Weekly spam summary on September 2nd, 2006

September 2, 2006

Our SMTP frontend survived all this week without problems, which was something of an accomplishment this week. Because this week, we:

  • got 13,546 messages from 227 different IP addresses.
  • handled 19,984 sessions from 1,283 different IP addresses.
  • received 1,419,542 connections from at least 52,806 different IP addresses.
  • hit a highwater of 9 connections being checked at once.

Yes, that is not a typo; this week we had a lot of SMTP connections, although none of the other numbers are up much compared to last week. It's not a continuation of the spam storm from last Saturday either, as the per-day numbers show:

Day Connections different IPs
Sunday 20,593 +7,285
Monday 23,676 +7,944
Tuesday 28,816 +9,029
Wednesday 252,349 +7,809
Thursday 712,787 +8,161
Friday 364,505 +7,540
Saturday 16,816 +5,038

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes          10704    557K          4490    216K          3609    190K           2976    145K           2405    144K       2367    119K         2330    116K         2226    107K           2215    106K         2114    127K

The overall volume is down from last week, with only one entry really sticking out.

  • returns from last week and many prior weeks.
  •,, and had bad HELO greetings.
  • is 'mailout45.inetekk.com'. We have had prior dealings with inetekk that make us disinclined to ever accept email from them again.

Connection time rejection stats:

  38665 total
  18228 dynamic IP
  15060 bad or no reverse DNS
   2176 class bl-cbl
   1381 class bl-sbl
    547 class bl-dsbl
    280 class bl-njabl
    251 class bl-sdul
    159 class bl-spews
     84 class bl-ordb

Oddly, despite the huge connection volume there is no real growth in these stats compared to last week. I don't have any explanation for this.

Six of the top 30 most rejected IP addresses were rejected 100 times or more, with the leader being (197 times, rejected for having no reverse DNS). 15 of the top 30 are currently in the CBL, six are currently in bl.spamcop.net, and two are in the SBL.

Somewhat to my surprise only one of those two is our non-friends at Cutting Edge Media (this week reporting in from The other is, which is part of SBL21128, which is a /23 listing that is (to quote the listing) '419 scam sources in Senegal'. For extra displeasure, this listing was created November 14th, 2004.

Hotmail's stats this week are an improvement over last week:

  • 1 message accepted.
  • 1 message rejected because it came from a non-Hotmail email address; it was pretty certain to have been advance fee fraud spam.
  • 25 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one for being in the CBL, one for being from Cote d'Ivoire).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 2258 140 1557 110
Bad bounces 263 233 323 285

There were four people who sent 100 or more bad HELOs before being blocked, but the volume seems to be more or less fairly distributed; there are no single runaway sources.

The most popular bad username to send stuff to continues to be 'noreply', which perhaps shouldn't be surprising. In aggregate, the most popular bounce destination is random alphabetic strings, each one used only one time.

Written on 02 September 2006.
« Link: The Single Unix Specification et al
Why writing documentation is no fun »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Sep 2 23:40:34 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.