Weekly spam summary on July 1st, 2006
This week, we:
- got 14,343 messages from 220 different IP addresses.
- handled 18,078 sessions from 864 different IP addresses.
- received 140,437 connections from at least 48,849 different IP addresses.
- hit a highwater of 50 connections being checked at once (hit on Tuesday).
Unlike last week, we don't seem to have been hit with any particular spam fireworks for this Canada Day; volume is down, although not quite reaching what I consider an ordinary baseline these days. Per day:
People clearly poked us more than usual on Monday and Tuesday.
Kernel level packet filtering top ten:
|Host/Mask||Packets||Bytes|
|126.96.36.199||38386||1894K|
|188.8.131.52||12076||596K|
|184.108.40.206||9045||470K|
|220.127.116.11/11||7052||349K|
|18.104.22.168||6696||321K|
|22.214.171.124||6303||311K|
|126.96.36.199/10||6228||315K|
|188.8.131.52/24||5260||268K|
|184.108.40.206||4972||245K|
|220.127.116.11/11||4250||215K|
I believe we have a new champion for persistence here, and things are overall up from last week.
- 18.104.22.168, 22.214.171.124, and 126.96.36.199 tried to send us phish spam. Evidently a lot of phish spam.
- 188.8.131.52 returns from last week, still shoveling the phish spam at us.
- 184.108.40.206 is a terra.es machine with a bad HELO name. terra.es used to make these summaries on a regular basis (most recently here), but hasn't popped up in a while.
- 220.127.116.11 returns from last week, still a hkcable.com.hk cablemodem.
Given this pattern, I have to wonder if some phish spammer is doing a mass scan of 204.202/16 looking for vulnerable systems to exploit. All three machines appear to be running 'Sendmail 18.104.22.16860614/8.13.1' on FreeBSD/i386 (and all three have telnet open).
Connection time rejection stats:
42233 total
19515 bad or no reverse DNS
18590 dynamic IP
2549 class bl-cbl
170 class bl-sdul
153 class bl-dsbl
101 class bl-njabl
93 class bl-ordb
84 class bl-sbl
46 class bl-spews
Oddly the total rejections are up from last week (along with the usual suspects of the top three individual reasons), despite overall connections being down.
Fifteen of the top 30 most rejected IP addresses were rejected more than 100 times, with the top one being 22.214.171.124 (217 times, for having no reverse DNS). 22 of the top 30 are currently in the CBL and five are currently listed in
Hotmail is even quieter this week:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 5 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- no messages refused due to their origin IP address.
Of course, this is still six to nothing against Hotmail; whatever spam filtering they're doing is certainly not even close to 100% yet. (Especially given the one that was refused because it had already hit our spamtraps, since that shows that a spammer was able to keep on using Hotmail to spam more than once.)
And the closing numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
HELOs are nicely down this week (despite the terra.es machine, which illustrates the danger of reading too much into these numbers since they can fluctuate depending on when exactly I hurl people into the kernel level blocks). Ironically, some of the most active bad HELOs are misconfigured internal machines here.
Almost all of the bad bounces this week are to old usernames that used to exist here (or things that look enough like it to fool my memory about our old logins). There's three bounces to noreply, two bounces to the first 38-character hex string and one to