Weekly spam summary on January 20th, 2007
Our SMTP frontend crashed a lot this week, so the connection volume number is a lot more approximated than usual. Having said that, this week we:
- got 14,060 messages from 292 different IP addresses.
- handled 21,260 sessions from 1,496 different IP addresses.
- received over 183,239 connections; I'm not going to try to guess at the minimum number of different IP addresses.
- probably hit a highwater of 6 connections being checked at once.
It seems likely that volume was around that of last week or maybe a bit lower, but it's very hard to tell.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 184.108.40.206 21316 1101K 220.127.116.11/24 18080 1081K 18.104.22.168/24 12078 544K 22.214.171.124 4945 231K 126.96.36.199 4683 225K 188.8.131.52 4208 202K 184.108.40.206 4149 248K 220.127.116.11 4058 195K 18.104.22.168 3513 169K 22.214.171.124 3360 161K
- 126.96.36.199 returns from last week and many previous appearances.
- 188.8.131.52 was on the NJABL when we blocked it, but no longer is.
- 184.108.40.206 is a Pacbell DSL line in the SORBS DUL list.
- 220.127.116.11 and 18.104.22.168 kept trying bad
- 22.214.171.124 kept trying to send us stuff that had already tripped our spamtraps.
- 126.96.36.199 and 188.8.131.52 are both things that we consider dialups.
The overall volume is clearly up from last week, although only one IP address is one that's made the lists before. (And that one is terra.es's mail server, which we haven't wanted to talk to for ages.)
Connection time rejection stats:
48728 total 32588 dynamic IP 12796 bad or no reverse DNS 2058 class bl-cbl 206 class bl-sdul 143 class bl-dsbl 98 class bl-pbl 58 class bl-njabl 50 class bl-sbl
As you can see, we've added the Spamhaus PBL to our list of blocklists. It hasn't hit much because it comes after the CBL and our extensive hand-maintained list of dialups and other dynamic IPs.
Only one out of the top 30 most rejected IPs was rejected 100 times or
more this week; 184.108.40.206, a wanadoo.fr dialup, was rejected 422
times. 13 of the top 30 are currently in the CBL, and 5 are currently in
Half of our SBL rejections came from 220.127.116.11 (25 rejections, SBL50181), a compromised web server being abused to send advance fee fraud spam for some time. After that is 18.104.22.168 (7 rejections, SBL50211), labeled as an opt-out spammer, and 22.214.171.124 (4 rejections, SBL49046), more advance fee fraud spamming.
This week Hotmail brought us:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 30 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one from saix.net, one from Burkina Faso).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
I can't say that this looks good compared to last week. There is
a clear winner of the bad
HELO sweepstakes; 126.96.36.199 tried 494
times. Fortunately, that's the only really active bad
and everyone else was down in what I consider acceptable territory
with only double-digit rejections.
Germany remained a major source of our bad rejections, sprinkled with
Italy, Japan, Australia, and other places around the globe. '
was the most popular single username to try to send bounces to, but the
most popular thing in general was random alphabetical usernames like
'shxonbnjy'. Bad bounces were sent to 425 different bad usernames this