Weekly spam summary on October 28th, 2006

October 28, 2006

This week, we:

  • got 14,982 messages from 288 different IP addresses.
  • handled 21,920 sessions from 1,294 different IP addresses.
  • received 193,231 connections from at least 46,305 different IP addresses.
  • hit a highwater of 11 connections being checked at once.

This is pretty much the same as last week. On a global scale it is up from what I consider an acceptably quiet level, but looking back a year it seems to be about the same as this time last year.

(It's a peculiar feeling to be reminded that I've been doing these weekly spam summaries for well over a year now.)

Day         Connections   Different IPs
Sunday           28,770          +7,102
Monday           28,790          +7,501
Tuesday          28,965          +7,305
Wednesday        26,112          +6,170
Thursday         30,102          +7,019
Friday           29,286          +6,201
Saturday         21,206          +5,007

The per day table is relatively straightforward, although there is a dip on Wednesday. As usual, I have no explanation for any of this.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          25115   1306K
128.121.122.36        24818   1224K
217.64.193.21         22088   1325K
65.164.104.5          11936    716K
72.244.103.210         7878    369K
213.29.7.133           6171    370K
195.128.174.109        5313    262K
212.184.12.130         5070    243K
61.128.0.0/10          4683    249K
193.252.22.158         4194    252K

On the kernel blocks front, things are significantly more active than they were last week, although our leader keeps slowly declining.

  • 213.4.149.12, 72.244.103.210, and 212.184.12.130 all return from last week, and for the same reasons (although looking back, I got a bit of my identification of 212.184.12.130 wrong; 212/8 is a RIPE netblock, not an APNIC one).
  • 128.121.122.36 is affiliatecrew.com, which kept trying to hammer on us with mail that had already hit our spamtraps. Given their domain name, I am pretty sure that I don't want to talk to them anyways.
  • 217.64.193.21 is an Italian IP address with no reverse DNS.
  • 65.164.104.5 was blocked for blasting our postmaster alias with backscatter from viruses.
  • 213.29.7.133 is a centrum.cz mail machine; we've gotten too much advance fee fraud spam from them to accept any more.
  • 195.128.174.109 tried to keep sending us stuff that had already hit our spamtraps.
  • 193.252.22.158 is a wanadoo.co.uk mail machine (and we've seen it before, most recently at the start of October); at the time that we blocked it, it was in SPEWS (and we're not interested in talking to Wanadoo properties anyways).

It's also rare for the top-10 kernel blocks to be so dominated by single IP addresses; even last week had three netblocks. This week we're down to just a Chinese /10, and it's only in ninth place.

Connection time rejection stats:

  34922 total
  17172 dynamic IP
  14149 bad or no reverse DNS
   2316 class bl-cbl
    298 class bl-dsbl
    256 class bl-sdul
    211 class bl-njabl
     56 class bl-spews
     44 class bl-ordb
     41 class bl-sbl
     19 cuttingedgemedia.com

Three out of the top 30 most rejected IP addresses were rejected 100 times or more: 203.177.186.10 (188 times), 61.53.153.69 (167 times), and 61.53.153.71 (105 times), all of which are APNIC addresses refused for having bad or missing reverse DNS. 19 of the 30 most rejected IP addresses are currently in the CBL and 9 are currently in bl.spamcop.net.

This week's Hotmail numbers:

  • 1 message accepted; it was legitimate email.
  • 1 message rejected because it came from a non-Hotmail email address (it was a msn.com address).
  • 26 messages sent to our spamtraps.
  • 1 message refused because its sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being a SAIX one.

And the final numbers:

What          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs     2076 (103)                   335 (52)
Bad bounces   377 (276)                    255 (169)

With the numbers that big, I was expecting to find a single point source of bad HELOs; unfortunately there isn't one. The leader is 208.223.173.169 (213 times), but then there is 70.234.28.17 (96 times), 216.27.82.198 (78 times), 68.15.237.4 (72 times), and so on.

The most eye-opening bad bounce source was securityfocus.com, at 22 attempts to check an 'IEFPLMD'. I suspect that this is sender verification rather than actual bounces. However, this was not the most popular bounce destination; that goes to 'milw' (22 times). To my pleasure, 3E4B reappeared (although there is still no sign of the 38 character hex strings). Otherwise, the bounces went to the usual suspects, primarily Slavic female names.

Written on 28 October 2006.
Last modified: Sat Oct 28 23:48:31 2006