Weekly spam summary on August 5th, 2006

August 5, 2006

This week, we:

  • got 12,245 messages from 230 different IP addresses.
  • handled 16,343 sessions from 801 different IP addresses.
  • received 141,499 connections from at least 42,169 different IP addresses.
  • hit a highwater of 7 connections being checked at once.

This is down slightly from last week. We will probably see variations in accepted messages all August, since this is both doldrums and panic time at universities. The per day figures:

Day Connections different IPs
Sunday 18,437 +6,800
Monday 23,100 +7,321
Tuesday 20,005 +6,048
Wednesday 19,753 +5,055
Thursday 21,940 +6,772
Friday 24,820 +6,628
Saturday 13,444 +3,545

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
203.62.232.83         14645    745K
213.4.149.12           6550    341K
210.245.60.162         5705    254K
62.212.90.203          3219    159K
220.160.0.0/11         2743    138K
212.216.176.0/24       2542    128K
61.128.0.0/10          2375    119K
213.129.201.64         2208    106K
218.0.0.0/11           2199    110K
80.128.0.0/12          2148    108K

The top is up a lot but the rest is down a bit from last week.

  • 203.62.232.83 and 210.245.60.162 are APNIC IP addresses with no reverse DNS; the former in Australia, the latter in Vietnam (and on bl.spamcop.net).
  • 213.4.149.12 (bad HELO), 62.212.90.203 (bad reverse DNS), and 213.129.201.64 (bad HELO) return from last week.

Connection time rejection stats:

  34294 total
  17031 dynamic IP
  13730 bad or no reverse DNS
   2243 class bl-cbl
    251 class bl-njabl
    190 class bl-sdul
    105 class bl-sbl
    102 class bl-ordb
     97 class bl-spews
     61 class bl-dsbl

Out of the 30 most rejected IP addresses, 3 were rejected more than 100 times; 66.168.202.47 (763 times, charter.com cablemodem, on the CBL et al), 210.245.60.162 (195 times), and 221.127.187.13 (129 times, Hong Kong with no reverse DNS, on the CBL et al). 16 of the top 30 are currently in the CBL, and 8 are currently in bl.spamcop.net.

Hotmail has slightly improved from last week:

  • no messages accepted.
  • 6 messages rejected because they came from non-Hotmail email addresses.
  • 11 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • no messages refused due to their origin IP address.

As with last week, all of the 'non-Hotmail email addresses' are other Hotmail properties. While less suggestive than last week's, none of the usernames fill me with great joy and confidence that they are real people (or at least real people located somewhere besides a Nigerian cybercafe).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 474 42 528 44
Bad bounces 28 25 38 26

This week, there are no really outstanding sources of bad HELO names (and, since I have looked, no really hysterically absurd ones either).

Bad bounce destinations are much like last week, and just like last week the spammer using the 38-character hex strings seems to have stayed gone. I have to confess I sort of miss them; they injected a certain dose of surreality into the proceedings.

Written on 05 August 2006.
« My current set of Firefox extensions
A fun little regular expression bug »

Page tools: View Source.
Search:
Login: Password:

Last modified: Sat Aug 5 23:00:40 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.