Weekly spam summary on July 1st, 2006
This week, we:
- got 14,343 messages from 220 different IP addresses.
- handled 18,078 sessions from 864 different IP addresses.
- received 140,437 connections from at least 48,849 different IP addresses.
- hit a highwater of 50 connections being checked at once (hit on Tuesday).
Unlike last week, we don't seem to have been hit with any particular spam fireworks for this Canada Day; volume is down, although not quite reaching what I consider an ordinary baseline these days. Per day:
| Day | Connections | Different IPs |
|---|---|---|
| Sunday | 20,286 | +8,834 |
| Monday | 26,389 | +9,037 |
| Tuesday | 26,853 | +9,416 |
| Wednesday | 17,032 | +5,459 |
| Thursday | 20,850 | +6,415 |
| Friday | 17,985 | +6,091 |
| Saturday | 11,042 | +3,597 |
People clearly poked us more than usual on Monday and Tuesday.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
|---|---|---|
| 204.202.15.55 | 38386 | 1894K |
| 204.202.252.105 | 12076 | 596K |
| 213.4.149.12 | 9045 | 470K |
| 218.0.0.0/11 | 7052 | 349K |
| 218.254.82.97 | 6696 | 321K |
| 204.202.22.191 | 6303 | 311K |
| 61.128.0.0/10 | 6228 | 315K |
| 212.216.176.0/24 | 5260 | 268K |
| 199.239.233.177 | 4972 | 245K |
| 220.160.0.0/11 | 4250 | 215K |
I believe we have a new champion for persistence here, and things are overall up from last week.
- 204.202.15.55, 204.202.252.105, and 204.202.22.191 tried to send us phish spam. Evidently a lot of phish spam.
- 199.239.233.177 returns from last week, still shoveling the phish spam at us.
- 213.4.149.12 is a terra.es machine with a bad HELO name. terra.es used to make these summaries on a regular basis (most recently here), but hasn't popped up in a while.
- 218.254.82.97 returns from last week, still a hkcable.com.hk cablemodem.
Given this pattern, I have to wonder if some phish spammer is doing a mass scan of 204.202/16 looking for vulnerable systems to exploit. All three machines appear to be running 'Sendmail 8.13.6.20060614/8.13.1' on FreeBSD/i386 (and all three have telnet open).
Connection time rejection stats:
- 42233 total
- 19515 bad or no reverse DNS
- 18590 dynamic IP
- 2549 class bl-cbl
- 170 class bl-sdul
- 153 class bl-dsbl
- 101 class bl-njabl
- 93 class bl-ordb
- 84 class bl-sbl
- 46 class bl-spews
Oddly the total rejections are up from last week (along with the usual suspects of the top three individual reasons), despite overall connections being down.
Fifteen of the top 30 most rejected IP addresses were rejected more than 100 times, with the top one being 221.215.146.150 (217 times, for having no reverse DNS). 22 of the top 30 are currently in the CBL and five are currently listed in bl.spamcop.net.
Hotmail is even quieter this week:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 5 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- no messages refused due to their origin IP address.
Of course, this is still six to nothing against Hotmail; whatever spam filtering they're doing is certainly not even close to 100% yet. (Especially given the one that was refused because it had already hit our spamtraps, since that shows that a spammer was able to keep on using Hotmail to spam more than once.)
And the closing numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
|---|---|---|---|---|
| Bad HELOs | 193 | 45 | 420 | 48 |
| Bad bounces | 23 | 18 | 18 | 17 |
Bad HELOs are nicely down this week (despite the terra.es machine, which illustrates the danger of reading too much into these numbers since they can fluctuate depending on when exactly I hurl people into the kernel level blocks). Ironically, some of the most active bad HELOs are misconfigured internal machines here.

Almost all of the bad bounces this week are to old usernames that used to exist here (or things that look enough like it to fool my memory about our old logins). There are three bounces to noreply, two bounces to the first 38-character hex string and one to 88.