Weekly spam summary on September 23rd, 2006
This week, we:
- got 15,623 messages from 253 different IP addresses.
- handled 19,363 sessions from 969 different IP addresses.
- received 166,319 connections from at least 46,095 different IP addresses.
- hit a highwater of 8 connections being checked at once.
This makes volume a bit up from last week. Volume fluctuates a bit during the week:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 126.96.36.199 96915 5040K 188.8.131.52/24 6637 302K 184.108.40.206 4428 266K 220.127.116.11 4341 221K 18.104.22.168 4147 249K 22.214.171.124/10 3756 208K 126.96.36.199 2734 164K 188.8.131.52 2522 151K 184.108.40.206 2364 142K 220.127.116.11 2213 133K
Apart from the top IP, overall volume is down a bit from last week. Of course, that's a big 'apart from' qualification, considering that mailhost.terra.es outweighs the entire rest of the list combined.
- 18.104.22.168 may give up someday, but evidently not this week; it reappears from last week, this time due to permanent blocks.
- 22.214.171.124 is listed in SPEWS, plus it's a webmail source that we block. (It's made our lists before.)
- 126.96.36.199 and 188.8.131.52 were blocked because of missing reverse DNS; their general network areas have annoyed us enough that we insist on good rDNS as a minimum standard from them.
- 184.108.40.206 and 220.127.116.11 are freenet.de machines, blocked for trying to keep sending us spam that had hit our spamtraps. I suspect that they've fallen afoul of an advance fee fraud spam gang.
- 18.104.22.168 also kept trying to send us stuff that had tripped our spamtraps.
- 22.214.171.124 returns from earlier in September,
still with a bad
Connection time rejection stats:
37577 total 18701 dynamic IP 14979 bad or no reverse DNS 2252 class bl-cbl 451 class bl-dsbl 304 class bl-sdul 167 class bl-njabl 147 class bl-sbl 92 class bl-spews 75 cuttingedgemedia.com 66 class bl-ordb
It's interesting that the SBL didn't drop compared to last week, even after I blocked Cutting Edge Media specifically so that they no longer added to the SBL stats. The SBL rejections source stats are highly skewed this week:
Even better, according to Spamhaus, the first two SBL listings are for the same people (I think Spamhaus split them because they're two separate subnets). In a break with the usual pattern, none of these seem to be advance fee fraud spammers.
Only three out of the top 30 most rejected IP addresses were
rejected 100 times or more; the leader was 126.96.36.199 (153
times). 20 of the top 30 are currently in the CBL, 4 are
bl.spamcop.net, and two are currently in the
SBL (188.8.131.52, part of Cutting Edge Media's SBL45150,
and 184.108.40.206, part of SBL29986).
(Because they were rejected for other reasons than being in the SBL, neither shows up in the SBL rejection source table. We tend to check DNS blocklists fairly late, mostly to reduce the load on the DNSbl operators.)
The Hotmail stats for this week are:
- 4 messages accepted, at least three of which were completely legitimate.
- no messages rejected because they came from non-Hotmail email addresses.
- 16 messages sent to our spamtraps.
- 1 message refused because its sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one from Cote D'Ivoire, one from Burkina Faso).
This is at least better than last week. (The high volume of legitimate messages is from students mailing a contact address to report a problem with one of the systems we run. Why students like free webmail providers so much is another entry.)
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Evidently the bad
HELO people were more persistent this week than
last week; there is no single really big source, at least by my
standards. (The most active is 220.127.116.11, with 90 attempts,
then 18.104.22.168 with 57.)
The only unusual thing in the bad bounce usernames is a few rejections
to things that could be very short hex strings;
E07. But that's probably just spammer randomness in action.