Weekly spam summary on August 26th, 2006
Unfortunately, the SMTP listener was terminated for some reason Friday at 1pm, so some of the weekly stats are going to be way off. But having said that, there are some alarming numbers this week:
- got 12,863 messages from 215 different IP addresses.
- handled 19,196 sessions from 1,271 different IP addresses.
- received 201,196 connections from at least 9,670 different IP addresses since Friday at 1pm.
- hit a highwater of 5 connections being checked at once.
As of early Friday morning, we had had 118,411 connections from at least 35,756 different IP addresses, which would have put us more or less on course to be around last week apart from the surge. The surge has happened today, with 186,583 connections so far; evidently there is a spam storm on. Again.
Kernel level packet filtering top ten:
Host/Mask          Packets   Bytes
80.65.49.38          16707   1002K
218.0.0.0/11         15778    760K
203.98.72.39         10802    549K
213.4.149.12          9769    508K
200.68.120.76         4083    245K
61.128.0.0/10         3648    193K
216.240.128.98        3564    181K
221.186.189.8         3184    162K
212.216.176.0/24      3178    158K
203.250.131.121       2400    144K
Overall this is up significantly from last week, with three sources over 10,000 packets and one pretty close to it.
- 80.65.49.38 returns from last week, but this time around we blocked it for having bad reverse DNS. It's probably still trying to send us spam, though.
- 203.98.72.39, 200.68.120.76, and 221.186.189.8 have bad or missing reverse DNS.
- 213.4.149.12 returns from last week and many previous weeks. The people at terra.es are nothing if not persistent with their bad HELO names.
- 216.240.128.98 is on the CBL, as well as various other places.
- 203.250.131.121 kept trying to send us mail from an address that had already mailed our spamtraps.
Connection time rejection stats:
35854 total
17979 dynamic IP
14529 bad or no reverse DNS
 2055 class bl-cbl
  355 class bl-dsbl
  159 class bl-sbl
  149 class bl-sdul
  147 class bl-njabl
   68 class bl-spews
   64 class bl-ordb
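The rejection classes counted above (dynamic IP, bad or no reverse DNS, then the DNSBL classes) and the "sender already hit our spamtraps" refusal mentioned for 203.250.131.121 and for Hotmail are the standard connection-time and MAIL FROM checks of a 2006-era SMTP front end. The following is an added example of how such a classifier is put together; it is not the site's own code. The DNS zone names for the lists are assumptions (the page names the lists, not their zones, and several of these lists have since shut down), the check order follows the order the stats are listed in, the dynamic-IP table is a constructed netblock in RFC 5737 documentation space, and all DNS data is constructed and injected through a fake resolver so the code runs offline.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed zone names for the list classes the page counts (the page names
# the lists only). Several of these lists no longer operate; illustrative.
DNSBL_ZONES = [
    ("class bl-cbl", "cbl.abuseat.org"),
    ("class bl-sbl", "sbl.spamhaus.org"),
    ("class bl-spamcop", "bl.spamcop.net"),
]

# Constructed "dynamic IP" netblock (RFC 5737 documentation space), standing
# in for the local table of consumer DSL/cable ranges such a filter keeps.
DYNAMIC_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class FakeResolver:
    """Offline stand-in for DNS: PTR and A data are constructed dictionaries."""
    ptr: dict   # ip -> list of PTR names; missing key means no reverse DNS
    a: dict     # hostname -> list of A records

    def ptr_names(self, ip):
        return self.ptr.get(ip, [])

    def a_records(self, name):
        return self.a.get(name, [])


def dnsbl_query_name(ip, zone):
    """Standard DNSBL query name: reversed octets under the list's zone,
    e.g. 192.0.2.1 in cbl.abuseat.org is looked up as 1.2.0.192.cbl.abuseat.org."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def reverse_dns_status(ip, resolver):
    """'none' if the IP has no PTR; 'bad' if PTR names exist but none of them
    resolves back to the IP (no forward confirmation); 'ok' otherwise."""
    names = resolver.ptr_names(ip)
    if not names:
        return "none"
    if any(ip in resolver.a_records(n) for n in names):
        return "ok"
    return "bad"


def connection_rejection(ip, resolver, dynamic_nets=DYNAMIC_NETS, zones=DNSBL_ZONES):
    """Return the first matching rejection class (assumed order: dynamic IP,
    reverse DNS, then the DNSBLs), or None if the connection is accepted."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in dynamic_nets):
        return "dynamic IP"
    if reverse_dns_status(ip, resolver) != "ok":
        return "bad or no reverse DNS"
    for label, zone in zones:
        # A listed IP has an A record (conventionally 127.0.0.x) under the zone.
        if resolver.a_records(dnsbl_query_name(ip, zone)):
            return label
    return None


def sender_rejection(sender, trap_senders):
    """MAIL FROM check: refuse a sender address that has already mailed a spamtrap."""
    return "sender already hit spamtrap" if sender.lower() in trap_senders else None


def tally(ips, resolver):
    """Count rejections per class, in the shape of the rejection stats above."""
    counts = Counter()
    for ip in ips:
        reason = connection_rejection(ip, resolver)
        if reason:
            counts["total"] += 1
            counts[reason] += 1
    return counts


# Constructed sample data for a stand-alone run.
SAMPLE_RESOLVER = FakeResolver(
    ptr={
        "198.51.100.10": ["mail.example.org"],     # good, forward-confirmed
        "198.51.100.20": ["generic.example.net"],  # PTR exists, no forward match
        "198.51.100.30": ["relay.example.com"],    # good rDNS, but CBL-listed
    },
    a={
        "mail.example.org": ["198.51.100.10"],
        "relay.example.com": ["198.51.100.30"],
        "30.100.51.198.cbl.abuseat.org": ["127.0.0.2"],
    },
)
SAMPLE_IPS = ["192.0.2.7", "198.51.100.10", "198.51.100.20",
              "198.51.100.30", "203.0.113.5"]

if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(ip, connection_rejection(ip, SAMPLE_RESOLVER))
    print(tally(SAMPLE_IPS, SAMPLE_RESOLVER))
```

Swapping `FakeResolver` for real PTR/A lookups is all that separates this from a live check; the ordering matters because a cheap local table lookup (dynamic ranges) avoids the DNS round trips for the bulk of the storm traffic, and only connections that pass reverse DNS are worth the per-list DNSBL queries.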
Six of the top 30 most rejected IP addresses were rejected 100 times or more, with the winner being 66.127.96.194 (197 times, for being a PacBell DSL line, and it's also in the CBL). 21 of the top 30 are currently in the CBL, 8 are currently in bl.spamcop.net, and one is in the SBL.
If you guess that the SBL-listed IP address belongs to 'Cutting Edge Media', just like the last two weeks, you win a modest No-Prize. This week it was 208.32.133.156 that made the list, still part of SBL45150, and the other IP addresses seem to have given up.
The top six SBL listings by rejections, with commentary:
Count | Listing | Notes |
67 | SBL45150 | Cutting Edge Media |
24 | SBL45512 | Oh the embarrassment; this spam server farm is based in Toronto |
15 | SBL43698 | Part of Wanadoo Jordan. There's Wanadoo again. (See last week.) |
14 | SBL44886 | Listed for being a phish site (in July). Apparently it sends email too. |
11 | SBL44142 | Brazilian spam source. |
10 | SBL21868 | Advance fee fraud from a Brazilian webmail place. |
For all that I harsh on various foreign countries for being heavy spam sources, it's worth noting that the top two SBL rejection sources are North American.
(I'm Canadian, so I get to not count the US as a 'foreign country' in things like this.)
As expected, Hotmail's numbers have shifted this week:
- 6 messages accepted, at least one of which was spam.
- No messages rejected because they came from non-Hotmail email addresses.
- 42 messages sent to our spamtraps.
- 33 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one for being from Telkom SA/SAIX, one for being from Ghana Telcom).
This is a dramatic jump from last week's numbers, and I am hoping that this is not the start of a trend.
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 1557 | 110 | 610 | 54 |
Bad bounces | 322 | 284 | 34 | 33 |
Evidence suggests that spammers have been forging various University of Toronto domains as the origin address of their spam a lot this past week. No particular source of bad HELO names stands out a lot, and almost all of the bad bounces were to random alphabet soup usernames that got one bounce per username.