Weekly spam summary on May 6th, 2006
This week, we:
- got 11,443 messages from 213 different IP addresses.
- handled 15,802 sessions from 820 different IP addresses.
- received 219,841 connections from at least 43,156 different IP addresses.
- hit a highwater of 50 connections being checked at once, reaching it Monday.
Connection volume is up significantly from the extrapolated levels of last week. All of this is despite us being down for about half of Sunday, due to a drive failure and needing to fix it. The per day table is very interesting, though:
You can see the Sunday effects, and I have nothing to say about this Saturday except AIEEE. I rather suspect that there is a major spam storm going on at the moment.
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
184.108.40.206          6045    290K
220.127.116.11/24       5433    268K
18.104.22.168           4274    205K
22.214.171.124          3284    158K
126.96.36.199/10        2748    136K
188.8.131.52/11         2392    124K
184.108.40.206          2241    108K
220.127.116.11          2193    105K
18.104.22.168           2166    110K
22.214.171.124/11       2045    104K
It's pretty much the week of DNS blocklists:
- 126.96.36.199 is a Hong Kong IP address with bad reverse DNS.
- 188.8.131.52 is in the DSBL.
- 184.108.40.206 and 220.127.116.11 are in the ORDB.
- 18.104.22.168 is in NJABL.
- 22.214.171.124 kept hammering on us after attempting delivery to a spamtrap; I suspect it's phish spam from the
(The usual difference is that advance fee fraud spam exploits badly administered webmail systems and so has addresses that look like individual user names, whereas phish spam exploits insecure web servers and thus has MAIL FROM addresses with test, and so on.)
Connection time rejection stats:
41638 total
19232 dynamic IP
18044 bad or no reverse DNS
 2279 class bl-cbl
  481 class bl-njabl
  409 class bl-ordb
  255 class bl-spews
  167 class bl-dsbl
   48 class bl-sdul
   28 class bl-sbl
    3 class bl-opm
In completely unsurprising news (given the spam storm), 24 of the top 30 most rejected IP addresses were rejected more than 100 times; the champion was 126.96.36.199 with 259 rejected connections. 23 of the top 30 are currently in the CBL and 13 of them are currently in
The Hotmail numbers are at pretty much an all-time low, although they still collect one black eye:
- No messages accepted.
- No messages rejected because they came from non-Hotmail email addresses.
- 3 messages sent to our spamtraps.
- No messages refused because their sender addresses had already hit our spamtraps.
- 1 message refused due to its origin IP address being in SBL17935, listed since January 17th, 2006.
Of course Hotmail is still batting zero since no real Hotmail people actually sent us email this week, but at least they're not swinging very much.
And the final set of numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
On the bad HELOs front, the most active source was 188.8.131.52, with 100 tries; the next was 184.108.40.206 with only 57. The bad bounces number is completely surprising; at this level, I can actually look at each session. While some of the bounces are to completely bogus user names, some are to what are now spamtrap addresses here. I don't know what this means; have spammers started mining their target lists
The user name patterns for the bad bounces:
- last week saw 4 each to noreply, 11 more between four spamtraps, then one each to a mix of spamtraps, random sequences like c301ymxlp, and some entirely numeric user names like
- this week saw 2 to costauvqaagmlp, 4 to spamtraps, one to entranceway, and one to the 38-character hex sequence
Conclusion: spammers are strange.