Weekly spam summary on September 23rd, 2006

September 24, 2006

This week, we:

  • got 15,623 messages from 253 different IP addresses.
  • handled 19,363 sessions from 969 different IP addresses.
  • received 166,319 connections from at least 46,095 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

This makes volume a bit up from last week. Volume fluctuates a bit during the week:

Day Connections different IPs
Sunday 19,635 +5,249
Monday 26,483 +7,442
Tuesday 25,539 +6,591
Wednesday 24,684 +6,159
Thursday 29,565 +9,375
Friday 24,301 +6,778
Saturday 16,112 +4,501

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes          96915   5040K        6637    302K         4428    266K         4341    221K          4147    249K          3756    208K          2734    164K           2522    151K         2364    142K          2213    133K

Apart from the top IP, overall volume is down a bit from last week. Of course, that's a big 'apart from' qualification, considering that mailhost.terra.es outweighs the entire rest of the list combined.

  • may give up someday, but evidently not this week; it reappears from last week, this time due to permanent blocks.
  • is listed in SPEWS, plus it's a webmail source that we block. (It's made our lists before.)
  • and were blocked because of missing reverse DNS; their general network areas have annoyed us enough that we insist on good rDNS as a minimum standard from them.
  • and are freenet.de machines, blocked for trying to keep sending us spam that had hit our spamtraps. I suspect that they've fallen afoul of an advance fee fraud spam gang.
  • also kept trying to send us stuff that had tripped our spamtraps.
  • returns from earlier in September, still with a bad HELO greeting.

Connection time rejection stats:

  37577 total
  18701 dynamic IP
  14979 bad or no reverse DNS
   2252 class bl-cbl
    451 class bl-dsbl
    304 class bl-sdul
    167 class bl-njabl
    147 class bl-sbl
     92 class bl-spews
     75 cuttingedgemedia.com
     66 class bl-ordb

It's interesting that the SBL didn't drop compared to last week, even after I blocked Cutting Edge Media specifically so that they no longer added to the SBL stats. The SBL rejections source stats are highly skewed this week:

Count SBL Listing
80 SBL46744
41 SBL46750
9 SBL46698
7 SBL46020
4 SBL20671

Even better, according to Spamhaus, the first two SBL listings are for the same people (I think Spamhaus split them because they're two separate subnets). In a break with the usual pattern, none of these seem to be advance fee fraud spammers.

Only three out of the top 30 most rejected IP addresses were rejected 100 times or more; the leader was (153 times). 20 of the top 30 are currently in the CBL, 4 are currently in bl.spamcop.net, and two are currently in the SBL (, part of Cutting Edge Media's SBL45150, and, part of SBL29986).

(Because they were rejected for other reasons than being in the SBL, neither shows up in the SBL rejection source table. We tend to check DNS blocklists fairly late, mostly to reduce the load on the DNSbl operators.)

The Hotmail stats for this week are:

  • 4 messages accepted, at least three of which were completely legitimate.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 16 messages sent to our spamtraps.
  • 1 message refused because its sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one from Cote D'Ivoire, one from Burkina Faso).

This is at least better than last week. (The high volume of legitimate messages is from students mailing a contact address to report a problem with one of the systems we run. Why students like free webmail providers so much is another entry.)

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 495 60 264 42
Bad bounces 60 52 57 51

Evidently the bad HELO people were more persistent this week than last week; there is no single really big source, at least by my standards. (The most active is, with 90 attempts, then with 57.)

The only unusual thing in the bad bounce usernames is a few rejections to things that could be very short hex strings; 3E4B, E7D6, and E07. But that's probably just spammer randomness in action.

Written on 24 September 2006.
« A NFS mount accident on Linux
Two approaches to Unix environments »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Sep 24 02:01:32 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.