Weekly spam summary on December 16th, 2006

December 17, 2006

This week, we:

  • got 16,689 messages from 271 different IP addresses.
  • handled 21,893 sessions from 1,229 different IP addresses.
  • received 207,766 connections from at least 62,254 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

This is about the same volume as last week, although the number of different IP addresses connecting to us is unusually large.

Day          Connections   different IPs
Sunday            36,194         +11,759
Monday            31,707          +9,762
Tuesday           39,486         +11,117
Wednesday         30,112          +9,187
Thursday          25,760          +7,261
Friday            26,366          +6,996
Saturday          18,141          +6,172

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                      29607   1776K
                      16473    988K
                       8042    418K
                       6112    311K
                       5894    283K
                       4744    285K
                       4657    279K
                       3907    234K
                       2696    129K
                       2566    123K
  • is totallyfreeld.net, aka SBL48200, still not terminated by their upstream and still active, returning from two weeks ago.
  • is the centrum.cz mail servers, returning from last week and still justifying their permanent block.
  • and return from last week.
  • is a bigpond.net.au cablemodem, and returns from October.
  • and tried to send a lot of bad HELOs.
  • and tried to keep sending us stuff from origin addresses that had already tripped our spamtraps.
  • is in the CBL.

Overall, this week is quieter than last week.

Connection time rejection stats:

  48974 total
  30101 dynamic IP
  13820 bad or no reverse DNS
   3483 class bl-cbl
    271 class bl-sdul
    195 class bl-dsbl
    147 class bl-njabl
     82 class bl-spews
     74 cuttingedgemedia.com
     30 class bl-sbl
     23 class bl-ordb

There was only one IP address out of the top 30 most rejected IP addresses that was rejected 100 times or more, but that was our old friend (631 times). Twelve of the top 30 are currently in the CBL, eight are currently in bl.spamcop.net, and one is in the SBL:, apparently an ADSL line in Dakar, is in SBL21134 and SBL43951. You win no prizes for guessing that both listings are for being an advance fee fraud spam source.

(Ironically it accounted for none of the SBL hits this week, because it was blocked for having no reverse DNS, and that's checked before the SBL. The lead SBL hit source is at 13 times, in SBL45324 as part of a ROKSO listing for 'Brian Kramer' aka 'Expedite Media Group'.)
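The ordering point made above (a connection is counted under the first check that rejects it, so a host with no reverse DNS never reaches the SBL lookup and contributes nothing to the SBL count) is easy to see in code. This is an added Python example, not code from the original post or from the author's mail setup: the reverse-DNS table, the DNSBL listings, the IP addresses (from the 192.0.2.0/24 documentation range) and the dynamic-hostname pattern are constructed stand-ins for real DNS and DNSBL queries, and the relative order of the dynamic-IP and reverse-DNS checks is an assumption; only "reverse DNS is checked before the SBL" comes from the post.

```python
"""Connection-time rejection chain with first-match accounting.

Added example, not the original post's code. Real filters do live DNS
and DNSBL lookups; here they are replaced by small inline tables so the
example runs offline. All addresses and hostnames are constructed.
"""
import re
from collections import Counter

# Constructed reverse-DNS results; None means the lookup failed (assumption).
RDNS = {
    "192.0.2.10": "mail.example.net",     # clean mail host
    "192.0.2.11": None,                   # no reverse DNS
    "192.0.2.12": "dyn-12.isp.example",   # dynamic-looking reverse DNS
    "192.0.2.13": None,                   # no reverse DNS *and* SBL-listed
    "192.0.2.14": "host14.example.org",   # CBL-listed
}

# Constructed DNSBL listings, keyed by the class names used in the stats.
DNSBLS = {
    "bl-cbl": {"192.0.2.14"},
    "bl-sbl": {"192.0.2.13"},
}

# Hostname fragments treated as "dynamic IP" (constructed heuristic).
DYNAMIC_RDNS = re.compile(r"\b(dyn|dhcp|ppp|cable|dsl|pool)[-.]", re.I)

# DNSBL classes in the order they are consulted (assumed order).
DNSBL_ORDER = ("bl-cbl", "bl-sdul", "bl-dsbl", "bl-njabl",
               "bl-spews", "bl-sbl", "bl-ordb")


def classify(ip):
    """Return the first rejection reason for ip, or None to accept.

    Because reverse DNS is checked before any DNSBL, an IP that is both
    unresolvable and SBL-listed is counted only under 'bad or no reverse DNS'.
    """
    name = RDNS.get(ip)
    if name is None:
        return "bad or no reverse DNS"
    if DYNAMIC_RDNS.search(name):
        return "dynamic IP"
    for cls in DNSBL_ORDER:
        if ip in DNSBLS.get(cls, set()):
            return "class " + cls
    return None


def tally(connections):
    """Count rejections per reason plus a 'total', like the post's stats block."""
    stats = Counter()
    for ip in connections:
        reason = classify(ip)
        if reason is not None:
            stats["total"] += 1
            stats[reason] += 1
    return stats


def format_stats(stats):
    """Render the Counter as right-aligned 'count reason' lines, total first."""
    width = len(str(stats["total"]))
    rows = [("total", stats["total"])]
    rows += sorted(((k, v) for k, v in stats.items() if k != "total"),
                   key=lambda kv: (-kv[1], kv[0]))
    return "\n".join("%*d %s" % (width, n, reason) for reason, n in rows)


if __name__ == "__main__":
    print(format_stats(tally(list(RDNS))))
```

Note that 192.0.2.13 is listed in the SBL but appears only under the reverse-DNS count; that is exactly why a host blocked for missing rDNS shows up as zero SBL hits in the stats.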

This week, Hotmail had:

  • 3 messages accepted; I suspect that at least two of them were spam.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 25 messages sent to our spamtraps.
  • 4 messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address being in the CBL.

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      1017 (109)                   785 (146)
Bad bounces    80 (64)                      109 (95)

This week there are no bad bounces to 'first_lastname' login names. They've been entirely supplanted by a random parade of alphabetical jumbles, the most popular of which was 'sxdijkhocqn' (5 times), leavened with a few things that are somewhat more plausible usernames, and a couple of old login names that no longer exist.

Written on 17 December 2006.

Last modified: Sun Dec 17 04:01:35 2006