Weekly spam summary on February 10th, 2007

February 10, 2007

This week, we:

  • got 15,405 messages from 262 different IP addresses.
  • handled 23,822 sessions from 1,467 different IP addresses.
  • received 258,033 connections from at least 76,977 different IP addresses.
  • hit a highwater of 7 connections being checked at once.

The overall volume is about the same as last week; technically it's up a bit, but I figure it's within the normal fluctuation levels by now.

  Day         Connections   Different IPs
  Sunday           37,528         +13,308
  Monday           44,276         +12,563
  Tuesday          40,718         +10,913
  Wednesday        30,813          +9,073
  Thursday         38,067         +11,262
  Friday           36,639         +10,185
  Saturday         29,992          +9,673

It's interesting that the connection count doesn't seem to be completely tied to the number of new IP addresses; the highs and lows don't match up, although there's a general correlation.

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  [host not recoverable]  44955   2696K
  [host not recoverable]  29284   1756K
  [host not recoverable]  18732    974K
  [host not recoverable]  12807    615K
  [host not recoverable]   8622    389K
  [host not recoverable]   6667    312K
  [host not recoverable]   6370    298K
  [host not recoverable]   5001    240K
  [host not recoverable]   4846    232K
  [host not recoverable]   4681    219K

Yow. Things are significantly up over last week, and we have a serious winner.

  • is totallyfreeld.net. They used to be SBL-listed, but for some reason they got taken out, and apparently they wasted no time in opening up the floodgates.

  • (terra.es), (PacBell DSL), (on the SORBS DUL), and (bad HELOs) all return from last week.
  • tried too many bad HELOs.
  • is a Bellsouth ADSL IP that we consider dynamic.
  • also had too many bad HELOs and returns from early January.

It's been quite a while since we had so many returning IPs, but the real standout is clearly by a mile, beating even centrum.cz's (itself well up over last week). Given that they somehow got out of the SBL, I am now very glad that I put in our own kernel-level blocks (and I have now made sure that they are listed in pretty much every level of block that we have, just in case).

Connection time rejection stats:

  73757 total
  45224 dynamic IP
  21356 bad or no reverse DNS
   5533 class bl-cbl
    221 class bl-sdul
    211 class bl-dsbl
    207 class bl-pbl
    101 class bl-njabl
     95 class bl-sbl

Things are distinctly up compared to last week, even though the overall connection count is not markedly higher. As usual, everything except the CBL is relatively useless, although I suspect that the PBL and the SORBS DUL would jump significantly if we didn't already have our own blocks for those.

The two leading SBL listings were SBL50738, an advance fee fraud spam listing from this month (12 rejections) and SBL50181, a compromised Brazilian web server abused by advance fee fraud spammers since November (10 rejections, and we've seen it before).

Three of the top 30 most rejected IP addresses were rejected 100 times or more this week: (259 times, bad DNS), (143 times, dynamic IP), and (127 times, 'dynamic' IP). 16 of the top 30 are currently in the CBL and 18 are currently in bl.spamcop.net.

This week Hotmail managed:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 48 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 6 messages refused due to their origin IP address (3 from the Cote d'Ivoire, two from Gilat Satcom, and one in SBL50431).

And the final numbers:

  What          # this week (distinct IPs)   # last week (distinct IPs)
  Bad HELOs     995 (154)                    982 (113)
  Bad bounces    12 (8)                      105 (88)

Apparently some sort of miracle happened this week and the spammers all stopped forging us. Alternately, my software is broken.

Bad bounces were sent to only 11 different bad usernames this week; 'E7D6' got two hits and everyone else got one. Bounces went to three hex bad usernames (E7D6, E07, and 3E4B), four actual ex-users, two things that could be valid usernames, and two random alphabetical jumbles. Bounces came from machines in Germany and Russia, among other places.

Colour me pleasantly happy and certainly hoping that this keeps up. But I'm not going to hold my breath.

Written on 10 February 2007.

Last modified: Sat Feb 10 23:54:39 2007