Weekly spam summary on July 29th, 2006

July 30, 2006

This week, we:

  • got 12,284 messages from 218 different IP addresses.
  • handled 17,177 sessions from 899 different IP addresses.
  • received 152,193 connections from at least 48,479 different IP addresses.
  • hit a highwater of 7 connections being checked at once.

Most of these are up somewhat from last week, although they're within the levels that I've come to think of as 'normal variation'. The day to day figures were quite variable:

Day          Connections   Different IPs
Sunday            15,872          +6,909
Monday            22,221          +6,672
Tuesday           26,190          +7,950
Wednesday         22,421          +6,288
Thursday          23,553          +7,173
Friday            26,121          +8,609
Saturday          15,815          +4,878

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                       7102    369K
                       5702    287K
                       4275    235K
                       3960    195K
                       3900    197K
                       3685    221K
                       2800    140K
                       2529    126K
                       2496    120K
                       2395    115K

This is more or less around the expected levels.

  • and reappear from last week.
  • has inconsistent reverse DNS, and we don't accept that from its network area. (It's also currently in bl.spamcop.net.)
  • tried to keep sending stuff with a MAIL FROM that had tripped our spamtraps.
  • uses a bad HELO name. Since that's Telefonica IP space and it has no reverse DNS, next week it will be banned for that.
  • is xtra.co.nz outgoing mail machines, which tried to keep sending stuff with a MAIL FROM that had tripped our spamtraps. Given that the username of the MAIL FROM is 'uk_winner', I think I can safely chalk up yet another badly managed webmail system.

Connection time rejection stats:

  38282 total
  19078 dynamic IP
  15363 bad or no reverse DNS
   2583 class bl-cbl
    246 class bl-njabl
    165 class bl-sdul
    123 mailup.info
     80 class bl-sbl
     67 class bl-dsbl
     33 class bl-spews
     27 class bl-ordb
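
The connection-time checks behind those categories (dynamic-looking or inconsistent reverse DNS, DNSBL hits, bad HELO names, senders that already hit a spamtrap) can be expressed as a small ordered policy. The following is an added example written for this page, not the blog's own mail server code or its actual rules: the connection records and their DNS answers are constructed inline so it runs offline, the dynamic-hostname patterns are deliberately simplified, and the DNSBL, spamtrap and local-domain tables are stand-ins for real lookups. The tally it produces has the same shape as the rejection stats above.

```python
import re
from collections import Counter

# Assumed/constructed policy data; a real server would populate these from
# DNSBL queries, the spamtrap log and the list of domains it accepts mail for.
LOCAL_DOMAINS = {"example.org"}                 # assumed: our own mail domain
SPAMTRAP_SENDERS = {"uk_winner@example.net"}    # constructed: senders that hit a trap
DNSBL_HITS = {"192.0.2.10": "bl-cbl"}           # constructed stand-in for a DNSBL lookup

# Very rough "looks like a dynamic/residential host" heuristics.
DYNAMIC_PATTERNS = [
    re.compile(r"(^|[.-])(dsl|dyn|dynamic|ppp|dhcp|cable|dial)([.-]|$)", re.I),
    re.compile(r"\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}"),   # IP baked into the name
]


def looks_dynamic(ptr):
    """True if the reverse DNS name matches one of the dynamic-host patterns."""
    return any(p.search(ptr) for p in DYNAMIC_PATTERNS)


def helo_is_bad(helo, ip):
    """Reject empty HELOs, bare IP literals, single-label names and HELOs
    that claim to be us. A bracketed address literal matching the
    connecting IP is allowed, as RFC 5321 permits it."""
    if not helo:
        return True
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", helo):
        return True                       # unbracketed IP literal
    if helo == f"[{ip}]":
        return False
    if helo.lower() in LOCAL_DOMAINS:
        return True                       # a stranger claiming to be our own host
    return "." not in helo


def classify(conn):
    """Return the rejection reason for one connection record, or None to accept.
    Reverse DNS is checked first (no PTR, dynamic-looking PTR, PTR that does
    not resolve back to the connecting IP), then the DNSBL table, then the
    envelope (HELO and MAIL FROM)."""
    ip = conn["ip"]
    ptr = conn.get("ptr")
    forward = conn.get("ptr_forward", [])
    if ptr is None:
        return "bad or no reverse DNS"
    if looks_dynamic(ptr):
        return "dynamic IP"
    if ip not in forward:
        return "bad or no reverse DNS"    # inconsistent: PTR name does not point back
    if ip in DNSBL_HITS:
        return f"class {DNSBL_HITS[ip]}"
    if helo_is_bad(conn.get("helo"), ip):
        return "bad HELO"
    if conn.get("mail_from", "").lower() in SPAMTRAP_SENDERS:
        return "spamtrap sender"
    return None


def tally(conns):
    """Count rejections by reason, with a 'total' entry like the stats block."""
    reasons = [r for r in (classify(c) for c in conns) if r is not None]
    counts = Counter(reasons)
    counts["total"] = len(reasons)
    return counts


# Constructed sample connections (documentation-range addresses, invented names).
SAMPLE_CONNECTIONS = [
    {"ip": "192.0.2.10", "ptr": "host10.isp.example", "ptr_forward": ["192.0.2.10"],
     "helo": "host10.isp.example", "mail_from": "bob@isp.example"},
    {"ip": "198.51.100.7", "ptr": None},
    {"ip": "198.51.100.8", "ptr": "198-51-100-8.dsl.isp.example", "ptr_forward": ["198.51.100.8"]},
    {"ip": "203.0.113.5", "ptr": "mail.other.example", "ptr_forward": ["203.0.113.9"]},
    {"ip": "203.0.113.20", "ptr": "mx.good.example", "ptr_forward": ["203.0.113.20"],
     "helo": "203.0.113.20", "mail_from": "carol@good.example"},
    {"ip": "203.0.113.21", "ptr": "webmail.isp.example", "ptr_forward": ["203.0.113.21"],
     "helo": "webmail.isp.example", "mail_from": "uk_winner@example.net"},
    {"ip": "203.0.113.22", "ptr": "mx.clean.example", "ptr_forward": ["203.0.113.22"],
     "helo": "mx.clean.example", "mail_from": "alice@clean.example"},
]

if __name__ == "__main__":
    for reason, n in tally(SAMPLE_CONNECTIONS).most_common():
        print(f"{n:6d} {reason}")
```

Checking order matters for the numbers: a host with a dynamic-looking name that is also in a DNSBL is counted under "dynamic IP" here because that test runs first, which is why a stats block like the one above says little about how many hosts would have failed several checks.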

Out of the top 30 most rejected IP addresses, 7 were rejected more than 100 times; the champion is (an interbusiness.it IP address) with 419 rejections. 18 of the top 30 are currently in the CBL and six are currently in bl.spamcop.net.

Hotmail's numbers got worse this week:

  • no messages accepted.
  • 11 messages rejected because they came from non-Hotmail email addresses.
  • 15 messages sent to our spamtraps.
  • 5 messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being a telkom.co.za IP address.

All of the 'non-Hotmail' addresses rejected were from either msn.com or one of the non-US Hotmail domains. However, almost all of the usernames are typical of advance fee fraud spam usernames (things like 'britishinternational_lottery04' and 'dr_charis_adam13'), so I don't think we're missing much.

And the final numbers:

What            # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs       528 (44)                     307 (45)
Bad bounces      38 (26)                      38 (34)

The leading bad HELO source is, with 135 rejections.

In a surprise, this week we got no bounces to any of the three 38-character hex strings. We did get bounces to all of the other usual suspects, with the most-hit username being 'noreply' (5 bounces).

Written on 30 July 2006.
Last modified: Sun Jul 30 00:29:00 2006