Weekly spam summary on July 22nd, 2006

July 23, 2006

We rebooted this server Monday around 6:50pm, so a number of the stats are truncated this week. Having said that, this week, we:

  • got 11,369 messages from 257 different IP addresses.
  • handled 15,931 sessions from 851 different IP addresses.
  • received 87,698 connections from at least 31,657 different IP addresses since Monday evening.
  • hit a highwater of 6 connections being checked at once since Monday evening.

It appears as if this week's connection volume is down significantly from last week. I have no particularly good explanation why, but I like it.

Kernel level packet filtering top ten since Monday evening:

Host/Mask           Packets   Bytes
213.4.149.12           9132    475K
81.88.225.210          7796    428K
218.0.0.0/11           6990    340K
212.216.176.0/24       4960    248K
210.54.141.0/24        4303    207K
61.128.0.0/10          3196    168K
129.206.210.211        2969    129K
72.244.103.210         2488    116K
128.121.94.189         2318    114K
204.181.35.187         2145    109K

  • 213.4.149.12 returns from last week.
  • 81.88.225.210 is mailupnet.it aka mailup.info aka people we have no interest in ever accepting email from again.
  • 129.206.210.211 and 128.121.94.189 both hit our spamtraps and kept on sending, likely with phish spam in both cases.
  • 72.244.103.210 is something we consider a covad.net 'dialup' machine.
  • 204.181.35.187 is on the NJABL.

Connection time rejection stats, from Monday evening:

  27275 total
  11820 dynamic IP
  11820 bad or no reverse DNS
   1696 class bl-cbl
    591 mailup.info
    243 class bl-njabl
    207 dartmail.net
    118 class bl-sdul
    108 class bl-dsbl
     92 class bl-sbl
     58 class bl-spews
     42 class bl-ordb

Five of the top 30 most rejected IP addresses were rejected more than 100 times; the winner is 81.88.225.210, rejected 591 times. 13 of the top 30 are currently in the CBL, six are currently in bl.spamcop.net, and one, 213.154.94.190, is in the SBL as part of SBL21129. It's an advance fee fraud spam source, of course.

Hotmail is backsliding. This week, it had:

  • no messages accepted.
  • 2 messages rejected because they came from non-Hotmail email addresses.
  • 14 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address being in the SBL. All three came from 66.178.40.27, in SBL27471, which has been listed since February 7th. Worse, the SBL page shows evidence of spam through Hotmail as far back as September 10th 2005.

I am especially displeased by the 'rejected for being in the SBL' messages.

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             307              45         1422              70
Bad bounces            38              34          127             108

I'm pleased to see this drop; evidently last week was just exceptional.

For the first time in a while, none of the various 38-character hex strings got any bounces. Instead, everything went to all of the other usual suspects.

(I am short on sleep, so this summary is more uninspired than usual.)


Comments on this page:

From 12.149.144.2 at 2006-08-23 18:26:45:

Dear Chris Siebenmann, mailup.info (81.88.225.211) is an email service provider used by over 150 companies around the world, including Flashartonline.com, Alfa Romeo, Venezia City Hall, La Perla, Nomination, MyAir.com, Mercedes Benz, Jaguar, Symantec, Linux World Italy and many others. I do not think it should be blacklisted! Regards, The MailUp Technical Staff

By cks at 2006-09-09 09:33:39:

It's interesting that 'The MailUp Technical Staff', presumably belonging to an organization based in Italy, find it necessary to post a comment here from a US-based network.

[..] mailup.info (81.88.225.211) is an email service provider used by over 150 companies around the world, [...]

That says nothing about what they use it for. To be blunt, lots of companies spam out their marketing email through third parties, and there are lots of companies eager to send it for them. Some casual Google searching is not encouraging in this department.

(As you can tell, answering this sort of comment is not a high priority for me.)

From 213.156.52.103 at 2008-11-15 10:25:26:

MailUpnet is an ESP (email service provider) with a strict antispam policy. We serve about 1.000 companies around the world, with many important names (see our web page).

Our abuse desk promptly blocks every abusing customer, that's why we have a very high Sender Score reputation. Our policy is explained here, with also detailed infos for Postmasters:

http://www.mailup.it/email-marketing/Policy-antispam_ENG.asp

Regards, MailUp Abuse Desk

By cks at 2008-11-15 14:57:22:

The listed email marketing policy contains any number of warning signs that continue to leave me completely uninterested in accepting email from them. Completely legitimate emailing list handlers do not need to boast about how easy it is to unsubscribe from their services, for example.

(Although this time around, well over two years after the entry was written, the comment is being posted from an Italian IP address.)

I am no longer interested in providing a forum where MailUp may put forward claims that they are innocent. Future comments from MailUp will be summarily deleted.

Written on 23 July 2006.

Last modified: Sun Jul 23 00:44:15 2006