Weekly spam summary on August 12th, 2006

August 12, 2006

This week, we:

  • got 12,152 messages from 212 different IP addresses.
  • handled 16,255 sessions from 790 different IP addresses.
  • received 124,287 connections from at least 41,964 different IP addresses.
  • hit a highwater of 6 connections being checked at once.

This is down from last week. I don't expect it to stay that way, although I can hope that spammers take August vacations too. Speaking of vacations, the per-day table is interesting this week:

Day         Connections   different IPs
Sunday           20,728          +7,446
Monday           22,408          +7,310
Tuesday          20,438          +6,516
Wednesday        18,853          +6,445
Thursday         17,164          +5,448
Friday           15,252          +5,560
Saturday          9,444          +3,239

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                      10466    516K
                       8151    424K
                       7544    372K
                       7294    322K
                       3555    171K
                       3374    167K
                       3193    149K
                       3079    154K
                       3037    154K
                       2688    161K

Although the high is lower, overall this is up from last week.

  • and got blocked for hammering on us with stuff that had already hit spamtraps, probably phish spam.
  • (bad HELO), (bad reverse DNS), and (bad reverse DNS) return from last week.
  • is an IP address in Panama without reverse DNS.

Connection time rejection stats:

  31230 total
  13988 bad or no reverse DNS
  13858 dynamic IP
   2242 class bl-cbl
    204 class bl-njabl
    147 class bl-sbl
    141 class bl-sdul
     95 class bl-dsbl
     77 class bl-ordb
     18 class bl-spews

I am starting to get curious about why the NJABL is such a consistently good performer for us. (Admittedly it is not by much compared to the CBL, but still.)

Only three out of the top 30 most rejected IP addresses were refused more than 100 times this week; the winner is (135 rejections, a Comcast cablemodem that is on a lot of DNSbls). 24 of the top 30 are currently in the CBL, 8 are currently in bl.spamcop.net, and one is in the SBL.

The one in the SBL appears to be a genuine spammer:, 'Cutting Edge Media', SBL45150 (which lists the entire /24). It provided 61 of the SBL hits this week; the other big contributors are (22 hits, SBL43698, caught scanning for vulnerable webforms that spammers exploit), (13 hits, SBL41338, spam source), and (11 hits, also Cutting Edge Media and SBL45150).

Hotmail slid right downhill this week:

  • 1 message accepted, and it was almost certainly spam.
  • 8 messages rejected because they came from non-Hotmail email addresses.
  • 15 messages sent to our spamtraps.
  • 4 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one for being SBL42606, and for being in the CBL (among other problems)).

I'm not impressed.

And the final numbers:

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs             301               44           474               42
Bad bounces            25               23            28               25

And another week closes without any bounces trying to go to those mysterious 38-character hex strings.

Written on 12 August 2006.

Last modified: Sat Aug 12 22:00:20 2006