Weekly spam summary on July 1st, 2006

July 2, 2006

This week, we:

  • got 14,343 messages from 220 different IP addresses.
  • handled 18,078 sessions from 864 different IP addresses.
  • received 140,437 connections from at least 48,849 different IP addresses.
  • hit a highwater of 50 connections being checked at once (hit on Tuesday).

Unlike last week, we don't seem to have been hit with any particular spam fireworks for this Canada Day; volume is down, although not quite reaching what I consider an ordinary baseline these days. Per day:

Day Connections different IPs
Sunday 20,286 +8,834
Monday 26,389 +9,037
Tuesday 26,853 +9,416
Wednesday 17,032 +5,459
Thursday 20,850 +6,415
Friday 17,985 +6,091
Saturday 11,042 +3,597

People clearly poked us more than usual on Monday and Tuesday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
204.202.15.55         38386   1894K
204.202.252.105       12076    596K
213.4.149.12           9045    470K
218.0.0.0/11           7052    349K
218.254.82.97          6696    321K
204.202.22.191         6303    311K
61.128.0.0/10          6228    315K
212.216.176.0/24       5260    268K
199.239.233.177        4972    245K
220.160.0.0/11         4250    215K

I believe we have a new champion for persistence here, and things are overall up from last week.

  • 204.202.15.55, 204.202.252.105, and 204.202.22.191 tried to send us phish spam. Evidently a lot of phish spam.
  • 199.239.233.177 returns from last week, still shoveling the phish spam at us.
  • 213.4.149.12 is a terra.es machine with a bad HELO name. terra.es used to make these summaries on a regular basis (most recently here), but hasn't popped up in a while.
  • 218.254.82.97 returns from last week, still a hkcable.com.hk cablemodem.

Given this pattern, I have to wonder if some phish spammer is doing a mass scan of 204.202/16 looking for vulnerable systems to exploit. All three machines appear to be running 'Sendmail 8.13.6.20060614/8.13.1' on FreeBSD/i386 (and all three have telnet open).

Connection time rejection stats:

  42233 total
  19515 bad or no reverse DNS
  18590 dynamic IP
   2549 class bl-cbl
    170 class bl-sdul
    153 class bl-dsbl
    101 class bl-njabl
     93 class bl-ordb
     84 class bl-sbl
     46 class bl-spews

Oddly the total rejections are up from last week (along with the usual suspects of the top three individual reasons), despite overall connections being down.

Fifteen of the top 30 most rejected IP addresses were rejected more than 100 times, with the top one being 221.215.146.150 (217 times, for having no reverse DNS). 22 of the top 30 are currently in the CBL and five are currently listed in bl.spamcop.net.

Hotmail is even quieter this week:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 5 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • no messages refused due to their origin IP address.

Of course, this is still six to nothing against Hotmail; whatever spam filtering they're doing is certainly not even close to 100% yet. (Especially given the one that was refused because it had already hit our spamtraps, since that shows that a spammer was able to keep on using Hotmail to spam more than once.)

And the closing numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 193 45 420 48
Bad bounces 23 18 18 17

Bad HELOs are nicely down this week (despite the terra.es machine, which illustrates the danger of reading too much into these numbers since they can fluctuate depending on when exactly I hurl people into the kernel level blocks). Ironically, some of the most active bad HELOs are misconfigured internal machines here.

Almost all of the bad bounces this week are to old usernames that used to exist here (or things that look enough like it to fool my memory about our old logins). There's three bounces to noreply, two bounces to the first 38-character hex string and one to 88.

Written on 02 July 2006.
« Link: The virtual furniture police
Why Solaris is not my favorite operating system »

Page tools: View Source.
Search:
Login: Password:

Last modified: Sun Jul 2 02:21:17 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.