Weekly spam summary on July 8th, 2006

July 9, 2006

This week, we:

  • got 13,932 messages from 204 different IP addresses.
  • handled 17,417 sessions from 865 different IP addresses.
  • received 161,727 connections from at least 52,444 different IP addresses.
  • hit a highwater of 50 connections being checked at once (hit on Friday).

This is about the same as last week, allowing for random variation. The per day table is mostly but not entirely flat, so I'm going to include it:

Day Connections different IPs
Sunday 20,708 +8,590
Monday 24,100 +6,710
Tuesday 23,664 +7,986
Wednesday 27,001 +9,007
Thursday 22,281 +6,807
Friday 25,757 +7,995
Saturday 18,216 +5,349

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes           9919    485K          7007    367K           6328    329K           5037    235K           4932    237K          4189    201K             4155    201K       4030    203K           3774    181K         3680    182K

Volume is down from last week, only partly because the two big point sources went away, and this week the top two spots are claimed by Chinese netblocks instead of individual IP addresses.

  • returns from last week, still with a bad HELO name.
  • and also have bad HELO names.
  • was listed in the NJABL (but no longer is).
  •, a very active hkcable.com.hk cablemodem, returns from last week.
  • is listed in the SORBS DUL list (and is currently in bl.spamcop.net).

Connection time rejection stats:

  55159 total
  29576 dynamic IP
  21628 bad or no reverse DNS
   2631 class bl-cbl
    230 class bl-njabl
    154 class bl-sdul
    135 class bl-spews
    124 class bl-sbl
     87 class bl-dsbl
     10 class bl-ordb

This is a striking jump up from last week for only a relatively moderate increase in overall connection volume. I suspect that spammers may be having their zombies get more persistent to overcome greylisting; oh well, very little lasts forever in the antispam world.

All 30 of the 30 most rejected IP addresses were rejected more than a hundred times; the champion is, with 1247 rejections, and with this latest episode it's now earned a permanent place in our kernel IP filters. 27 of the 30 are currently in the CBL, and six are in bl.spamcop.net.

Hotmail had a so-so week, and I've discovered that some of my past stats around the start of each month may have been inaccurate. This week's numbers:

  • no messages accepted.
  • 4 messages rejected because they came from non-Hotmail email addresses.
  • 14 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • no messages refused due to their origin IP address.

That's a lot of mail to our spamtraps, and I'm not too happy about it. Hotmail may be stopping spammers relatively fast, but it's clearly letting them send some spam to start with.

And the closing numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 608 56 193 45
Bad bounces 88 62 23 18

Both of these are up significantly from last week, and I suspect that it's the same root cause: spammers are forging us on their spam more actively. There is no single source of bad HELOs that stands out a lot (the winner is aka 'pascor01.Pascor.local', but with only 85 rejections).

This week sees a new 38-character hex digit appear in the bad bounces, 8B407639D45C5742ADD3987F7E013C41178B66. Apart from that, there's a lot more variety this week, with 54 different usernames ranging from long-dead accounts to plausible accounts to random alphanumeric sequences like 'zfqbxbgm330'; the random alphanumerics are the predominant group. Interesting, the only all-digit username this week was '0'.

Written on 09 July 2006.
« The problem of IT winning arguments
A suggestion for people with 'Out of Office' autoreplies »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Jul 9 02:37:13 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.