Weekly spam summary on October 28th, 2006
This week, we:
- got 14,982 messages from 288 different IP addresses.
- handled 21,920 sessions from 1,294 different IP addresses.
- received 193,231 connections from at least 46,305 different IP addresses.
- hit a highwater of 11 connections being checked at once.
(It's a peculiar feeling to be reminded that I've been doing these weekly spam summaries for well over a year now.)
The per day table is relatively straightforward, although there is a dip on Wednesday. As usual, I have no explanation for any of this.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 126.96.36.199 25115 1306K 188.8.131.52 24818 1224K 184.108.40.206 22088 1325K 220.127.116.11 11936 716K 18.104.22.168 7878 369K 22.214.171.124 6171 370K 126.96.36.199 5313 262K 188.8.131.52 5070 243K 184.108.40.206/10 4683 249K 220.127.116.11 4194 252K
On the kernel blocks front, things are significantly more active than they were last week, although our leader keeps slowly declining.
- 18.104.22.168, 22.214.171.124, and 126.96.36.199 all return from last week, and for the same reasons (although looking back, I got a bit of my identification of 188.8.131.52 wrong; 212/8 is a RIPE netblock, not an APNIC one).
- 184.108.40.206 is affiliatecrew.com, which kept trying to hammer on us with mail that had already hit our spamtraps. Given their domain name, I am pretty sure that I don't want to talk to them anyways.
- 220.127.116.11 is an Italian IP address with no reverse DNS.
- 18.104.22.168 was blocked for blasting our postmaster alias with backscatter from viruses.
- 22.214.171.124 is a centrum.cz mail machine; we've gotten too much advance fee fraud spam from them to accept any more.
- 126.96.36.199 tried to keep sending us stuff that had already hit our spamtraps.
- 188.8.131.52 is a wanadoo.co.uk mail machine (and we've seen it before, most recently at the start of October); at the time that we blocked it, it was in SPEWS (and we're not interested in talking to Wanadoo properties anyways).
It's also rare for the top-10 kernel blocks to be so dominated by single IP addresses; even last week had three netblocks. This week we're down to just a Chinese /10, and it's only in ninth place.
Connection time rejection stats:
34922 total 17172 dynamic IP 14149 bad or no reverse DNS 2316 class bl-cbl 298 class bl-dsbl 256 class bl-sdul 211 class bl-njabl 56 class bl-spews 44 class bl-ordb 41 class bl-sbl 19 cuttingedgemedia.com
Three out of the top 30 most rejected IP addresses were rejected
100 times or more; 184.108.40.206 (188 times), 220.127.116.11 (167
times), and 18.104.22.168 (105 times), all of which are APNIC addresses
refused for having bad or missing reverse DNS. 19 of the 30 most
rejected IP addresses are currently in the CBL and 9 are currently in
This week's Hotmail numbers:
- 1 message accepted; it was legitimate email.
- 1 message rejected because it came from a non-Hotmail email address (it was a msn.com address).
- 26 messages sent to our spamtraps.
- 1 message refused because its sender addresses had already hit our spamtraps.
- 1 message refused due to its origin IP address being a SAIX one.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
With the numbers that big, I was expecting to find a single point
source of bad
HELOs; unfortunately there isn't one. The leader is
22.214.171.124 (213 times), but then there is 126.96.36.199 (96 times),
188.8.131.52 (78 times), 184.108.40.206 (72 times), and so on.
The most eye-opening bad bounce source was securityfocus.com, at
22 attempts to check a '
IEFPLMD'. I suspect that this is sender
verification instead of actual bounces. However, this was not the most
popular bounce destination; that goes to '
milw' (22 times). To my
3E4B reappeared (although there is still no sign of the
38 character hex strings). Otherwise, the bounces went to the usual
suspects, primarily Slavic female names.