Weekly spam summary on November 4th, 2006
This week, we:
- got 15,265 messages from 278 different IP addresses.
- handled 21,071 sessions from 1,538 different IP addresses.
- received 215,602 connections from at least 52,130 different IP addresses.
- hit a highwater of 12 connections being checked at once.
These statistics superficially look a lot like last week's, although up somewhat. What they hide is a significant spam storm that has actually been getting through our low-rent graylisting, as the per-day table more or less shows.
Today especially our logs have been lighting up with this stuff. The giveaway sign is dynamic machines HELOing with their actual (dynamic) name, not a forged HELO greeting, and then trying to send mail to various random places. So far most of them have been European IPs, with some Asian and American ones to make life more exciting.
Kernel level packet filtering top ten:
|Host/Mask|Packets|Bytes|
|22.214.171.124|26060|1355K|
|126.96.36.199|7864|472K|
|188.8.131.52|5190|311K|
|184.108.40.206|5015|301K|
|220.127.116.11|5014|231K|
|18.104.22.168|4794|244K|
|22.214.171.124|3942|237K|
|126.96.36.199/10|3930|199K|
|188.8.131.52/24|3917|194K|
|184.108.40.206|3890|233K|
This is a bunch better than last week, with everyone except our usual prize winner coming in significantly lower. Also, almost all of the IPs are new ones.
- 220.127.116.11 and 18.104.22.168 reappear from last week.
- 22.214.171.124 is in SPEWS.
- 126.96.36.199 is a host4u.net machine, and we're not interested in talking to them.
- 188.8.131.52 kept trying to send us stuff that had tripped our spamtraps.
- 184.108.40.206 had a bad
- 220.127.116.11 is a bigpond.net.au cablemodem. Uh, no thanks.
- 18.104.22.168 is a centrum.cz mail machine (last spotted in February), although a neighboring machine made the list last week.
This is an interestingly broad assortment of reasons for getting blocked, much less monochromatic than usual.
Connection time rejection stats:
|Rejections|Reason|
|56316|total|
|29798|dynamic IP|
|21151|bad or no reverse DNS|
|3133|class bl-cbl|
|1055|class bl-sdul|
|261|class bl-dsbl|
|115|class bl-njabl|
|99|class bl-spews|
|48|class bl-ordb|
|37|cuttingedgemedia.com|
|27|class bl-sbl|
And here we see the explosion: this is way up from last week, with major growth in several areas typical of exploited zombie machines.
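To make the connection-time checks above concrete, here is a small added example (my own illustration, not code from this site or its mail system) that classifies connecting hosts into the same rejection categories as the table and also flags the HELO giveaway described earlier: a dynamic host greeting with its own real dynamic name. The hostname patterns, the rejection ordering, and the sample connections, forward-DNS answers and DNSBL listings are all constructed here and stand in for real DNS lookups; the IPs are from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hostname shapes typical of dynamic/residential address pools (assumed
# heuristic; a real setup would use a maintained list such as the SDUL).
DYNAMIC_RE = re.compile(
    r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp|dsl|adsl|cable|dial)([.-]|\d)|"
    r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}",
    re.IGNORECASE,
)

# Checked in this order; the first hit is the reason counted, mirroring a
# connection-time check that stops at the first rejection.
DNSBL_ORDER = ["bl-cbl", "bl-sdul", "bl-dsbl", "bl-njabl",
               "bl-spews", "bl-ordb", "bl-sbl"]


@dataclass
class Connection:
    ip: str
    rdns: Optional[str]   # PTR result, None when there is no reverse DNS
    helo: str


def looks_dynamic(name: str) -> bool:
    return bool(DYNAMIC_RE.search(name))


def rdns_is_bad(conn: Connection, forward: dict) -> bool:
    """Bad or missing reverse DNS: no PTR, or the PTR name does not
    resolve back to the connecting IP (no forward confirmation)."""
    if conn.rdns is None:
        return True
    return conn.ip not in forward.get(conn.rdns, ())


def classify(conn: Connection, forward: dict, dnsbl: dict) -> Optional[str]:
    """Return the rejection reason for a connection, or None to accept."""
    if conn.rdns is not None and looks_dynamic(conn.rdns):
        return "dynamic IP"
    if rdns_is_bad(conn, forward):
        return "bad or no reverse DNS"
    listed = dnsbl.get(conn.ip, set())
    for bl in DNSBL_ORDER:
        if bl in listed:
            return "class " + bl
    return None


def helo_giveaway(conn: Connection) -> bool:
    """A dynamic host that HELOs with its own real (dynamic) name rather
    than a forged greeting, the sign noted in the text."""
    return (conn.rdns is not None and looks_dynamic(conn.rdns)
            and conn.helo.lower() == conn.rdns.lower())


def summarize(conns, forward: dict, dnsbl: dict) -> Counter:
    """Per-reason rejection counts in the shape of the weekly table."""
    counts = Counter()
    for c in conns:
        reason = classify(c, forward, dnsbl)
        if reason:
            counts[reason] += 1
    counts["total"] = sum(counts.values())
    return counts


def giveaway_ips(conns):
    return [c.ip for c in conns if helo_giveaway(c)]


# Constructed sample data (not real traffic).
SAMPLE = [
    Connection("192.0.2.10", "192-0-2-10.dyn.example-isp.net",
               "192-0-2-10.dyn.example-isp.net"),        # dynamic, honest HELO
    Connection("192.0.2.11", "pool-192-0-2-11.cable.example.net",
               "mail.yahoo.com"),                         # dynamic, forged HELO
    Connection("198.51.100.5", None, "smtp.example.org"),  # no reverse DNS
    Connection("198.51.100.6", "mx.example.org", "mx.example.org"),  # PTR not confirmed
    Connection("203.0.113.7", "mail.example.com", "mail.example.com"),  # CBL-listed
    Connection("203.0.113.8", "relay.example.com", "relay.example.com"),  # clean
]
FORWARD = {   # simulated A-record answers for the PTR names above
    "192-0-2-10.dyn.example-isp.net": {"192.0.2.10"},
    "pool-192-0-2-11.cable.example.net": {"192.0.2.11"},
    "mx.example.org": {"198.51.100.60"},   # mismatch on purpose
    "mail.example.com": {"203.0.113.7"},
    "relay.example.com": {"203.0.113.8"},
}
DNSBL = {"203.0.113.7": {"bl-cbl", "bl-sbl"}}   # simulated DNSBL listings

if __name__ == "__main__":
    for reason, n in summarize(SAMPLE, FORWARD, DNSBL).most_common():
        print(f"{n:>6} {reason}")
    print("HELO giveaway from:", giveaway_ips(SAMPLE))
```

Note that the ordering matters for the counts: a host that is both dynamic and CBL-listed shows up only under "dynamic IP", which is why the DNSBL rows in a table like the one above are smaller than the raw listing rates would suggest.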
Four of the top 30 most rejected IP addresses were rejected 100 times or more: 22.214.171.124 (376 times, all of them today), 126.96.36.199 (181 times), 188.8.131.52 (102 times), and 184.108.40.206 (100 times). Annoyingly, one of them is a Canadian (even a Toronto) IP address.
Nineteen of the top 30 most rejected IP addresses are currently in the CBL, and 10 are currently in
This week's Hotmail grumps:
- 8 messages accepted; one that was good, 6 that were definitely spam, and one I'm not sure about.
- 1 message rejected because it came from a non-Hotmail email address.
- 38 messages sent to our spamtraps.
- 1 message refused because its sender addresses had already hit our spamtraps.
- 6 messages refused due to their origin IP address (3 for being in the CBL, one from SAIX, one from Burkina Faso, and one from the Cote d'Ivoire).
And the final numbers:
|what|# this week|(distinct IPs)|# last week|(distinct IPs)|
Things are better than last week, but not hugely. The most popular bad bounce target this week was 'wilhelmi' (21 hits), but in general the pattern continued from last week, and almost everything was hit only once. There seems to be a drift towards single-word usernames, away from the combination Slavic female names.