Weekly spam summary on December 30th, 2006

December 30, 2006

The SMTP frontend died twice late Friday night, to my irritation. That said, this week we:

  • got 9,806 messages from 186 different IP addresses.
  • handled 15,551 sessions from 916 different IP addresses.
  • received something over 204,995 connections from at least 58,611 different IP addresses.
  • hit a highwater of at least 6 connections being checked at once.

The message count is down dramatically from last week because this week is a vacation week for the university. The connection volume is not down at all because spammers don't really take vacations.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          10174    529K
71.16.74.210           7322    337K
193.252.22.158         6772    406K
213.29.7.0/24          5738    344K
210.92.140.22          4222    203K
217.12.180.25          3418    164K
196.25.78.162          2679    135K
213.4.149.66           2279    119K
212.43.241.13          2247    123K
203.97.33.64           2205    115K

This is somewhat quieter than last week, and centrum.cz's /24 continues to drop in the league tables.

  • 213.4.149.12, 193.252.22.158, and 212.43.241.13 return from last week.
  • 71.16.74.210 and 203.97.33.64 kept trying to send us stuff that had already tripped our spamtraps.
  • 210.92.140.22 and 196.25.78.162 had bad DNS.
  • 217.12.180.25 and 213.4.149.66 kept trying bad HELOs.

(The symmetry here is amusing but random.)

Connection time rejection stats:

  64823 total
  36173 dynamic IP
  22508 bad or no reverse DNS
   4600 class bl-cbl
    349 class bl-dsbl
    279 class bl-sdul
    202 'fairgamemail.us'
     83 class bl-njabl
     48 class bl-sbl
     38 class bl-spews
     36 cuttingedgemedia.com

Good old Cutting Edge Media. Too cutting edge to catch a clue, evidently. (Although it's more likely that they're merely uninterested in purging bouncing addresses from their mailing lists, because that would reduce their nominal value.)

What I have marked down in our records as 'fairgamemail.us' is 204.14.1.66 to 204.14.1.126, which is all part of SBL27197 (a /21 for '247 Surf Net' or cpchosting, listed since October 29th) and which, judging from the DNS names, may belong to something with the inviting name of 'optindirectmail'. (They've hit us in previous weeks; I don't always bother sorting through the explicitly blocked people to boil out a nice report.)

Only two out of the top 30 most rejected IP addresses were rejected 100 times or more this week; 124.240.124.166 (139 times) and 196.25.78.162 (121 times). 17 of the top 30 most rejected IP addresses are currently in the CBL, 5 are currently in bl.spamcop.net, and one of them is in the SBL; 209.205.236.225, which is part of SBL41018 and SBL49194 (the former is a /24 for a spammer, the latter is a /20 for pacnet.com.mx spammer hosting as an escalation listing, both dating from December 24th).

Pretty much as usual, 209.205.236.225 was not actually rejected for being on the SBL but for other stuff that we check first, in this case missing reverse DNS. Possibly I ought to promote the SBL and so on to somewhat earlier in the checking. The top actual SBL rejections were:

11 SBL38413 a /20 for ServerFlo, Inc (23 Nov 2006, although all our hits were in a /24 that is SBL37655, which was listed 12 Oct 2006)
10 SBL49248 Vietnamese webmail that is an advance fee fraud spam source (18 Dec 2006)
5 SBL49074 hijacked server sending spam (13 Dec 2006)

(Plus something that has since been removed from the SBL, so I'm not going to mention it.)
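To make the check-order point concrete, here is an added example (my own code, not anything from the post or from the university's mail setup) of a first-match rejection pipeline run over constructed reverse DNS and DNSBL tables; the IP addresses, host names, the check names and the `promote` helper are all assumptions. It shows how promoting the SBL check re-attributes an SBL-listed host that also lacks reverse DNS, which otherwise lands under 'bad or no reverse DNS' exactly as described above.

```python
from collections import Counter

# Constructed sample data (not real lookups): reverse DNS results and DNSBL
# membership for a handful of made-up client addresses.
RDNS = {
    "192.0.2.10": "dsl-192-0-2-10.example.net",  # dynamic-looking name
    "192.0.2.11": None,                          # no reverse DNS at all
    "192.0.2.12": "mail.example.org",
    "192.0.2.13": "mail.example.com",
    "192.0.2.14": "mail.example.edu",            # clean host, passes everything
}
DNSBLS = {
    "bl-cbl": {"192.0.2.12"},
    "bl-sbl": {"192.0.2.11", "192.0.2.13"},
}
DYNAMIC_MARKERS = ("dsl-", "dyn", "ppp")

def is_dynamic(ip):
    name = RDNS.get(ip)
    return name is not None and any(m in name for m in DYNAMIC_MARKERS)

def no_rdns(ip):
    return RDNS.get(ip) is None

def in_bl(bl):
    return lambda ip: ip in DNSBLS[bl]

# Check order mirrors the post: dynamic/rDNS tests run before the DNSBLs,
# so an SBL-listed host with no reverse DNS is counted under reverse DNS.
DEFAULT_CHECKS = [
    ("dynamic IP", is_dynamic),
    ("bad or no reverse DNS", no_rdns),
    ("class bl-cbl", in_bl("bl-cbl")),
    ("class bl-sbl", in_bl("bl-sbl")),
]

def classify(ip, checks=DEFAULT_CHECKS):
    """Return the reason for the first check that fires, or None if accepted."""
    for reason, test in checks:
        if test(ip):
            return reason
    return None

def tally(ips, checks=DEFAULT_CHECKS):
    """Count rejection reasons over connecting IPs, like the stats above."""
    return Counter(r for r in (classify(ip, checks) for ip in ips) if r)

def promote(checks, reason):
    """Move the named check to the front, keeping the others in order."""
    return [c for c in checks if c[0] == reason] + [c for c in checks if c[0] != reason]
```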

This week, Hotmail managed:

  • 3 messages accepted, which I really suspect were all spam.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 12 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in the CBL.

Okay, maybe Hotmail's advance fee fraud spammers take small vacations.

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      594 (87)                     1147 (104)
Bad bounces    72 (60)                      117 (98)

There are no particularly outstanding sources of bad HELOs this week, nor any particularly clear locus of bad bounces the way there was last week. Random alphabetical usernames made up most of the bounce targets, with the leader being 'ijiefuurmcl' (five bounce attempts).

Written on 30 December 2006.

Last modified: Sat Dec 30 23:51:03 2006