Weekly spam summary on May 27th, 2006

May 28, 2006

This week, we:

  • got 11,513 messages from 227 different IP addresses.
  • handled 18,277 sessions from 912 different IP addresses.
  • received 133,583 connections from at least 42,540 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

This is about the same as last week. Tuesday, Wednesday, and Thursday were the busiest days this week for connections; I suppose that's not too surprising. (Interestingly, email received peaked on Tuesday but connections peaked on Wednesday.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
218.254.83.47          9190    441K
66.58.176.187          8320    423K
199.239.233.177        8173    403K
204.202.2.104          7246    357K
198.66.222.140         5729    283K
216.59.145.150         4480    215K
61.128.0.0/10          4443    221K
213.180.130.36         4321    259K
198.187.200.0/24       3905    234K
195.34.32.101          3768    241K

Overall this is significantly up from last week, although the leader is lower this time around; maybe they've finally given up hammering on us after several weeks.

  • 218.254.83.47 and 66.58.176.187 return from last week; the former is now on the CBL, among other places.
  • 199.239.233.177, 204.202.2.104, and 198.66.222.140 all tried to shovel phish spam at us to an extent that we blocked them. Since all of them used the same MAIL FROM of 'administrative@desjardins.com', they may all be exploited by the same spammer.
  • 216.59.145.150 is in NJABL.
  • 213.180.130.36 is a poczta.onet.pl mail sending machine; we have blocked all of poczta.onet.pl here due to advance fee fraud spam email.
  • 195.34.32.101 is in SPEWS as part of a Rostelecom listing.

Connection time rejection stats:

  37733 total
  17223 bad or no reverse DNS
  15812 dynamic IP
   2497 class bl-cbl
    560 class bl-njabl
    493 class bl-dsbl
    235 class bl-sdul
    146 class bl-spews
     79 class bl-ordb
     72 class bl-sbl

Fourteen out of the top 30 most rejected IP addresses were rejected more than 100 times; the champion is of course 218.254.83.47 (622 times before it wound up back in the kernel IP filters), with 218.62.89.61 next (265 times, for not having any reverse DNS and being in a pile of DNSBLs). 19 of the top 30 are currently in the CBL, and seven are currently in bl.spamcop.net.
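The rejection breakdown above (a total, a count per reason, and a list of the most frequently rejected IPs) is the kind of tally a small script produces from the mail server's connection log. The following is an added example, not the blog's own tooling: it parses a few constructed log lines in an assumed format, groups the per-connection reasons into the same categories the summary uses (reverse DNS problems, dynamic IP, DNSBL class), and reports counts, distinct IPs, and repeat offenders.

```python
"""Tally connection-time SMTP rejections from log lines (added example)."""
from collections import Counter, defaultdict
import re

# Constructed sample log lines; the format "<date> <time> <verdict> <ip> <reason>"
# is an assumption for this example, not the blog's actual log format.
SAMPLE_LOG = """\
2006-05-27 00:01:02 reject 218.254.83.47 bad-reverse-dns
2006-05-27 00:01:05 reject 218.254.83.47 class bl-cbl
2006-05-27 00:02:11 reject 218.62.89.61 no-reverse-dns
2006-05-27 00:02:30 reject 10.1.2.3 dynamic-ip
2006-05-27 00:03:00 accept 192.0.2.10 -
2006-05-27 00:03:40 reject 218.62.89.61 class bl-njabl
2006-05-27 00:04:00 reject 218.254.83.47 bad-reverse-dns
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<verdict>accept|reject) (?P<ip>\S+) (?P<reason>.+)$"
)


def categorize(reason):
    """Map a raw rejection reason onto the summary's reporting categories."""
    if reason in ("bad-reverse-dns", "no-reverse-dns"):
        return "bad or no reverse DNS"
    if reason == "dynamic-ip":
        return "dynamic IP"
    if reason.startswith("class bl-"):
        return reason  # DNSBL classes are reported individually
    return "other"


def parse_rejections(text):
    """Yield (ip, category) for each rejected connection; skip unparseable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("verdict") != "reject":
            continue
        yield m.group("ip"), categorize(m.group("reason"))


def summarize(text):
    """Return totals, per-category counts, per-IP counts and distinct IPs per category."""
    by_category = Counter()
    by_ip = Counter()
    ips_by_category = defaultdict(set)
    for ip, category in parse_rejections(text):
        by_category[category] += 1
        by_ip[ip] += 1
        ips_by_category[category].add(ip)
    return {
        "total": sum(by_category.values()),
        "by_category": by_category,
        "by_ip": by_ip,
        "distinct_ips": len(by_ip),
        "ips_by_category": {k: sorted(v) for k, v in ips_by_category.items()},
    }


def repeat_offenders(summary, threshold):
    """IPs rejected at least `threshold` times, most frequent first."""
    return [ip for ip, n in summary["by_ip"].most_common() if n >= threshold]


def format_report(summary):
    """Render the counts in the right-aligned style the weekly summary uses."""
    lines = ["%7d total" % summary["total"]]
    for category, n in summary["by_category"].most_common():
        lines.append("%7d %s" % (n, category))
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(format_report(s))
    print("distinct IPs:", s["distinct_ips"])
    print("rejected 2+ times:", repeat_offenders(s, 2))
```

Run as-is it prints the category table for the constructed lines; point `summarize` at real log text in the same assumed format to get the weekly counts. The malformed line is skipped rather than aborting the run, which matters when tallying a week of logs that may contain truncated entries.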

Hotmail has probably improved compared to last week; the numbers are:

  • 2 messages accepted.
  • 3 messages rejected because they came from non-Hotmail email addresses.
  • 5 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address being in the CBL.

This is less overall spam than last week, but a more diverse set of reasons for it being rejected.

And the last set of numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      462 (64)                     597 (48)
Bad bounces    18 (16)                      30 (26)

Unlike last week, there's nothing from btconnect.com; either they've stopped mailing us for now or they've fixed the problem (I know which option I'm betting on).

The most frequent target of bad bounces was the 38-digit hex string from before, at 5 bounces (all from Demon Internet machines). Apart from that it was almost all to usernames here that used to exist, apart from one to costauvqaagmlp and one to d45hvwejzd.

Written on 28 May 2006.