Weekly spam summary on June 17th, 2006
This week, we:
- got 12,612 messages from 249 different IP addresses.
- handled 17,714 sessions from 803 different IP addresses.
- received 245,591 connections from at least 48,624 different IP addresses.
- hit a highwater of 8 connections being checked at once.
Connection volume is up substantially from last week, although nothing else seems to be up much (especially the highwater). The per day table:
In other words, we did about half this week's connection volume today. That would be yet another spam storm in progress.
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
188.8.131.52         18790     927K
184.108.40.206       13568     669K
220.127.116.11       12171     619K
18.104.22.168        11162     551K
22.214.171.124       7360      363K
126.96.36.199        6693      330K
188.8.131.52/10      6003      303K
184.108.40.206/11    4885      242K
220.127.116.11       4765      286K
18.104.22.168        4667      230K
This is well up from last week, especially at the quite aggressive top end; it's been quite a while since we had a week with that many IP addresses sending us over 10,000 fruitless packets.
- 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, and 220.127.116.11 were all sources of phish spam that hit our spamtraps (I can tell from the MAIL FROM addresses). (Two actually made our lists back in May.)
- 18.104.22.168 hit our spamtraps and kept on sending madly, but I'm not sure whether it was phish spam or regular spam.
- 22.214.171.124 reappears from last week, still with bad reverse DNS.
- 126.96.36.199 is a Chilean IP address with bad reverse DNS, probably part of vtr.net.
Clearly this is the week of phish spam. Somewhat to my surprise the prolific sending boxes are not Windows machines; they all seem to be running Sendmail or Postfix, likely on Unix. I'm disappointed that so many Unix boxes seem to be getting hijacked by the phish spammers. (All of these machines got rejected with MAIL FROMs that were clearly set by the spammers to look more authentic, so I don't think this is just the usual case of a 'send mail to people' CGI-BIN getting abused.)
Connection time rejection stats:
46264 total
21356 bad or no reverse DNS
21158 dynamic IP
 2284 class bl-cbl
  255 class bl-dsbl
  203 class bl-sdul
   67 class bl-njabl
   44 class bl-spews
   31 class bl-ordb
   29 class bl-sbl
The usual suspects are up substantially from last week. This week was also the week of really aggressive connection attempts; three IP addresses were rejected more than a thousand times. The top five are:
1713 188.8.131.52
1162 184.108.40.206
1161 220.127.116.11
 433 18.104.22.168
 172 22.214.171.124
Of the 30 most rejected IP addresses, 29 were rejected more than 100 times. 25 are currently in the CBL, 14 are currently in bl.spamcop.net, and 126.96.36.199 is in SBL42856 as being under the control of the ROKSO-listed Mailtrain (it's also in the CBL, so it's probably a compromised machine).
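The rejection tally by class, the most-rejected-IP list and the "highwater" count of simultaneous checks are all simple aggregations over the front end's connection log. As an added example (not the post's own tooling), this Python script computes those three figures from a constructed log whose format is an assumption made for the demonstration:

```python
# Added example, not code from the original post. Assumed constructed log format:
# "<epoch> <event> <ip> [reject-class]"; 'connect' opens a check, 'reject'/'accept' closes it.
from collections import Counter

SAMPLE_LOG = """\
1150502400 connect 192.0.2.10
1150502401 reject 192.0.2.10 bad-or-no-reverse-dns
1150502402 connect 192.0.2.11
1150502402 connect 192.0.2.12
1150502403 connect 192.0.2.10
1150502403 reject 192.0.2.11 dynamic-ip
1150502404 reject 192.0.2.12 bl-cbl
1150502404 reject 192.0.2.10 bad-or-no-reverse-dns
1150502405 connect 198.51.100.5
1150502406 accept 198.51.100.5
"""

def parse_log(text):
    """Return (event, ip, reject_class) tuples; reject_class is None unless rejected."""
    records = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        _ts, event, ip = parts[:3]
        records.append((event, ip, parts[3] if event == "reject" and len(parts) > 3 else None))
    return records

def rejection_summary(records):
    """Count rejections in total, per class and per source IP, as in the weekly stats."""
    by_class, by_ip = Counter(), Counter()
    for event, ip, reason in records:
        if event == "reject":
            by_class[reason] += 1
            by_ip[ip] += 1
    return {"total": sum(by_ip.values()), "by_class": by_class, "by_ip": by_ip}

def top_rejected(records, n=5):
    """The n most-rejected IPs as (count, ip) pairs, like the 'top five' list."""
    return [(c, ip) for ip, c in rejection_summary(records)["by_ip"].most_common(n)]

def highwater(records):
    """Peak number of connections being checked at once (the 'highwater' figure)."""
    active = peak = 0
    for event, _ip, _reason in records:
        if event == "connect":
            active += 1
            peak = max(peak, active)
        elif event in ("reject", "accept"):
            active = max(active - 1, 0)  # tolerate a close without a matching connect
    return peak
```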
Hotmail's numbers for this week:
- 2 messages accepted.
- 4 messages rejected because they came from non-Hotmail email addresses (all from other Hotmail properties).
- 10 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 1 message refused due to its origin IP address being in the SBL (188.8.131.52, in two SBL listings: SBL31791 and SBL35001, both of which date from late 2005, both of which are listed for advance fee fraud spam sent through Hotmail).
These numbers are a disappointment, although they're not catastrophic. I am particularly irked by Hotmail's willingness to continue to accept email from places that have spammed through it before.
And the final set of numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs)
We had two bounces to the 38-character hex string from before, but also another bounce to a new 38-character string, 8B407639D45C5742ADD3987F7E013C41288C3A (which I am about to become the only Google hit for, just like with the other one). The most prolific bad bounce destination this week was
by a bunch of old usernames, some garbage alphanumeric sequences, and
one bounce to an all-digit username.