Weekly spam summary on February 17th, 2007
This week, we:
- got 15,925 messages from 244 different IP addresses.
- handled 23,465 sessions from 1,341 different IP addresses.
- received 244,268 connections from at least 75,016 different IP addresses.
- hit a highwater of 16 connections being checked at once.
This is about the same as last week. The per day figures show some significant fluctuations:
Kernel level packet filtering top ten:

| Host/Mask | Packets | Bytes |
|---|---|---|
| 220.127.116.11/24 | 14878 | 892K |
| 18.104.22.168 | 14215 | 682K |
| 22.214.171.124 | 12430 | 682K |
| 126.96.36.199 | 9316 | 484K |
| 188.8.131.52 | 6508 | 312K |
| 184.108.40.206 | 4907 | 235K |
| 220.127.116.11 | 4413 | 212K |
| 18.104.22.168 | 4186 | 196K |
| 22.214.171.124 | 3695 | 177K |
| 126.96.36.199 | 3136 | 150K |

This is definitely down from last week, which is welcome, and for the first time in a while 188.8.131.52 (terra.es) is not at the top of the list.
- 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124 all return from last week.
- 126.96.36.199 kept trying to send us spam that had already tripped our spamtraps.
- 188.8.131.52 is a charter.com DHCP machine of some sort.
- 184.108.40.206 kept trying with a bad
- 220.127.116.11 kept trying to send what looks like phish spam with MAIL FROMs that had already hit our spamtraps.
- 18.104.22.168 is in the SORBS DUL.
To my surprise, 22.214.171.124/27 totally disappeared; in contrast to their performance last week, this week we saw not so much as one packet from them. I would like to think that this is because they got disconnected, but I'm not that optimistic.
Connection time rejection stats:

| Count | Reason |
|---|---|
| 71169 | total |
| 44825 | dynamic IP |
| 17384 | bad or no reverse DNS |
| 6398 | class bl-cbl |
| 1004 | class bl-sbl |
| 203 | class bl-pbl |
| 201 | class bl-njabl |
| 183 | class bl-sdul |
| 177 | class bl-dsbl |
| 81 | cuttingedgemedia.com |

Almost all of the SBL hits came from 126.96.36.199/24 (914 hits), listed as SBL50892 (spam source and landing pages, listed February 6th) and SBL50451 (colocentral.com spammer hosting, an escalation listing, also listed February 6th). They've shown up before, back in late January, when they were even more active.
(The next highest SBL listing only has 17 rejections; it is SBL49046, a free webmail place listed for (what else) advance fee fraud spamming. After that is SBL50375 (13 rejections, a Rokso-listed place), and SBL50928 (12 rejections, a hijacked server).)
Two out of the top 30 most rejected IP addresses were rejected 100 times or more this week: 188.8.131.52 (631 times) and 184.108.40.206 (109 times). Only 7 out of the top 30 most rejected IP addresses are currently in the CBL, none are currently in bl.spamcop.net, and 12 are in the Spamhaus PBL. One is currently in the SBL: 220.127.116.11 (50 rejections) is in SBL48034, a /21 listing of 'Suavemente LLC', listed February 5th.
This week's Hotmail score is:
- 1 message accepted, almost certainly a legitimate one.
- 3 messages rejected because they came from non-Hotmail email
addresses, all from '
- 34 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 1 message refused due to its origin IP address being from SAIX aka telkom.co.za.
And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
|---|---|---|---|---|

I am amazed; apparently last week's low bad bounces was not just a one-time anomaly. Bad bounces were sent to only 7 different usernames this week, and interestingly all seven of them are accounts that used to exist here. Three bounces went to a relatively current domain name, two bounces went to a somewhat out of date domain name, and four went to an outdated hostname that is a strong spam and spam bounce signature these days.