Weekly spam summary on September 23rd, 2006

September 24, 2006

This week, we:

  • got 15,623 messages from 253 different IP addresses.
  • handled 19,363 sessions from 969 different IP addresses.
  • received 166,319 connections from at least 46,095 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

This puts volume a bit up from last week. Volume fluctuates somewhat over the course of the week:

Day          Connections   different IPs
Sunday            19,635          +5,249
Monday            26,483          +7,442
Tuesday           25,539          +6,591
Wednesday         24,684          +6,159
Thursday          29,565          +9,375
Friday            24,301          +6,778
Saturday          16,112          +4,501

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          96915   5040K
193.70.192.0/24        6637    302K
193.252.22.158         4428    266K
212.130.19.148         4341    221K
194.97.50.131          4147    249K
61.128.0.0/10          3756    208K
207.44.164.58          2734    164K
80.51.32.242           2522    151K
212.175.13.129         2364    142K
194.97.50.132          2213    133K

Apart from the top IP, overall volume is down a bit from last week. Of course, that's a big 'apart from' qualification, considering that mailhost.terra.es outweighs the entire rest of the list combined.

  • 213.4.149.12 may give up someday, but evidently not this week; it reappears from last week, this time due to permanent blocks.
  • 193.252.22.158 is listed in SPEWS, plus it's a webmail source that we block. (It's made our lists before.)
  • 212.130.19.148 and 80.51.32.242 were blocked because of missing reverse DNS; their general network areas have annoyed us enough that we insist on good rDNS as a minimum standard from them.
  • 194.97.50.131 and 194.97.50.132 are freenet.de machines, blocked for trying to keep sending us spam that had hit our spamtraps. I suspect that they've fallen afoul of an advance fee fraud spam gang.
  • 207.44.164.58 also kept trying to send us stuff that had tripped our spamtraps.
  • 212.175.13.129 returns from earlier in September, still with a bad HELO greeting.

Connection time rejection stats:

  37577 total
  18701 dynamic IP
  14979 bad or no reverse DNS
   2252 class bl-cbl
    451 class bl-dsbl
    304 class bl-sdul
    167 class bl-njabl
    147 class bl-sbl
     92 class bl-spews
     75 cuttingedgemedia.com
     66 class bl-ordb

It's interesting that the SBL didn't drop compared to last week, even after I blocked Cutting Edge Media specifically so that they no longer added to the SBL stats. The SBL rejections source stats are highly skewed this week:

Count   SBL Listing
   80   SBL46744
   41   SBL46750
    9   SBL46698
    7   SBL46020
    4   SBL20671

Even better, according to Spamhaus, the first two SBL listings are for the same people (I think Spamhaus split them because they're two separate subnets). In a break with the usual pattern, none of these seem to be advance fee fraud spammers.

Only three out of the top 30 most rejected IP addresses were rejected 100 times or more; the leader was 65.71.178.17 (153 times). 20 of the top 30 are currently in the CBL, 4 are currently in bl.spamcop.net, and two are currently in the SBL (217.107.125.134, part of Cutting Edge Media's SBL45150, and 217.107.125.134, part of SBL29986).

(Because they were rejected for other reasons than being in the SBL, neither shows up in the SBL rejection source table. We tend to check DNS blocklists fairly late, mostly to reduce the load on the DNSbl operators.)
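The ordering described above, with cheap local checks (dynamic-IP hostname patterns, presence of reverse DNS) decided before any DNS blocklist is consulted, is easy to see in code. The following is an added illustration, not the site's own mail-checking code: the reverse-DNS table, the two blocklist zones and the connecting IPs are constructed in-memory stand-ins (the zone names borrow the `class bl-…` labels from the stats above), so the example runs offline, and it tallies how many blocklist lookups the ordering actually saves.

```python
"""Connection-time rejection checks with DNS blocklist lookups run last.

Added example (not the site's code). Local checks reject most clients before
any DNSBL is queried, which keeps the query load on blocklist operators down.
All data below is constructed: PTR_RECORDS stands in for reverse DNS lookups
and DNSBL_ZONES stands in for the A-record queries a real DNSBL would answer.
"""
import re
from collections import Counter

# Constructed reverse-DNS table: IP -> PTR hostname, or None when there is none.
PTR_RECORDS = {
    "192.0.2.10": "dsl-192-0-2-10.example.net",  # named like a dynamic pool
    "192.0.2.11": None,                           # no reverse DNS at all
    "192.0.2.12": "mail.example.org",             # clean; passes every check
    "192.0.2.13": "relay.example.com",            # clean rDNS, listed in CBL stub
    "192.0.2.14": "mx.example.net",               # clean rDNS, listed in SBL stub
}

# Constructed blocklist contents: zone label -> set of listed IPs.
DNSBL_ZONES = {
    "bl-cbl": {"192.0.2.13"},
    "bl-sbl": {"192.0.2.14"},
}

# Hostname shapes treated as dynamic/residential pools (assumed patterns).
DYNAMIC_PATTERNS = [
    re.compile(r"^(dsl|ppp|dyn|dhcp|cable)[-.]", re.I),
    re.compile(r"\d+[-.]\d+[-.]\d+[-.]\d+\.", re.I),
]

# Constructed week of connections: 192.0.2.10 connects three times, .11 twice.
SAMPLE_CONNECTIONS = [
    "192.0.2.10", "192.0.2.10", "192.0.2.10",
    "192.0.2.11", "192.0.2.11",
    "192.0.2.12", "192.0.2.13", "192.0.2.14",
]


def lookup_ptr(ip):
    """Stub for a PTR lookup."""
    return PTR_RECORDS.get(ip)


def in_dnsbl(ip, zone, queries):
    """Stub for a DNSBL query; 'queries' counts lookups per zone."""
    queries[zone] += 1
    return ip in DNSBL_ZONES[zone]


def rejection_reason(ip, queries=None):
    """Return the first matching rejection reason for ip, or None to accept.

    Order matters: the two local checks need no blocklist traffic, so the
    DNSBLs are only consulted for clients that survive them.
    """
    if queries is None:
        queries = Counter()
    host = lookup_ptr(ip)
    if host is None:
        return "bad or no reverse DNS"
    if any(p.search(host) for p in DYNAMIC_PATTERNS):
        return "dynamic IP"
    for zone in DNSBL_ZONES:            # blocklist lookups come last
        if in_dnsbl(ip, zone, queries):
            return f"class {zone}"
    return None


def rejection_stats(ips):
    """Tally rejection reasons; also return how many DNSBL queries were made."""
    stats, queries = Counter(), Counter()
    for ip in ips:
        reason = rejection_reason(ip, queries)
        if reason is not None:
            stats[reason] += 1
    stats["total"] = sum(stats.values())
    return stats, queries


def format_stats(stats):
    """Render the tally in the same shape as the weekly summary table."""
    lines = [f"{stats['total']:>7} total"]
    rows = [(r, c) for r, c in stats.items() if r != "total"]
    for reason, count in sorted(rows, key=lambda rc: -rc[1]):
        lines.append(f"{count:>7} {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    stats, queries = rejection_stats(SAMPLE_CONNECTIONS)
    print(format_stats(stats))
    print(f"DNSBL lookups issued: {sum(queries.values())} "
          f"for {len(SAMPLE_CONNECTIONS)} connections")
```

Of the eight constructed connections, five are rejected by the local checks and never reach a blocklist; only the remaining three generate DNSBL queries. Moving the blocklist stage earlier would change none of the verdicts here but would multiply the lookups.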

The Hotmail stats for this week are:

  • 4 messages accepted, at least three of which were completely legitimate.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 16 messages sent to our spamtraps.
  • 1 message refused because its sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one from Cote D'Ivoire, one from Burkina Faso).

This is at least better than last week. (The high volume of legitimate messages is from students mailing a contact address to report a problem with one of the systems we run. Why students like free webmail providers so much is another entry.)

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs     495 (60)                     264 (42)
Bad bounces    60 (52)                      57 (51)

Evidently the bad HELO people were more persistent this week than last week; there is no single really big source, at least by my standards. (The most active is 212.42.164.253, with 90 attempts, then 64.65.197.32 with 57.)

The only unusual thing in the bad bounce usernames is a few rejections of things that could be very short hex strings: 3E4B, E7D6, and E07. But that's probably just spammer randomness in action.

Written on 24 September 2006.
Last modified: Sun Sep 24 02:01:32 2006