Weekly spam summary on June 17th, 2006
This week, we:
- got 12,612 messages from 249 different IP addresses.
- handled 17,714 sessions from 803 different IP addresses.
- received 245,591 connections from at least 48,624 different IP addresses.
- hit a highwater of 8 connections being checked at once.
Connection volume is up substantially from last week, although nothing else seems to be up much (especially the highwater). The per day table:
In other words, we did about half this week's connection volume today. That would be yet another spam storm in progress.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 126.96.36.199 18790 927K 188.8.131.52 13568 669K 184.108.40.206 12171 619K 220.127.116.11 11162 551K 18.104.22.168 7360 363K 22.214.171.124 6693 330K 126.96.36.199/10 6003 303K 188.8.131.52/11 4885 242K 184.108.40.206 4765 286K 220.127.116.11 4667 230K
This is well up from last week, especially at the quite aggressive top end; it's been quite a while since we had a week with that many IP addresses sending us over 10,000 fruitless packets.
- 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, and
184.108.40.206 were all sources of phish spam that hit our spamtraps
(I can tell from the
MAIL FROMaddresses). (Two actually made our lists back in May.)
- 220.127.116.11 hit our spamtraps and kept on sending madly, but I'm not sure whether it was phish spam or regular spam.
- 18.104.22.168 reappears from last week, still with bad reverse DNS.
- 22.214.171.124 is a Chilean IP address with bad reverse DNS, probably part of vtr.net.
Clearly this is the week of phish spam. Somewhat to my surprise the
prolific sending boxes are not Windows machines; they all seem to be
running Sendmail or Postfix, likely on Unix. I'm disappointed that so
many Unix boxes seem to be getting hijacked by the phish spammers. (All
of these machines got rejected with
MAIL FROMs that were clearly set
by the spammers to look more authentic, so I don't think this is just
the usual case of a 'send mail to people' CGI-BIN getting abused.)
Connection time rejection stats:
46264 total 21356 bad or no reverse DNS 21158 dynamic IP 2284 class bl-cbl 255 class bl-dsbl 203 class bl-sdul 67 class bl-njabl 44 class bl-spews 31 class bl-ordb 29 class bl-sbl
The usual suspects are up substantially from last week. This week was also the week of really aggressive connection attempts; three IP addresses were rejected more than a thousand times. The top five are:
1713 126.96.36.199 1162 188.8.131.52 1161 184.108.40.206 433 220.127.116.11 172 18.104.22.168
Of the 30 most rejected IP addresses, 29 were rejected more than
100 times. 25 are currently in the CBL, 14 are currently in
bl.spamcop.net, and 22.214.171.124 is in SBL42856 as
being under the control of the ROKSO-listed Mailtrain
(it's also in the CBL, so it's probably a compromised machine).
Hotmail's numbers for this week:
- 2 messages accepted.
- 4 messages rejected because they came from non-Hotmail email addresses (all from other Hotmail properties).
- 10 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 1 message refused due to its origin IP address being in the SBL (126.96.36.199, in two SBL listings: SBL31791 and SBL35001, both of which date from late 2005, both of which are listed for advance fee fraud spam sent through Hotmail).
These numbers are a disappointment, although they're not catastrophic. I am particularly irked by Hotmail's willingness to continue to accept email from places that have spammed through it before.
And the final set of numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
We had two bounces to the 38-character hex string from before, but also another bounce to a new 38-character
8B407639D45C5742ADD3987F7E013C41288C3A (which I am about
to become the only Google hit for, just like with the other one). The
most prolific bad bounce destination this week was
by a bunch of old usernames, some garbage alphanumeric sequences, and
one bounce to an all-digit username.