== Weekly spam summary on February 18th, 2006

Now that I've [[automated ../sysadmin/AutomationPromotesAction]] almost all of the Hotmail spam report, of course it turns out we've had a quiet week, even more so than [[last week SpamSummary-2006-02-11]]:

* no messages accepted.
* 22 messages rejected because they came from non-Hotmail email addresses.
* 54 messages sent to our spamtraps.
* 13 messages refused because their sender addresses had already hit our spamtraps.
* 5 messages refused due to their origin IP address (one in the SBL, one in the CBL, one from Nigeria, one from Gilat-Satcom, and one from SAIX).

All of these are down from [[last week]], although not always by huge amounts. Hopefully this will continue, although I note that for all the low numbers Hotmail is *still* batting 94 to nothing this week. And insisting that people jump through hoops to report Hotmail spam.

The basic stats:

* got 13,656 messages from 222 different IP addresses.
* handled 25,483 sessions from 2,261 different IP addresses.
* received 156,390 connections from at least 50,712 different IP addresses.
* a highwater of 27 connections being checked at once.

Everything is slightly down from [[last week]] except for the number of different IP addresses doing SMTP sessions. The per day table is slightly interesting this week:

| Day | Connections | different IPs
| Sunday | 23,590 | +7,935
| Monday | 22,349 | +8,156
| Tuesday | 24,991 | +7,396
| Wednesday | 26,030 | +7,478
| Thursday | 22,129 | +7,239
| Friday | 21,328 | +7,187
| Saturday | 15,973 | +5,321

Someday, someone is going to do a fascinating article on what days spammers prefer for their spam runs, and why. Have the spammers done 'market research' on what days get the best results, for example?
Kernel level packet filtering top ten:

    Host/Mask          Packets   Bytes
    69.90.73.20          5785    347K
    212.216.176.0/24     4821    237K
    61.128.0.0/10        3479    181K
    219.128.0.0/12       2635    138K
    80.128.0.0/12        2409    139K
    220.160.0.0/11       2234    114K
    69.223.241.2         2178    111K
    24.147.105.129       2097    101K
    221.216.0.0/13       2073    105K
    218.0.0.0/11         2004    102K

This is a slow week for individual IP addresses; only *three* made it into the top ten. 24.147.105.129 reappears from [[last October SpamSummary-2005-10-08]], because it is still listed in SPEWS. 69.90.73.20 and 69.223.241.2 both got blocked for lots of unresolvable _HELO_s. The 80.128.0.0/12 area belongs to Deutsche Telekom and made the list [[last December SpamSummary-2005-12-10]]; I've seen nothing since then that makes me reconsider our permanent blocks. All the other netblocks listed belong to various Chinese networks.

Connection time rejection stats:

    26730 total
    13007 dynamic IP
     8886 bad or no reverse DNS
     3056 class bl-cbl
      488 class bl-spews
      319 class bl-ordb
      232 class bl-dsbl
      125 class bl-sbl
       53 class bl-sdul
       48 class bl-njabl
        4 class bl-opm

Somewhat down from [[last week]], and much more evenly distributed among different IP addresses; only 4 IP addresses were refused 100 times or more, and the winner (218.210.168.102, a Taiwanese IP address blocked for bad reverse DNS) only managed 135 times. Six of the 30 most refused IPs are in the [[CBL http://cbl.abuseat.org/]] and five are currently in _bl.spamcop.net_; none are in the [[SBL http://www.spamhaus.org]] this week. Interestingly, exactly 100 refused IPs are in the SBL at the moment, in 62 different SBL listings.
Here are the top hits:

| # of different IPs | SBL listing | listed: | who/what
| 8 | [[SBL22806|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL22806]] | 19-Feb-2006 | de.clara.net advance fee fraud
| 7 | [[SBL37830|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL37830]] | 12-Feb-2006 | Philippines based spammer hosting
| 7 | [[SBL35573|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL35573]] | ~~09-Dec-2005~~ | CNCGROUP Beijing
| 5 | [[SBL37409|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL37409]] | 07-Feb-2006 | Japanese spam source
| 4 | [[SBL35873|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL35873]] | ~~16-Dec-2005~~ | mailyes.net, Korean spam source (under bora.net)
| 4 | [[SBL19307|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL19307]] | ~~28-Aug-2005~~ | a /16 listing for a Chinese spam injection network
| 3 | [[SBL37888|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL37888]] | 14-Feb-2006 | Korean spam sources (dacom.net)
| 3 | [[SBL37860|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL37860]] | 13-Feb-2006 | 'Clear Reach Networks' spam network (SAVVIS)
| 3 | [[SBL37388|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL37388]] | 28-Jan-2006 | Ephedra spammers, 'Plumtree Solutions' (UUNet)

I find it heartening that none of these are ROKSO-listed spammers, and most of the listings are less than a month old (and that the oldest only dates to August 2005). Unfortunately, SpamHaus doesn't make their listings really easily queryable, so I can't report what the oldest SBL listing to hit us this week is.

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 6167 | 364 | 8423 | 248
| Bad bounces | 1994 | 1031 | 815 | 558

Spammers are clearly still forging us, and there are a lot of quite active mail servers with unresolvable _HELO_ names, although only nine tried 100 times or more. The standout winner for 'most backscatter' goes to 66.83.181.196 (349 hits), followed by 69.37.62.196 (199 hits) and 67.107.40.2 (111 hits).
Backscatter is one of those things that makes me grind my teeth, given that we're forged so often by spammers.
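As an added illustration (not code from the original post or from our mail system), here is the shape of the two checks behind the refusal figures above: the DNSBL lookup that puts an IP in a `class bl-cbl` or `class bl-sbl` bucket, and the per-reason and per-IP tallying that produces the "refused 100 times or more" count. The log lines and IPs are constructed; `resolve` is injectable so the logic runs offline.

```python
import ipaddress
import socket
from collections import Counter

# Constructed sample of connection-time refusals, "<ip> <reason>" per line,
# using the reason classes from the summary above. Not real log data.
SAMPLE_REFUSALS = """\
218.210.168.102 bad or no reverse DNS
218.210.168.102 bad or no reverse DNS
218.210.168.102 bad or no reverse DNS
192.0.2.10 dynamic IP
192.0.2.10 class bl-cbl
198.51.100.7 class bl-sbl
"""

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(ip, zone, resolve=socket.gethostbyname):
    """True only if the list answers inside 127.0.0.0/8.  A non-127 answer
    (e.g. a wildcard from a dead or hijacked zone) is treated as 'not listed'
    so a broken list cannot start refusing everyone.  resolve() is injectable
    so the logic can be exercised offline."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:          # socket.gaierror: NXDOMAIN, i.e. not listed
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

def refusal_report(text, threshold=100):
    """Per-reason and per-IP counts plus the IPs refused >= threshold times."""
    by_reason, by_ip = Counter(), Counter()
    for line in text.splitlines():
        ip, _, reason = line.partition(" ")
        by_reason[reason] += 1
        by_ip[ip] += 1
    heavy = [ip for ip, n in by_ip.most_common() if n >= threshold]
    return by_reason, by_ip, heavy

def top_refused_listed(by_ip, zone, resolve=socket.gethostbyname, top=30):
    """How many of the `top` most-refused IPs a given DNSBL currently lists."""
    return sum(dnsbl_listed(ip, zone, resolve) for ip, _ in by_ip.most_common(top))

if __name__ == "__main__":
    by_reason, by_ip, heavy = refusal_report(SAMPLE_REFUSALS, threshold=3)
    for reason, n in by_reason.most_common():
        print(f"{n:6d} {reason}")
    print("refused 3+ times:", heavy)
```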