Weekly spam summary on February 3rd, 2007

February 3, 2007

This week, we:

  • got 15,790 messages from 280 different IP addresses.
  • handled 23,657 sessions from 1,340 different IP addresses.
  • received 248,408 connections from at least 73,118 different IP addresses.
  • hit a highwater of 17 connections being checked at once.

Volume is up again from last week, although the number of different IPs is down slightly.

Day        Connections  different IPs
Sunday          28,871        +11,587
Monday          30,772        +10,424
Tuesday         39,487        +10,941
Wednesday       38,430        +10,523
Thursday        36,188         +9,602
Friday          37,864        +10,746
Saturday        36,796         +9,295

This is somewhat more even than last week, but that's about all I can say for it.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                      18193    820K
                      17817    926K
                      17387   1043K
                      14077    653K
                      10431    501K
                       7058    423K
                       6715    322K
                       6082    292K
                       5391    259K
                       4741    222K

Things are definitely up compared to last week.

  • and return from last week.
  • kept attempting to send us stuff that had already tripped spamtraps.
  • returns from early January, still blocked for being a PacBell DSL line.
  • is a Sri Lankan IP address with no reverse DNS.
  • and both tried too often with bad HELOs.
  • is on the NJABL.

Connection time rejection stats:

  64250 total
  39581 dynamic IP
  17883 bad or no reverse DNS
   5133 class bl-cbl
    333 class bl-dsbl
    166 class bl-njabl
    139 class bl-pbl
    123 class bl-sbl
    116 class bl-sdul
     21 verticalresponse.com
     13 cuttingedgemedia.com

Four of the top 30 most rejected IPs were rejected 100 times or more this week: (349 times), (199 times), (118 times), and (100 times). The first three were rejected as dynamic IPs, the fourth for having bad reverse DNS. Ten of the top 30 are currently in the CBL and a whopping 21 are currently listed in bl.spamcop.net.

This week's Hotmail scores are:

  • 5 messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address.
  • 36 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 8 messages refused due to their origin IP address (3 in the SBL, 2 from the Cote d'Ivoire, 1 in the CBL, 1 from Nigeria, and one from SAIX).

Somehow, I don't think we're losing anything by not accepting an email message this week from one 'netaleloto_awrd_006@hotmail.it'.

The SBL listings are SBL50384, from January 2007, SBL46422, from September 2006, and SBL32972, from November 2005, when it was spamming through Hotmail. I have no words.

And the final numbers:

what         # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            982             113         1171             134
Bad bounces          105              88          229             130

Germany and Russia seem to be the leading sources of bad bounces this week, with the usual contributions from various other places. Unlike last week, there's no particularly big single source; like last week, the most common bad usernames continue to be alphabetical jumbles, with a certain amount of more plausible ones mixed in. Bad bounces were sent to 96 different bad usernames this week.

Written on 03 February 2007.

Last modified: Sat Feb 3 23:44:45 2007