Weekly spam summary on January 27th, 2007

January 28, 2007

This week, we:

  • got 14,755 messages from 268 different IP addresses.
  • handled 23,910 sessions from 1,483 different IP addresses.
  • received 248,718 connections from at least 75,622 different IP addresses.
  • hit a highwater of 37 connections being checked at once.

Volume seems noticeably up compared to last week. The apparent jump in the number of different IP addresses trying to talk to us concerns me, since it is probably yet another indication of the growing zombie armies.

Day Connections different IPs
Sunday 35,443 +12,619
Monday 36,954 +12,391
Tuesday 31,523 +8,475
Wednesday 42,126 +13,711
Thursday 39,633 +11,063
Friday 36,720 +9,858
Saturday 26,319 +7,505

About all I can say about this table is that I can remember when 20,000 connections a day was the ordinary baseline. Hopefully it'll go back there someday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
193.70.192.0/24       15081    680K
213.4.149.12          13873    712K
213.29.7.0/24         12301    734K
221.186.214.155        8435    505K
66.46.180.235          6534    392K
60.231.152.85          5745    292K
81.115.40.8            5059    270K
72.1.187.162           4544    212K
64.40.176.61           4412    212K
66.15.119.165          3188    149K

I'd call this about the same as last week.

  • 213.4.149.12 and 66.46.180.235 return from last week.
  • 221.186.214.155 is a Japanese IP address without valid reverse DNS.
  • 60.231.152.85 is a bigpond.net.au cablemodem that has appeared here before.
  • 81.115.40.8 is a telecomitalia.it machine reappearing from December.
  • 72.1.187.162 and 64.40.176.61 were blocked for repeated bad HELOs.
  • 66.15.119.165 is in the SORBS DUL.

In general, a broad variety of the usual suspects.

Connection time rejection stats:

  63406 total
  40314 dynamic IP
  15167 bad or no reverse DNS
   4941 class bl-cbl
   1475 class bl-sbl
    281 class bl-dsbl
    210 class bl-njabl
    124 class bl-pbl
    106 class bl-sdul

This is up significantly this week compared to last week, and the CBL and the SBL appear to have caught on fire. Such a huge SBL presence deserves a breakdown:

1291 SBL50451 69.42.169.0/24, listed as a spam source and spam website hoster (25-Jan-2007)
137 SBL43664 63.139.56.0/23, aka 'GO TECH HOSTING', listed as a spam source and more (18-Oct-2006)
16 SBL50430 plus SBL50333 wanadoo.co.uk's main mail machines, listed for advance fee fraud (24-Jan-2007)
10 SBL50325 sify.net webmail, listed for advance fee fraud (22-Jan-2007)
10 SBL50181 advance fee fraud spam source (18-Jan-2007, but active since November, and tried to hit us last week too)
10 SBL50211 65.99.209.155, also a carryover from last week, but now apparently removed from the SBL.

SBL50451 managed to connect to us a few times before it got SBL listed, but it looks like it didn't manage to deliver anything because the messages it was trying to send had URLs that tripped some of our other spam filtering.

Only two of the top 30 most rejected IP addresses were rejected 100 times or more this week, but the leader is a real champion; 83.196.30.53 was rejected 2,546 times due to it being a wanadoo.fr dialup, and 189.139.79.21 was rejected 100 times due to being a Mexican IP address without working reverse DNS (it's also on the CBL et al). In other news, 14 of the top 30 are currently in the CBL, 9 are currently listed in bl.spamcop.net, and two are in the SBL.

The SBL-listed two are 209.205.237.36, part of SBL41018, a /20 Pacnet escalation listing from 24-Dec for spammer hosting that we saw before in December, and 66.236.249.115, SBL37424, a /26 ROKSO listing from 19-Oct for Richard Simnett aka S-Infotech and Direct Media Network. As usual, neither were actually rejected for being SBL-listed; the Pacnet IP was blocked for bad reverse DNS, and the Simnett IP was blocked because we have that /24 blocked as an old spam source.

This week Hotmail brought us:

  • 2 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 29 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being from saix.net of South Africa.

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 1171 134 1578 101
Bad bounces 229 130 455 345

This is an improvement from last week, but not a great one. There's no clear winner of the bad HELO sweepstakes, just a bunch of people with middle double-digit rejection counts.

The clear champion of bad bounces is 193.138.163.135, with 64, all to the username 'erqxsdtlqele'. In terms of general sources, Germany and Italy fought it out this week, with contributions from Russia and various other places around the world. Random alphabetic jumble usernames continued their overall domination of the bad bounce targets, but this week saw some ones with leading numbers show up, along with a number of more plausible usernames. Bad bounces were sent to only 148 different bad usernames this week.

Written on 28 January 2007.
« Why I think that DNS whitelists are going to fail
Why DWiki doesn't use fully REST-ful URLs »

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Mastodon: @cks
Twitter @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web
Also: (Sub)topics

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.
Last modified: Sun Jan 28 01:23:22 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.