Weekly spam summary on December 30th, 2006
The SMTP frontend died twice late Friday night, to my irritation. That said, this week we:
- got 9,806 messages from 186 different IP addresses.
- handled 15,551 sessions from 916 different IP addresses.
- received something over 204,995 connections from at least 58,611 different IP addresses.
- hit a highwater of at least 6 connections being checked at once.
The message count is down dramatically from last week because this week is a vacation week for the university. The connection volume is not down at all because spammers don't really take vacations.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 188.8.131.52 10174 529K 184.108.40.206 7322 337K 220.127.116.11 6772 406K 18.104.22.168/24 5738 344K 22.214.171.124 4222 203K 126.96.36.199 3418 164K 188.8.131.52 2679 135K 184.108.40.206 2279 119K 220.127.116.11 2247 123K 18.104.22.168 2205 115K
This is somewhat quieter than last week, and centrum.cz's /24 continues to drop in the league tables.
- 22.214.171.124, 126.96.36.199, and 188.8.131.52 return from last week.
- 184.108.40.206 and 220.127.116.11 kept trying to send us stuff that had already tripped our spamtraps.
- 18.104.22.168 and 22.214.171.124 had bad DNS.
- 126.96.36.199 and 188.8.131.52 kept trying bad
(The symmetry here is amusing but random.)
Connection time rejection stats:
64823 total 36173 dynamic IP 22508 bad or no reverse DNS 4600 class bl-cbl 349 class bl-dsbl 279 class bl-sdul 202 'fairgamemail.us' 83 class bl-njabl 48 class bl-sbl 38 class bl-spews 36 cuttingedgemedia.com
Good old Cutting Edge Media. Too cutting edge to catch a clue, evidently. (Although it's more likely that they're merely uninterested in purging bouncing addresses from their mailing lists, because that would reduce their nominal value.)
What I have marked down in our records as 'fairgamemail.us' is 184.108.40.206 to 220.127.116.11, which is all part of SBL27197 (a /21 for '247 Surf Net' or cpchosting, listed since October 29th) and which, judging from the DNS names, may belong to something with the inviting name of 'optindirectmail'. (They've hit us in previous weeks; I don't always bother sorting through the explicitly blocked people to boil out a nice report.)
Only two out of the top 30 most rejected IP addresses were rejected
100 times or more this week; 18.104.22.168 (139 times) and
22.214.171.124 (121 times). 17 of the top 30 most rejected IP addresses
are currently in the CBL, 5 are currently in
bl.spamcop.net, and one
of them is in the SBL; 126.96.36.199, which is part of SBL41018 and SBL49194 (the former is a
/24 for a spammer, the latter is a /20 for pacnet.com.mx spammer hosting
as an escalation listing, both dating from December 24th).
Pretty much as usual, 188.8.131.52 was not actually rejected for being on the SBL but for other stuff that we check first, in this case missing reverse DNS. Possibly I ought to promote the SBL and so on to somewhat earlier in the checking. The top actual SBL rejections were:
|11||SBL38413||a /20 for ServerFlo, Inc (23 Nov 2006, although all our hits were in a /24 that is SBL37655, which was listed 12 Oct 2006)|
|10||SBL49248||Vietnamese webmail that is an advance fee fraud spam source (18 Dec 2006)|
|5||SBL49074||hijacked server sending spam (13 Dec 2006)|
(Plus something that has since been removed from the SBL, so I'm not going to mention it.) |
This week, Hotmail managed:
- 3 messages accepted, which I really suspect were all spam.
- no messages rejected because they came from non-Hotmail email addresses.
- 12 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 1 message refused due to its origin IP address being in the CBL.
Okay, maybe Hotmail's advance fee fraud spammers take small vacations.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
There are no particularly outstanding sources of bad
week, nor any particularly clear locus of bad bounces the way there
was last week. Random alphabetical usernames made up most of the bounce
targets, with the leader being 'ijiefuurmcl' (five bounce attempts).