Weekly spam summary on November 25th, 2006
This week, we:
- got 13,435 messages from 269 different IP addresses.
- handled 21,900 sessions from 1,620 different IP addresses.
- received 197,361 connections from at least 50,069 different IP addresses.
- hit a highwater of 8 connections being checked at once.
This shows no signs of any lingering surge from last week's huge wave; the fluctuations are pretty typical.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| 184.108.40.206/24 | 21761 | 1306K |
| 220.127.116.11 | 13648 | 819K |
| 18.104.22.168 | 9110 | 474K |
| 22.214.171.124 | 7501 | 450K |
| 126.96.36.199 | 6627 | 398K |
| 188.8.131.52 | 6601 | 396K |
| 184.108.40.206 | 6484 | 303K |
| 220.127.116.11 | 6235 | 374K |
| 18.104.22.168 | 5667 | 272K |
| 22.214.171.124 | 5393 | 324K |
This is a rather different week:
- 126.96.36.199/24 is where centrum.cz's outgoing mail servers live. We've received too much advance fee fraud spam from them to be interested in talking to them, and I've moved up to blocking their /24 rather than play whack-a-mole with individual active IPs there.
- 188.8.131.52 is 'potter.aper.net' and kept trying to send us stuff with an origin address that had already tripped our spamtraps.
- 184.108.40.206 is terra.es, returning from last week and many, many times before.
- all of 220.127.116.11/27 is that rarity, an active SBL listed spammer; they are SBL48200, aka 'totallyfreeld.net', aka 'The Client Store'. They get upstream connectivity and their IP address space from 'Swift Ventures Inc', aka swiftco.net, which currently has a number of SBL listings, one for a ROKSO spammer dating back to June 3rd.
- 18.104.22.168 kept trying with a bad
- 22.214.171.124 also reappears from last week; it is a PacBell DSL line.
If all of SBL48200 was counted together, it would be the leader at 58061 packets or so. (We blocked them one by one this week, so that's how they get counted up here.)
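The "counted together" arithmetic above can be done mechanically by re-binning the per-host packet-filter counters at a chosen prefix length. The following is an added example, not code from the original post; its rows are constructed in RFC 5737 documentation address space rather than taken from the table above, and model the same situation: several hosts of one /27 blocked one by one, plus one whole /24 block.

```python
import ipaddress
from collections import defaultdict

# Constructed rows in the shape of the "top ten" table: (host or mask, packets).
# 192.0.2.5/.9/.17/.30 are four hosts of one /27 blocked individually;
# 203.0.113.0/24 is a block applied to a whole /24 at once.
SAMPLE_ROWS = [
    ("203.0.113.0/24", 21761),
    ("192.0.2.5", 13648),
    ("192.0.2.9", 9110),
    ("198.51.100.7", 7501),
    ("192.0.2.17", 6627),
    ("192.0.2.30", 6601),
    ("198.51.100.200", 5393),
]


def aggregate_by_prefix(rows, prefixlen):
    """Sum packet counts per network of the given prefix length.

    Returns a list of (network, packets) sorted by packets, descending.
    A row that is already a wider block than prefixlen (a /24 row when
    aggregating at /27) is kept as its own entry rather than split.
    """
    totals = defaultdict(int)
    for host, packets in rows:
        net = ipaddress.ip_network(host, strict=False)
        if net.prefixlen > prefixlen:
            # Re-bin the host (or smaller block) into its enclosing prefix.
            net = ipaddress.ip_network(
                f"{net.network_address}/{prefixlen}", strict=False)
        totals[net] += packets
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def leader(rows, prefixlen):
    """Return (network as a string, packets) for the top aggregate."""
    net, packets = aggregate_by_prefix(rows, prefixlen)[0]
    return str(net), packets


if __name__ == "__main__":
    for plen in (32, 27, 24):
        print(f"leader at /{plen}:", leader(SAMPLE_ROWS, plen))
```

At /32 (no aggregation) the whole-/24 row leads; at /27 the four individually blocked hosts of 192.0.2.0/27 are counted together and overtake it.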
This is clearly up from last week, with multiple highly active would-be senders, some of them repeats (especially the terra.es machine, which just keeps trying like a certain commercialized rabbit).
Connection time rejection stats:
| 42352 | total |
| 24394 | dynamic IP |
| 13850 | bad or no reverse DNS |
| 2504 | class bl-cbl |
| 332 | class bl-dsbl |
| 228 | class bl-sdul |
| 156 | class bl-sbl |
| 99 | class bl-njabl |
| 62 | class bl-spews |
| 37 | class bl-ordb |
| 22 | cuttingedgemedia.com |
Evidently we caught SBL48200 early enough that they didn't make a big dent in the SBL numbers.
Four of the top 30 most rejected IP addresses were rejected 100 times or more; the leader is our friend 126.96.36.199 (at 452 times, which right away means that it has some problems), followed by an internal IP address, 188.8.131.52 (177 times) and 184.108.40.206 (110 times).
19 of the top 30 are currently in the CBL, and 3 are currently in
This week's Hotmail numbers:
- 4 messages accepted; at least two of them were spam.
- no messages rejected because they came from non-Hotmail email addresses.
- 31 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (two from Nigeria, one for being in the SBL (and also located in Nigeria, apparently)).
And the final numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Despite the change in accounting from last week, the bad bounce stats haven't particularly jumped; I guess that most places already weren't trying to send us multiple bad bounces in one SMTP transaction.
This week's champion bad bounce target was 'kiseleeva_margarita', at 24 tries. My friend 3E4B made a return, and first_last stuff seems to be up from last week. The top two sources of bad bounces are it.valmi.com.ua (220.127.116.11) and verify-sender.lucky.net (18.104.22.168), along with a pile of similarly located servers, so it seems that we're a popular forgery target with spammers targeting