Weekly spam summary on June 17th, 2006

June 18, 2006

This week, we:

  • got 12,612 messages from 249 different IP addresses.
  • handled 17,714 sessions from 803 different IP addresses.
  • received 245,591 connections from at least 48,624 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

Connection volume is up substantially from last week, although nothing else seems to be up much (especially the highwater). The per day table:

Day         Connections   Different IPs
Sunday           19,554          +9,196
Monday           17,987          +7,349
Tuesday          19,967          +6,725
Wednesday        19,737          +6,848
Thursday         23,173          +7,102
Friday           21,914          +6,399
Saturday        123,259          +5,005

In other words, we did about half this week's connection volume today. That would be yet another spam storm in progress.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
204.202.15.180        18790    927K
199.239.233.177       13568    669K
220.229.62.220        12171    619K
198.66.222.14         11162    551K
204.202.9.161          7360    363K
198.66.222.20          6693    330K
61.128.0.0/10          6003    303K
218.0.0.0/11           4885    242K
200.83.2.213           4765    286K
155.212.2.42           4667    230K

This is well up from last week, especially at the quite aggressive top end; it's been quite a while since we had a week with that many IP addresses sending us over 10,000 fruitless packets.

  • 204.202.15.180, 199.239.233.177, 204.202.9.161, 198.66.222.14, and 198.66.222.20 were all sources of phish spam that hit our spamtraps (I can tell from the MAIL FROM addresses). (Two actually made our lists back in May.)
  • 155.212.2.42 hit our spamtraps and kept on sending madly, but I'm not sure whether it was phish spam or regular spam.
  • 220.229.62.220 reappears from last week, still with bad reverse DNS.
  • 200.83.2.213 is a Chilean IP address with bad reverse DNS, probably part of vtr.net.

Clearly this is the week of phish spam. Somewhat to my surprise the prolific sending boxes are not Windows machines; they all seem to be running Sendmail or Postfix, likely on Unix. I'm disappointed that so many Unix boxes seem to be getting hijacked by the phish spammers. (All of these machines got rejected with MAIL FROMs that were clearly set by the spammers to look more authentic, so I don't think this is just the usual case of a 'send mail to people' CGI-BIN getting abused.)

Connection time rejection stats:

  46264 total
  21356 bad or no reverse DNS
  21158 dynamic IP
   2284 class bl-cbl
    255 class bl-dsbl
    203 class bl-sdul
     67 class bl-njabl
     44 class bl-spews
     31 class bl-ordb
     29 class bl-sbl

The usual suspects are up substantially from last week. This week was also the week of really aggressive connection attempts; three IP addresses were rejected more than a thousand times. The top five are:

   1713 200.83.2.213
   1162 218.254.83.47
   1161 218.254.82.97
    433 211.144.69.247
    172 61.247.78.210

Of the 30 most rejected IP addresses, 29 were rejected more than 100 times. 25 are currently in the CBL, 14 are currently in bl.spamcop.net, and 211.144.69.247 is in SBL42856 as being under the control of the ROKSO-listed Mailtrain (it's also in the CBL, so it's probably a compromised machine).

Hotmail's numbers for this week:

  • 2 messages accepted.
  • 4 messages rejected because they came from non-Hotmail email addresses (all from other Hotmail properties).
  • 10 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in the SBL (196.3.62.3, in two SBL listings: SBL31791 and SBL35001, both of which date from late 2005, both of which are listed for advance fee fraud spam sent through Hotmail).

These numbers are a disappointment, although they're not catastrophic. I am particularly irked by Hotmail's willingness to continue to accept email from places that have spammed through it before.

And the final set of numbers:

What           This week (distinct IPs)   Last week (distinct IPs)
Bad HELOs      375 (54)                   727 (47)
Bad bounces     25 (13)                    34 (18)

We had two bounces to the 38-character hex string from before, but also another bounce to a new 38-character hex string, 8B407639D45C5742ADD3987F7E013C41288C3A (which I am about to become the only Google hit for, just like with the other one). The most prolific bad bounce destination this week was noreply, followed by a bunch of old usernames, some garbage alphanumeric sequences, and one bounce to an all-digit username.

Written on 18 June 2006.
Last modified: Sun Jun 18 02:58:48 2006