Weekly spam summary on October 7th, 2006

October 7, 2006

This week, we:

  • got 15,275 messages from 261 different IP addresses.
  • handled 21,183 sessions from 1,301 different IP addresses.
  • received 172,030 connections from at least 42,834 different IP addresses.
  • hit a highwater of 18 connections being checked at once.

Volume is up somewhat from last week, but not hugely. The per day volume level fluctuates significantly:

Day Connections different IPs
Sunday 21,990 +6,449
Monday 22,389 +5,870
Tuesday 29,916 +7,132
Wednesday 28,204 +6,269
Thursday 25,631 +5,934
Friday 23,374 +5,615
Saturday 20,526 +5,565

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes          58339   3034K          7377    375K           6280    304K         5769    346K          4989    282K            4762    242K         3663    181K         3200    176K          3154    176K           2901    174K

The overall numbers are up somewhat from last week.

  •,, and return from last week, with terra.es continuing to totally, totally own first place.
  • is a proxad.net dialup.
  • is listed in NJABL; it appears to be yet another webmail advance fee fraud spam source.
  • is a leivo.ru machine, and we've decided not to talk to them any more because they're a source of annoying backscatter.
  • is currently in the CBL.

Connection time rejection stats:

  35477 total
  17818 dynamic IP
  14475 bad or no reverse DNS
   1712 class bl-cbl
    262 class bl-dsbl
    217 class bl-sdul
    205 class bl-njabl
     80 class bl-spews
     47 class bl-ordb
     39 class bl-sbl

This week marks the first week that Cutting Edge Media has left us alone. If it keeps up, I may hold a modest celebration.

One out of the top 30 most rejected IP addresses was rejected more than 100 times:, a RoadRunner cablemodem, at 184 times (it is also in the CBL). 23 of the top 30 most rejected IP addresses are currently in the CBL and 6 are currently in bl.spamcop.net. Because I can, I'll do a table of the top SBL rejections:

14 SBL29986 RTComm.RU /15 escalation listing
8 SBL41338 Advance fee fraud spam source
7 SBL47129 Phish spam source
3 SBL30022 RTComm.RU /16 escalation listing

I'd say I'm detecting a trend here, but it's not anything new, so I'm more confirming it.

This week, Hotmail brought to us:

  • 4 messages accepted, at least two of which were spam (again coming from what is probably a tm.net.my ADSL line; I guess I'll add them to the banned sources list).
  • no messages rejected because they came from non-Hotmail email addresses.
  • 27 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one for being in SBL33810 and the other for being from the Cote d'Ivoire).

I can't say I'm very happy about the continued spam from the Hotmail plus tm.net.my combination (they did it last week too). But then I'm usually not very happy with Hotmail in general.

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 1532 118 718 66
Bad bounces 358 317 127 88

Colour me displeased with the increase. No particular source of bad HELOs stands out; there were just more of them (although the average number of bad HELOs per IP address went up).

On the bad bounces, last week's pattern pretty much repeats, mixed in with the random alphanumeric usernames from earlier weeks. This time I looked at the sources of the bounces; it seems that most of the Russian female name bounces are coming from the Eastern Europe area. There was one bounce to 3E4B.

Written on 07 October 2006.
« A Python quoting irritation
A reason to read blogs in reverse chronological order »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Oct 7 23:33:09 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.