Weekly spam summary on August 26th, 2006

August 26, 2006

Unfortunately, the SMTP listener was terminated for some reason Friday at 1pm, so some of the weekly stats are going to be way off. But having said that, there are some alarming numbers this week:

  • got 12,863 messages from 215 different IP addresses.
  • handled 19,196 sessions from 1,271 different IP addresses.
  • received 201,196 connections from at least 9,670 different IP addresses since Friday at 1pm.
  • hit a high-water mark of 5 connections being checked at once.

As of early Friday morning, we had had 118,411 connections from at least 35,756 different IP addresses, which would have put us more or less on course to match last week's numbers if not for the surge. The surge has happened today, with 186,583 connections so far; evidently there is a spam storm on. Again.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
80.65.49.38           16707   1002K
218.0.0.0/11          15778    760K
203.98.72.39          10802    549K
213.4.149.12           9769    508K
200.68.120.76          4083    245K
61.128.0.0/10          3648    193K
216.240.128.98         3564    181K
221.186.189.8          3184    162K
212.216.176.0/24       3178    158K
203.250.131.121        2400    144K

Overall this is up significantly from last week, with three sources over 10,000 packets and one pretty close to it.

  • 80.65.49.38 returns from last week, but this time around we blocked it for having bad reverse DNS. It's probably still trying to send us spam, though.
  • 203.98.72.39, 200.68.120.76, and 221.186.189.8 have bad or missing reverse DNS.
  • 213.4.149.12 returns from last week and many previous weeks. The people at terra.es are nothing if not persistent with their bad HELO names.
  • 216.240.128.98 is on the CBL, as well as various other places.
  • 203.250.131.121 kept trying to send us mail from an address that had already mailed our spamtraps.

Connection time rejection stats:

  35854 total
  17979 dynamic IP
  14529 bad or no reverse DNS
   2055 class bl-cbl
    355 class bl-dsbl
    159 class bl-sbl
    149 class bl-sdul
    147 class bl-njabl
     68 class bl-spews
     64 class bl-ordb

Six of the top 30 most rejected IP addresses were rejected 100 times or more, with the winner being 66.127.96.194 (197 times, for being a PacBell DSL line, and it's also in the CBL). 21 of the top 30 are currently in the CBL, 8 are currently in bl.spamcop.net, and one is in the SBL.

If you guess that the SBL-listed IP address belongs to 'Cutting Edge Media', just like the last two weeks, you win a modest No-Prize. This week it was 208.32.133.156 that made the list, still part of SBL45150, and the other IP addresses seem to have given up.

The top six SBL listings by rejections, with commentary:

Count  Listing   Notes
   67  SBL45150  Cutting Edge Media
   24  SBL45512  Oh the embarrassment; this spam server farm is based in Toronto
   15  SBL43698  Part of Wanadoo Jordan. There's Wanadoo again. (See last week.)
   14  SBL44886  Listed for being a phish site (in July). Apparently it sends email too.
   11  SBL44142  Brazilian spam source.
   10  SBL21868  Advance fee fraud from a Brazilian webmail place.

For all that I harsh on various foreign countries for being heavy spam sources, it's worth noting that the top two SBL rejection sources are North American.

(I'm Canadian, so I get to not count the US as a 'foreign country' in things like this.)

As expected, Hotmail's numbers have shifted this week:

  • 6 messages accepted, at least one of which was spam.
  • No messages rejected because they came from non-Hotmail email addresses.
  • 42 messages sent to our spamtraps.
  • 33 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one for being from Telkom SA/SAIX, one for being from Ghana Telcom).

This is a dramatic jump from last week's numbers, and I am hoping that this is not the start of a trend.

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs     1557 (110)                   610 (54)
Bad bounces    322 (284)                    34 (33)

Evidence suggests that spammers have been forging various University of Toronto domains as the origin address of their spam a lot this past week. No particular source of bad HELO names stands out a lot, and almost all of the bad bounces were to random alphabet soup usernames that got one bounce per username.

Written on 26 August 2006.

Last modified: Sat Aug 26 23:03:52 2006