Weekly spam summary on February 10th, 2007
This week, we:
- got 15,405 messages from 262 different IP addresses.
- handled 23,822 sessions from 1,467 different IP addresses.
- received 258,033 connections from at least 76,977 different IP addresses.
- hit a highwater of 7 connections being checked at once.
The overall volume is about the same as last week; technically it's up a bit, but I figure it's within the normal fluctuation levels by now.
It's interesting that the connection count doesn't seem to be completely tied to the number of new IP addresses; the highs and lows don't match up, although there's a general correlation.
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
126.96.36.199/27       44955   2696K
188.8.131.52/24        29284   1756K
184.108.40.206         18732    974K
220.127.116.11         12807    615K
18.104.22.168/24        8622    389K
22.214.171.124          6667    312K
126.96.36.199           6370    298K
188.8.131.52            5001    240K
184.108.40.206          4846    232K
220.127.116.11          4681    219K
Yow. Things are significantly up over last week, and we have a serious winner.
- 18.104.22.168/27 is totallyfreeld.net. They used to be SBL-listed, but for some reason they got taken out, and apparently they wasted no time in opening up the floodgates.
- 22.214.171.124 (terra.es), 126.96.36.199 (PacBell DSL), 188.8.131.52 (on the SORBS DUL), and 184.108.40.206 (bad HELOs) all return from last week.
- 220.127.116.11 tried too many bad
- 18.104.22.168 is a Bellsouth ADSL IP that we consider dynamic.
- 22.214.171.124 also had too many bad HELOs and returns from early January.
It's been quite a while since we had so many returning IPs, but the real standout is clearly 126.96.36.199/27 by a mile, beating even centrum.cz's 188.8.131.52/24 (itself well up over last week). Given that they somehow got out of the SBL, I am now very glad that I put in our own kernel-level blocks (and I have now made sure that they are listed in pretty much every level of block that we have, just in case).
Connection time rejection stats:
73757 total
45224 dynamic IP
21356 bad or no reverse DNS
 5533 class bl-cbl
  221 class bl-sdul
  211 class bl-dsbl
  207 class bl-pbl
  101 class bl-njabl
   95 class bl-sbl
Things are distinctly up compared to last week, despite the not markedly higher overall connection count. As usual, everything except the CBL is relatively useless, although I suspect that the PBL and the SORBS DUL would jump significantly if we didn't already have our own blocks for those.
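The point made above, that the PBL and SORBS DUL counts look small only because the local dynamic-IP and reverse-DNS checks run first and claim those connections, can be shown with a small tally. The following is an added example and not the author's own code or log format: it runs a constructed set of per-connection check results through an ordered check list, once counting only the first check that fires (the way first-match rejection statistics are produced) and once counting every list a connection would have hit, and then drops the local dynamic-IP block from the front of the order to show the later lists' counts rising. The check names, their order, and the sample addresses are assumptions.

```python
from collections import Counter

# Constructed check results for a handful of connecting IPs (not real log data).
# "dynamic" is the local dynamic-IP list, "rdns" whether reverse DNS checked out,
# "bls" the set of DNS blocklists the IP is on.
SAMPLE_CONNECTIONS = [
    {"ip": "192.0.2.10", "dynamic": True,  "rdns": True,  "bls": {"bl-pbl", "bl-sdul"}},
    {"ip": "192.0.2.11", "dynamic": True,  "rdns": False, "bls": {"bl-pbl", "bl-cbl"}},
    {"ip": "192.0.2.12", "dynamic": False, "rdns": False, "bls": {"bl-sdul"}},
    {"ip": "192.0.2.13", "dynamic": False, "rdns": True,  "bls": {"bl-cbl"}},
    {"ip": "192.0.2.14", "dynamic": False, "rdns": True,  "bls": set()},
    {"ip": "192.0.2.15", "dynamic": True,  "rdns": True,  "bls": {"bl-pbl"}},
]

# Assumed check order: the first check that matches rejects the connection and
# is the only one that shows up in the rejection statistics.
CHECK_ORDER = [
    ("dynamic IP",            lambda c: c["dynamic"]),
    ("bad or no reverse DNS", lambda c: not c["rdns"]),
    ("class bl-cbl",          lambda c: "bl-cbl" in c["bls"]),
    ("class bl-sdul",         lambda c: "bl-sdul" in c["bls"]),
    ("class bl-pbl",          lambda c: "bl-pbl" in c["bls"]),
]


def first_match_tally(conns, checks):
    """Count rejections the way first-match stats do: one reason per connection,
    earlier checks shadowing later ones."""
    tally = Counter()
    for conn in conns:
        for name, pred in checks:
            if pred(conn):
                tally[name] += 1
                break
    return tally


def all_match_tally(conns, checks):
    """Count every check a connection would have tripped, regardless of order.
    This is what each list would catch if it were the only check."""
    tally = Counter()
    for conn in conns:
        for name, pred in checks:
            if pred(conn):
                tally[name] += 1
    return tally


def without(checks, name):
    """Return the check order with one named check removed."""
    return [(n, p) for n, p in checks if n != name]


if __name__ == "__main__":
    print("first-match:          ", dict(first_match_tally(SAMPLE_CONNECTIONS, CHECK_ORDER)))
    print("every list hit:       ", dict(all_match_tally(SAMPLE_CONNECTIONS, CHECK_ORDER)))
    print("no local dynamic list:", dict(first_match_tally(
        SAMPLE_CONNECTIONS, without(CHECK_ORDER, "dynamic IP"))))
```

With the local dynamic-IP check in front, the PBL and SORBS DUL record nothing at all on this sample even though three of the six addresses are PBL-listed; remove that check and both lists start claiming rejections while the total number of rejected connections stays the same. That is why a first-match tally says little about how useful a later list would be on its own.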
The two leading SBL listings were SBL50738, an advance fee fraud spam listing from this month (12 rejections) and SBL50181, a compromised Brazilian web server abused by advance fee fraud spammers since November (10 rejections, and we've seen it before).
Three of the top 30 most rejected IP addresses were rejected 100 times or more this week: 184.108.40.206 (259 times, bad DNS), 220.127.116.11 (143 times, dynamic IP), and 18.104.22.168 (127 times, 'dynamic' IP). 16 of the top 30 are currently in the CBL and 18 are currently in
This week Hotmail managed:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 48 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 6 messages refused due to their origin IP address (3 from the Cote d'Ivoire, two from Gilat Satcom, and one in SBL50431).
And the final numbers:
what | # this week (distinct IPs) | # last week (distinct IPs)
Apparently some sort of miracle happened this week and the spammers all stopped forging us. Alternately, my software is broken.
Bad bounces were sent to only 11 different bad usernames this week; E7D6' got two hits and everyone else got one. Bounces went to three hex bad usernames (3E4B), four actual ex-users, two things that could be valid usernames, and two random alphabetical jumbles. Bounces came from machines in Germany and Russia, among other
Colour me pleasantly happy and certainly hoping that this keeps up. But I'm not going to hold my breath.