Weekly spam summary on June 24th, 2006
This week, we:
- got 13,681 messages from 253 different IP addresses.
- handled 18,870 sessions from 835 different IP addresses.
- received 303,478 connections from at least 47,309 different IP addresses.
- hit a highwater of 7 connections being checked at once.
Connection volume is majorly up from last week; other numbers are up slightly, except the highwater (which is down). The per day table:
The spam storm from last Saturday evidently continued through Sunday and Monday, although apparently not from all that many IP addresses.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 184.108.40.206 11580 571K 220.127.116.11 8647 427K 18.104.22.168 8280 408K 22.214.171.124/10 5559 277K 126.96.36.199/11 5172 257K 188.8.131.52/24 4954 249K 184.108.40.206 4556 225K 220.127.116.11 4259 199K 18.104.22.168/11 3687 182K 22.214.171.124/12 2823 140K
This is down from the levels of last week, especially at the top of the table.
- 126.96.36.199, 188.8.131.52, 184.108.40.206, and 220.127.116.11 all reappear from last week, and again got blocked for keeping trying to send us stuff that had already hit our spamtraps.
- 18.104.22.168 is an Ameritech ADSL customer who appears to be running
a Microsoft mailer with an internal hostname that wouldn't have gotten
HELOname checks anyways.
Connection time rejection stats:
34428 total 16667 bad or no reverse DNS 14647 dynamic IP 1785 class bl-cbl 162 class bl-dsbl 147 class bl-spews 135 class bl-sbl 124 class bl-njabl 70 class bl-sdul 36 class bl-ordb
Given the connection volume jump this week, it's surprising that all of these stats are lower than last week. I can only guess that a lot of IP addresses didn't make it through our greylisting or something.
Twelve of the top 30 most rejected IP addresses were rejected more
than 100 times, but only one (22.214.171.124, at 1210 rejections)
hit the heights of activity seen last week. 22 are currently
in the CBL, 7 are currently in
bl.spamcop.net, and one is in the
Of course the one listing is 126.96.36.199, part of SBL39408, which is a /15 listing for a major Vietnamese network area that is apparently full of spam sources and has been listed since April 10th. (It came up here back in May.)
Out of curiosity I looked at the most 'popular' SBL listings:
|rejections||SBL listing||since when||why|
|74||SBL38558||02-Mar-2006||datanetmedia.com / prospermedia.com (QWest)|
|25||SBL42599||28-May-2006||random spammer in HE.NET|
|9||SBL41338||04-May-2006||Russian spam source (okclub.org)|
|6||SBL43251||10-Jun-2006||spam haven in HE.NET|
I have to say that this doesn't look too good for HE.NET. Or QWest. It's kind of sad that some of our most active SBL-rejected spam sources are in the United States, connected by major ISPs.
Hotmail is looking better this week:
- no messages accepted.
- 1 message rejected because it came from a non-Hotmail email address.
- 7 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- no messages refused due to their origin IP address
And the closing numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The most prolific source of bad
HELO names this week was 188.8.131.52
(claiming to be 'maplehill.MHCM.local'), which failed to take the hint
139 times; unfortunately this is common behavior for the Microsoft
mailer that it seems to run.
We saw bad bounces to both 38-character hex strings from before, as well as to the usual suspects: plausible real users (including 'webmaster' and 'noreply'), a random alphanumeric string, and three all-numeric usernames.