Weekly spam summary on January 28th, 2006
Another week, another set of cruddy Hotmail spam numbers. Let's see how bad things are this week:
- here's a new one: no email accepted from Hotmail this week.
- 216 messages rejected because they came from non-Hotmail email addresses.
- 107 messages sent to our spamtraps.
- 20 messages refused because their sender addresses had already hit our spamtraps.
- 6 messages refused due to their origin IP address (three for being from SAIX, two for being on the SBL, and one for being from Gilat-Satcom).
Apart from accepting no email, this is actually somewhat low for Hotmail. Still, it does mean they are batting 349 to nothing this week, which is not exactly a good performance.
As for the other numbers, this week we received 12,595 email messages from 210 different IP addresses. Our SMTP server handled 17,443 sessions from 953 different IP addresses. All of this is about the same as last week. The connection rate is down slightly: 133,000 connections from at least 51,059 different IP addresses. The simultaneous connections highwater only hit 10, down significantly from last week, and the per day numbers look like this:
Again an even week, like last week; if it's this even next week, I'll be skipping this table.
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
18.104.22.168           8693    522K
22.214.171.124          5379    246K
126.96.36.199           5294    318K
188.8.131.52            5264    246K
184.108.40.206/10       4616    231K
220.127.116.11/24       4369    218K
18.104.22.168           3204    154K
22.214.171.124          3073    169K
126.96.36.199/11        2477    124K
188.8.131.52            2451    147K
Chinese networks are slightly less represented than last week, but the highest numbers are higher. So how did our contestants qualify?
- 184.108.40.206 reappears from all the way back in July, and was blocked for being a spammer.
- 220.127.116.11 is a centrum.cz machine that's still getting rejected for being in dnsbl.njabl.org. I may just permanently list their /24 at this rate.
- 18.104.22.168 is a swbell.net DSL line, plus they're listed in both
- 22.214.171.124 and 126.96.36.199 gave us too many bad
- 188.8.131.52 sent email to spamtraps and then kept trying to deliver more email from the same user.
Connection time rejection stats:
26698 total
13751 dynamic IP
 9086 bad or no reverse DNS
 2760 class bl-cbl
  194 class bl-ordb
  119 class bl-spews
  113 class bl-sbl
  112 class bl-njabl
  109 class bl-sdul
   89 class bl-dsbl
   13 class bl-opm
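As an added illustration (not code from this post or its mail system), here is a toy Python model of the two layers of rejection tallied above: connection-time checks that classify a source IP into the same categories as the stats, and the spamtrap sender memory from the bullet list (a sender address that hits a trap is refused on later attempts). All IPs, addresses and list memberships are constructed; a real server would look these up in DNS and the DNSBLs.

```python
from collections import Counter

# Constructed inputs standing in for DNS and DNSBL lookups.
DYNAMIC_IPS = {"192.0.2.10"}
NO_REVERSE_DNS = {"192.0.2.20"}
DNSBL_CLASSES = {"192.0.2.30": "bl-cbl", "192.0.2.40": "bl-sbl"}
SPAMTRAPS = {"trap@example.org"}

def connection_check(ip):
    """Return the rejection class for ip, or None to let the session proceed.
    Order mirrors the post's summary: dynamic IP, then reverse DNS, then DNSBLs."""
    if ip in DYNAMIC_IPS:
        return "dynamic IP"
    if ip in NO_REVERSE_DNS:
        return "bad or no reverse DNS"
    if ip in DNSBL_CLASSES:
        return "class " + DNSBL_CLASSES[ip]
    return None

def run(attempts):
    """attempts: list of (ip, sender, recipient) tuples, in arrival order.
    Returns a Counter of outcomes ('total' counts connection-time rejections
    only, as in the stats) and the set of senders that hit a spamtrap."""
    trapped_senders = set()
    stats = Counter()
    for ip, sender, rcpt in attempts:
        reason = connection_check(ip)
        if reason:
            stats["total"] += 1
            stats[reason] += 1
            continue
        if sender in trapped_senders:
            # The sender previously hit a trap: refuse before looking at the recipient.
            stats["sender previously hit spamtrap"] += 1
        elif rcpt in SPAMTRAPS:
            trapped_senders.add(sender)
            stats["sent to spamtrap"] += 1
        else:
            stats["accepted"] += 1
    return stats, trapped_senders

# Constructed sample sessions; the last two reproduce the pattern in the post
# (hit a spamtrap, then keep trying to deliver from the same sender address).
SAMPLE = [
    ("192.0.2.10", "a@example.net", "user@example.org"),
    ("192.0.2.20", "b@example.net", "user@example.org"),
    ("192.0.2.30", "c@example.net", "user@example.org"),
    ("192.0.2.50", "d@example.net", "user@example.org"),
    ("192.0.2.50", "spam@example.net", "trap@example.org"),
    ("192.0.2.50", "spam@example.net", "user@example.org"),
]
```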
Several dialup machines were quite active in connection attempts, the
top one being 184.108.40.206 at 281 attempts before it gave up. 16 of
the top 30 source IPs were in the CBL, none in the SBL, and 9 are
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
HELOs are not as bad as it looks; the total number of sources is
down, 68% come from just two IPs: 220.127.116.11 (214 bad
18.104.22.168 (97). Unfortunately there is no good news with the bad
bounces, so it looks like spammers are starting to forge our domains
Oh well, it was a nice dream while it lasted.
Sidebar: the interesting case of 22.214.171.124
126.96.36.199 is an interesting case. Unfortunately I don't know what it was listed for in July, but this time around it got in by being 'host.tucksprofessionalservices.com', which is either a spammer for hire or 'Trueman Tuck', a spamming 'Legal & Political Activist' whose domains include 'taxtyranny.ca'. Or possibly both. Apparently it has kept trying hard to deliver that spam this week.
Our records say that the 'email@example.com' origin email address first hit our spamtraps on October 24th, 2005, from the same IP address, so evidently the spam has been flowing for some time. I suspect that it was blasted out fairly widely (widely enough that we captured a full copy in email elsewhere) this time due to the Canadian federal election on January 23rd. The copy we captured arrived January 22nd and claimed to have been sent late on Friday the 20th, just barely in time to be a last minute political blitz.
(The content was the kind of far out there political ranting that makes my eyes bleed enough that I didn't try to read very much of it.)
All of the websites this person seems to operate are hosted out of more Alabanza IP address space at (more or less roughly) 188.8.131.52/27. Since it's Alabanza and a spammer, I've now blocked the entire /24.
(Complain to Alabanza? Are you kidding? I have far more productive things to do with my time.)