Weekly spam summary on March 25th, 2006

March 26, 2006

The basic volume numbers for this week are that we:

  • got 19,744 messages from 236 different IP addresses.
  • handled 19,083 sessions from 955 different IP addresses.
  • received 139,156 connections from at least 43,459 different IP addresses.
  • hit a highwater of 31 connections being checked at once.

We got more emails this week than usual mostly because of a small mail loop explosion during the week that added several thousand extra to the usual tally. The connection count is down significantly from last week, but the other numbers are up somewhat. The per-day stats:

Day         Connections   different IPs
Sunday           18,441          +7,756
Monday           19,816          +6,230
Tuesday          19,491          +6,967
Wednesday        16,904          +5,805
Thursday         18,857          +6,084
Friday           22,209          +6,490
Saturday         23,438          +4,127

I suspect that a spammer started up a significant spam run on Friday, based partly on other evidence (like spam that has gotten through to me).

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
212.216.176.0/24       5646    283K
193.70.192.0/24        5094    230K
69.105.51.114          4623    216K
61.128.0.0/10          2728    137K
82.107.127.75          2111    116K
221.216.0.0/13         2090   99940
218.0.0.0/11           1991    101K
209.11.164.45          1764   86992
220.160.0.0/11         1599   81308
83.19.244.178          1580   94800

This is down overall from last week, mirroring the connection numbers. The top two /24 subnets are tin.it's and libero.it's (aka iol.it these days, apparently) outgoing mailer subnets; of the rest:

  • 69.105.51.114 keeps turning up like a bad penny, most recently the week before last. Despite that, I'm honestly not sure what we blocked it for this week. (For what it's worth, it's in bl.spamcop.net right now.)
  • 82.107.127.75 returns from last week.
  • 209.11.164.45 is part of Digital Impact, which we haven't talked to for years.
  • 83.19.244.178 seems to be a tpnet.pl 'dialup' customer machine; pass.

Connection time rejection stats:

  28919 total
  15451 dynamic IP
   8976 bad or no reverse DNS
   2973 class bl-cbl
    254 class bl-dsbl
    213 class bl-ordb
    142 class bl-sdul
    134 class bl-spews
    125 fairgamemail.us 209.124.72.0/24
    116 SKYLIST INC 69.56.0.0/18
     66 class bl-sbl
     38 class bl-njabl
     18 class bl-opm

Good old Skylist, still banging on the door despite not having had any success for weeks. I blocked the fairgamemail.us people by hand a while back, but they're also in the SBL as SBL39311; see also the fairgamemail.us ROKSO index and the fairgamemail.us ROKSO listing.
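The rejection stats above fall into three kinds of check: properties of the connecting IP itself (dynamic-looking address, bad or missing reverse DNS), DNSBL zones (the bl-cbl, bl-sbl and similar classes), and netblocks blocked by hand (fairgamemail.us, SKYLIST). The following is an added example, not the site's own code: it tallies constructed rejection log lines by reason and by distinct IP the way the table above does, builds the reversed-octet name a DNSBL lookup queries (without performing the network lookup), and checks whether an IP falls inside a hand-blocked netblock. The log line format and all function names are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of connection-time rejection log lines. The format
# (timestamp, "reject", client IP, reason text) is an assumption for this
# example and is not the mail server's real log format.
SAMPLE_LOG = """\
2006-03-25T10:01:02 reject 59.113.140.84 dynamic IP
2006-03-25T10:01:09 reject 218.210.168.102 bad or no reverse DNS
2006-03-25T10:02:11 reject 219.238.168.124 class bl-cbl
2006-03-25T10:02:40 reject 59.113.140.84 dynamic IP
2006-03-25T10:03:05 reject 209.124.72.10 fairgamemail.us 209.124.72.0/24
2006-03-25T10:03:30 reject 69.56.11.149 SKYLIST INC 69.56.0.0/18
2006-03-25T10:04:00 reject 218.210.168.102 bad or no reverse DNS
2006-03-25T10:04:15 reject 69.56.11.149 class bl-sbl
"""

LINE_RE = re.compile(r"^(\S+) reject (\d+\.\d+\.\d+\.\d+) (.+)$")


def parse_rejections(text):
    """Yield (client_ip, reason) pairs from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3)


def summarize(text):
    """Tally rejections per reason, most frequent first, and count the
    distinct client IPs behind each reason. Returns (total, rows) where
    each row is (count, reason, distinct_ips)."""
    counts = Counter()
    ips = defaultdict(set)
    for ip, reason in parse_rejections(text):
        counts[reason] += 1
        ips[reason].add(ip)
    total = sum(counts.values())
    rows = [(n, reason, len(ips[reason])) for reason, n in counts.most_common()]
    return total, rows


def dnsbl_query_name(ip, zone):
    """Build the DNS name a DNSBL check would resolve: the IPv4 octets in
    reverse order followed by the list's zone. A listed address answers
    with an A record (typically in 127.0.0.0/8); the lookup itself is
    deliberately not performed here so the example runs offline."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def in_block(ip, cidr):
    """True if the client IP falls inside a hand-blocked netblock."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(cidr)


if __name__ == "__main__":
    total, rows = summarize(SAMPLE_LOG)
    print(f"{total:>7} total")
    for n, reason, distinct in rows:
        print(f"{n:>7} {reason}  ({distinct} distinct IPs)")
    print(dnsbl_query_name("69.105.51.114", "bl.spamcop.net"))
    print(in_block("69.56.11.149", "69.56.0.0/18"))
```

Ties in the count are reported in first-seen order, so a reason that appeared earlier in the log sorts ahead of an equally common later one; the real summary above is presumably sorted the same way by count alone.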

This was a slow week for the top 30 most refused IP addresses, with only two over 100 rejections (59.113.140.84, at 106, and 218.210.168.102 at 104). Ten of the top 30 are currently in the CBL, three are currently in bl.spamcop.net, and two are in the SBL:

  • 69.56.11.149 is 'SilverCarrot' aka 'Recipe4Living' aka 'milesource-mail.com', listed in both SBL36447 and SBL39201. They're part of the SKYLIST 69.56.0.0/18 subnet that we already block, but now they have their own entry.
  • 219.238.168.124 is a random Chinese spam source (with no reverse DNS, why am I not surprised?) that is SBL39201.

Other numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs     714 (68)                     782 (85)
Bad bounces   108 (85)                     118 (101)

As you can see, this hardly budged from last week.

And finally the Hotmail numbers:

  • 5 messages accepted but unfortunately four of these were almost certainly spam, since they came from users like wins_lot06@sympatico.ca.
  • 4 messages rejected because they came from non-Hotmail email addresses.
  • 35 messages sent to our spamtraps.
  • 19 messages refused because their sender addresses had already hit our spamtraps.
  • No messages refused due to their origin IP address.

I am not enthused that Hotmail seems to be having a serious spam problem with sympatico.ca email addresses. Hopefully this is temporary. (Yes, I am an optimist.)

Update: I made a mistake when putting the numbers together; it turns out there were actually 11 messages refused due to their origin IP address. See HotmailStatsRevised for more details.
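The Hotmail figures above come from a handful of checks applied to mail arriving from Hotmail's servers: the origin IP, whether the sender address is one Hotmail actually hosts, whether the sender has previously hit a spamtrap, and whether the recipient is a spamtrap. The following is an added example, not the site's own code, that applies those checks to a constructed batch of messages and produces the same five tallies. The order in which the checks run, the message layout, the private 10.0.0.x origin addresses, the spamtrap address and the treatment of sympatico.ca as Hotmail-hosted (the numbers above show such messages being accepted) are all assumptions of this example.

```python
from collections import Counter

# Constructed sample of messages from Hotmail's outbound servers:
# (origin_ip, envelope sender, recipient). Addresses are made up.
SAMPLE_MESSAGES = [
    ("10.0.0.1", "alice@hotmail.com", "user@example.com"),
    ("10.0.0.1", "wins_lot06@sympatico.ca", "user@example.com"),
    ("10.0.0.2", "bob@hotmail.com", "trap1@example.com"),
    ("10.0.0.2", "bob@hotmail.com", "user@example.com"),
    ("10.0.0.9", "carol@hotmail.com", "user@example.com"),
    ("10.0.0.3", "dave@gmail.com", "user@example.com"),
]

# Assumed policy data: origin IPs refused outright, local spamtrap
# addresses, and the sender domains accepted as Hotmail-hosted.
BLOCKED_ORIGIN_IPS = {"10.0.0.9"}
SPAMTRAPS = {"trap1@example.com"}
HOTMAIL_DOMAINS = {"hotmail.com", "msn.com", "sympatico.ca"}


def classify(messages, blocked_ips=BLOCKED_ORIGIN_IPS, spamtraps=SPAMTRAPS):
    """Run the assumed checks in order over a batch of messages and return
    a Counter keyed by outcome. Senders that deliver to a spamtrap are
    remembered so that their later mail to real recipients is refused."""
    seen_trap_senders = set()
    tally = Counter()
    for origin_ip, sender, recipient in messages:
        domain = sender.rpartition("@")[2].lower()
        if origin_ip in blocked_ips:
            tally["refused: origin IP"] += 1
        elif domain not in HOTMAIL_DOMAINS:
            tally["rejected: non-Hotmail sender"] += 1
        elif sender in seen_trap_senders:
            tally["refused: sender already hit spamtrap"] += 1
        elif recipient in spamtraps:
            seen_trap_senders.add(sender)
            tally["sent to spamtrap"] += 1
        else:
            tally["accepted"] += 1
    return tally


if __name__ == "__main__":
    for outcome, n in classify(SAMPLE_MESSAGES).items():
        print(f"{n:>3} {outcome}")
```

Because the spamtrap memory is built up as the batch is processed, a sender's first spamtrap hit is counted under "sent to spamtrap" and only subsequent mail from that sender is refused, which is why the two tallies are reported separately above.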

Written on 26 March 2006.

Last modified: Sun Mar 26 03:13:48 2006