or 'Trueman Tuck', a spamming 'Legal & Political Activist' whose domains include 'taxtyranny.ca'. Or possibly both. Apparently it has kept trying hard to deliver that spam this week.

Our records say that the 'fairtax@host.tucksprofessionalservices.com' origin email address first hit our spamtraps on October 24th, 2005, from the same IP address, so evidently the spam has been flowing for some time. I suspect that it was blasted out fairly widely (widely enough that we captured a full copy in email elsewhere) this time due to the Canadian federal election on January 23rd. The copy we captured arrived January 22nd and claimed to have been sent late on Friday the 20th, just barely in time to be a last minute political blitz.

(The content was the kind of far out there political ranting that makes my eyes bleed enough that I didn't try to read very much of it.)

All of the websites this person seems to operate are hosted out of more Alabanza IP address space at (more or less roughly) 65.109.180.0/27. Since it's Alabanza and a spammer, I've now blocked the entire /24.

(Complain to Alabanza? Are you kidding? I have far more productive things to do with my time.)

Written on 29 January 2006.
Last modified: Sun Jan 29 01:51:18 2006