Weekly spam summary on August 26th, 2006
Unfortunately, the SMTP listener was terminated for some reason Friday at 1pm, so some of the weekly stats are going to be way off. But having said that, there are some alarming numbers this week:
- got 12,863 messages from 215 different IP addresses.
- handled 19,196 sessions from 1,271 different IP addresses.
- received 201,196 connections from at least 9,670 different IP addresses since Friday at 1pm.
- hit a highwater of 5 connections being checked at once.
As of early Friday morning, we had had 118,411 connections from at least 35,756 different IP addresses, which would have put us more or less on course to be around last week apart from the surge. The surge has happened today, with 186,583 connections so far; evidently there is a spam storm on. Again.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 126.96.36.199 16707 1002K 188.8.131.52/11 15778 760K 184.108.40.206 10802 549K 220.127.116.11 9769 508K 18.104.22.168 4083 245K 22.214.171.124/10 3648 193K 126.96.36.199 3564 181K 188.8.131.52 3184 162K 184.108.40.206/24 3178 158K 220.127.116.11 2400 144K
Overall this is up significantly from last week, with three sources over 10,000 packets and one pretty close to it.
- 18.104.22.168 returns from last week, but this time around we blocked it for having bad reverse DNS. It's probably still trying to send us spam, though.
- 22.214.171.124, 126.96.36.199, and 188.8.131.52 have bad or missing reverse DNS.
- 184.108.40.206 returns from last week and many previous weeks.
The people at
terra.esare nothing if not persistent with their bad
- 220.127.116.11 is on the CBL, as well as various other places.
- 18.104.22.168 kept trying to send us mail from an address that had already mailed our spamtraps.
Connection time rejection stats:
35854 total 17979 dynamic IP 14529 bad or no reverse DNS 2055 class bl-cbl 355 class bl-dsbl 159 class bl-sbl 149 class bl-sdul 147 class bl-njabl 68 class bl-spews 64 class bl-ordb
Six of the top 30 most rejected IP addresses were rejected 100 times
or more, with the winner being 22.214.171.124 (197 times, for being a
PacBell DSL line, and it's also in the CBL). 21 of the top 30 are
currently in the CBL, 8 are currently in
bl.spamcop.net, and one
is in the SBL.
If you guess that the SBL-listed IP address belongs to 'Cutting Edge Media', just like the last two weeks, you win a modest No-Prize. This week it was 126.96.36.199 that made the list, still part of SBL45150, and the other IP addresses seem to have given up.
The top six SBL listings by rejections, with commentary:
|67||SBL45150||Cutting Edge Media|
|24||SBL45512||Oh the embarrassment; this spam server farm is based in Toronto|
|15||SBL43698||Part of Wanadoo Jordan. There's Wanadoo again. (See last week.)|
|14||SBL44886||Listed for being a phish site (in July). Apparently it sends email too.|
|11||SBL44142||Brazilian spam source.|
|10||SBL21868||Advance fee fraud from a Brazilian webmail place.|
For all that I harsh on various foreign countries for being heavy spam sources, it's worth noting that the top two SBL rejection sources are North American.
(I'm Canadian, so I get to not count the US as a 'foreign country' in things like this.)
As expected, Hotmail's numbers have shifted this week:
- 6 messages accepted, at least one of which was spam.
- No messages rejected because they came from non-Hotmail email addresses.
- 42 messages sent to our spamtraps.
- 33 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one for being from Telkom SA/SAIX, one for being from Ghana Telcom).
This is a dramatic jump from last week's numbers, and I am hoping that this is not the start of a trend.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Evidence suggests that spammers have been forging various University
of Toronto domains as the origin address of their spam a lot this past
week. No particular source of bad
HELO names stands out a lot, and
almost all of the bad bounces were to random alphabet soup usernames
that got one bounce per username.