Weekly spam summary on November 25th, 2006

November 26, 2006

This week, we:

  • got 13,435 messages from 269 different IP addresses.
  • handled 21,900 sessions from 1,620 different IP addresses.
  • received 197,361 connections from at least 50,069 different IP addresses.
  • hit a high-water mark of 8 connections being checked at once.

This is down from last week, although the connection numbers are still up a bit compared to two weeks ago.

Day          Connections   different IPs
Sunday            28,053          +6,271
Monday            35,445          +9,698
Tuesday           34,715          +8,208
Wednesday         28,591          +6,410
Thursday          25,680          +6,815
Friday            25,068          +6,826
Saturday          19,809          +5,841

This shows no signs of any lingering surge from last week's huge wave; the fluctuations are pretty typical.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.29.7.0/24         21761   1306K
207.235.5.169         13648    819K
213.4.149.12           9110    474K
208.99.198.92          7501    450K
208.99.198.71          6627    398K
208.99.198.93          6601    396K
64.65.197.93           6484    303K
208.99.198.94          6235    374K
64.166.14.222          5667    272K
208.99.198.66          5393    324K

This is a rather different week:

  • 213.29.7.0/24 is where centrum.cz's outgoing mail servers live. We've received too much advance fee fraud spam from them to be interested in talking to them, and I've moved up to blocking their /24 rather than play whack-a-mole with individual active IPs there.
  • 207.235.5.169 is 'potter.aper.net' and kept trying to send us stuff with an origin address that had already tripped our spamtraps.
  • 213.4.149.12 is terra.es, returning from last week and many, many times before.
  • all of 208.99.198.64/27 is that rarity, an active SBL listed spammer; they are SBL48200, aka 'totallyfreeld.net', aka 'The Client Store'. They get upstream connectivity and their IP address space from 'Swift Ventures Inc', aka swiftco.net, which currently has a number of SBL listings, one for a ROKSO spammer dating back to June 3rd.
  • 64.65.197.93 kept trying with a bad HELO name.
  • 64.166.14.222 also reappears from last week; it is a PacBell DSL line.

If all of SBL48200 was counted together, it would be the leader at 58061 packets or so. (We blocked them one by one this week, so that's how they get counted up here.)

This is clearly up from last week, with multiple highly active would-be senders, some of them repeats (especially the terra.es machine, which just keeps trying like a certain commercialized rabbit).

Connection time rejection stats:

  42352 total
  24394 dynamic IP
  13850 bad or no reverse DNS
   2504 class bl-cbl
    332 class bl-dsbl
    228 class bl-sdul
    156 class bl-sbl
     99 class bl-njabl
     62 class bl-spews
     37 class bl-ordb
     22 cuttingedgemedia.com

Evidently we caught SBL48200 early enough that they didn't make a big dent in the SBL numbers.

Four of the top 30 most rejected IP addresses were rejected 100 times or more; the leader is our friend 64.166.14.222 (at 452 times, which right away means that it has some problems), followed by an internal IP address, 211.52.83.131 (177 times) and 70.68.66.159 (110 times). 19 of the top 30 are currently in the CBL, and 3 are currently in bl.spamcop.net.

This week's Hotmail numbers:

  • 4 messages accepted; at least two of them were spam.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 31 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (two from Nigeria, one for being in the SBL (and also located in Nigeria, apparently)).

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs          2148 (161)                   2008 (175)
Bad bounces         412 (319)                    470 (374)

Despite the change in accounting from last week, the bad bounce stats haven't particularly jumped; I guess that most places already weren't trying to send us multiple bad bounces in one SMTP transaction.

This week's champion bad bounce target was 'kiseleeva_margarita', at 24 tries. My friend 3E4B made a return, and first_last stuff seems to be up from last week. The top two sources of bad bounces are it.valmi.com.ua (217.25.199.249) and verify-sender.lucky.net (193.193.193.135), along with a pile of similarly located servers, so it seems that we're a popular forgery target with spammers targeting Eastern Europe.

Written on 26 November 2006.
Last modified: Sun Nov 26 01:08:06 2006