Weekly spam summary on June 24th, 2006

June 25, 2006

This week, we:

  • got 13,681 messages from 253 different IP addresses.
  • handled 18,870 sessions from 835 different IP addresses.
  • received 303,478 connections from at least 47,309 different IP addresses.
  • hit a highwater of 7 connections being checked at once.

Connection volume is up sharply from last week; the other numbers are up slightly, except the highwater (which is down). The per-day table:

Day         Connections   Different IPs
Sunday           63,522          +7,971
Monday          143,435          +6,640
Tuesday          21,068          +6,387
Wednesday        21,889          +7,733
Thursday         21,137          +6,998
Friday           17,960          +6,695
Saturday         14,467          +4,885

The spam storm from last Saturday evidently continued through Sunday and Monday, although apparently not from all that many IP addresses.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
204.202.15.180        11580    571K
199.239.233.177        8647    427K
198.66.222.20          8280    408K
61.128.0.0/10          5559    277K
218.0.0.0/11           5172    257K
212.216.176.0/24       4954    249K
204.202.9.161          4556    225K
70.229.186.3           4259    199K
220.160.0.0/11         3687    182K
219.128.0.0/12         2823    140K

This is down from the levels of last week, especially at the top of the table.

  • 204.202.15.180, 199.239.233.177, 198.66.222.20, and 204.202.9.161 all reappear from last week, and were again blocked for persistently trying to send us stuff that had already hit our spamtraps.
  • 70.229.186.3 is an Ameritech ADSL customer who appears to be running a Microsoft mailer with an internal hostname that wouldn't have gotten past our HELO name checks anyway.

Connection time rejection stats:

  34428 total
  16667 bad or no reverse DNS
  14647 dynamic IP
   1785 class bl-cbl
    162 class bl-dsbl
    147 class bl-spews
    135 class bl-sbl
    124 class bl-njabl
     70 class bl-sdul
     36 class bl-ordb

Given the connection volume jump this week, it's surprising that all of these stats are lower than last week. I can only guess that a lot of IP addresses didn't make it through our greylisting or something.

Twelve of the top 30 most rejected IP addresses were rejected more than 100 times, but only one (218.254.82.97, at 1210 rejections) hit the heights of activity seen last week. 22 are currently in the CBL, 7 are currently in bl.spamcop.net, and one is in the SBL.

Of course the one listing is 222.252.173.9, part of SBL39408, which is a /15 listing for a major Vietnamese network area that is apparently full of spam sources and has been listed since April 10th. (It came up here back in May.)

Out of curiosity I looked at the most 'popular' SBL listings:

Rejections   SBL listing   Listed since   Why
        74   SBL38558      02-Mar-2006    datanetmedia.com / prospermedia.com (QWest)
        25   SBL42599      28-May-2006    random spammer in HE.NET
         9   SBL41338      04-May-2006    Russian spam source (okclub.org)
         9   SBL41015      27-Apr-2006    phish source
         6   SBL43251      10-Jun-2006    spam haven in HE.NET

I have to say that this doesn't look too good for HE.NET. Or QWest. It's kind of sad that some of our most active SBL-rejected spam sources are in the United States, connected by major ISPs.

Hotmail is looking better this week:

  • no messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address.
  • 7 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • no messages refused due to their origin IP address.

And the closing numbers:

What            # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs       420 (48)                     375 (54)
Bad bounces      18 (17)                      25 (13)

The most prolific source of bad HELO names this week was 68.88.211.161 (claiming to be 'maplehill.MHCM.local'), which failed to take the hint 139 times; unfortunately this is common behavior for the Microsoft mailer that it seems to run.
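The post does not spell out what its HELO name checks actually test, so the following is an added example of the kind of HELO/EHLO sanity check that would reject names like 'maplehill.MHCM.local' (and the 'internal hostname' from the 70.229.186.3 entry above). It is not the author's code; the rule set, the hypothetical names in OUR_NAMES and OUR_IPS, and the sample records are all assumptions or constructed for illustration. The one real detail taken from the post is the 68.88.211.161 / maplehill.MHCM.local pair.

```python
import ipaddress
import re

# One DNS label (RFC 1035 / RFC 5321 syntax): letters, digits and hyphens,
# no leading or trailing hyphen, at most 63 characters. Underscores fail,
# which catches many Windows workgroup names.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Suffixes that can never name a publicly reachable mail host (assumed list).
PRIVATE_SUFFIXES = (".local", ".localdomain", ".lan", ".internal", ".home")

# Hypothetical identity of the receiving server; a remote peer claiming
# to be us in HELO is lying (assumption for the example).
OUR_NAMES = {"mail.example.org", "example.org"}
OUR_IPS = {"192.0.2.25"}


def check_helo(helo: str, peer_ip: str) -> tuple:
    """Return (accepted, reason) for the HELO/EHLO argument sent by peer_ip."""
    if not helo:
        return False, "empty HELO"

    # RFC 5321 allows an address literal "[1.2.3.4]" or "[IPv6:...]",
    # but it must be the address the peer is actually connecting from.
    if helo.startswith("[") and helo.endswith("]"):
        lit = helo[1:-1]
        if lit.lower().startswith("ipv6:"):
            lit = lit[5:]
        try:
            addr = ipaddress.ip_address(lit)
        except ValueError:
            return False, "malformed address literal"
        if str(addr) in OUR_IPS:
            return False, "claims our own IP"
        if str(addr) != str(ipaddress.ip_address(peer_ip)):
            return False, "address literal does not match peer IP"
        return True, "address literal matches peer"

    # A bare IP without brackets is not a valid HELO argument at all.
    try:
        ipaddress.ip_address(helo)
        return False, "bare IP address without brackets"
    except ValueError:
        pass

    name = helo.lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2:
        return False, "not a fully qualified name"
    if any(not _LABEL.match(label) for label in labels):
        return False, "invalid hostname syntax"
    if name.endswith(PRIVATE_SUFFIXES):
        return False, "internal-only domain suffix"
    if name in OUR_NAMES:
        return False, "claims to be us"
    return True, "ok"


def bad_helo_summary(records):
    """Count rejected HELOs and the distinct peer IPs that sent them.

    records: iterable of (peer_ip, helo) pairs, e.g. parsed from an SMTP log.
    Returns (rejections, distinct_ips), the shape of the 'Bad HELOs' row.
    """
    bad_ips = [ip for ip, helo in records if not check_helo(helo, ip)[0]]
    return len(bad_ips), len(set(bad_ips))


# Constructed sample log; only the first pair comes from the post itself.
SAMPLE = [
    ("68.88.211.161", "maplehill.MHCM.local"),
    ("68.88.211.161", "maplehill.MHCM.local"),
    ("203.0.113.5", "mail.example.com"),
    ("198.51.100.7", "198.51.100.7"),
    ("198.51.100.7", "[198.51.100.7]"),
]

if __name__ == "__main__":
    for ip, helo in SAMPLE:
        print(ip, repr(helo), check_helo(helo, ip))
    print(bad_helo_summary(SAMPLE))
```

The order of the tests matters: address literals are handled before the hostname rules so that a legitimate "[a.b.c.d]" is not misread as a name with bad syntax, and the bare-IP check comes before the label check so the reason reported is the useful one. A real deployment would also want to rate-limit or temporarily block peers that, like 68.88.211.161 above, keep retrying with the same rejected name.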

We saw bad bounces to both of the 38-character hex strings seen before, as well as to the usual suspects: plausible real users (including 'webmaster' and 'noreply'), a random alphanumeric string, and three all-numeric usernames.

Written on 25 June 2006.
Last modified: Sun Jun 25 01:19:10 2006