Weekly spam summary on February 17th, 2007

February 18, 2007

This week, we:

  • got 15,925 messages from 244 different IP addresses.
  • handled 23,465 sessions from 1,341 different IP addresses.
  • received 244,268 connections from at least 75,016 different IP addresses.
  • hit a highwater of 16 connections being checked at once.

This is about the same as last week. The per-day figures show some significant fluctuations:

Day          Connections   different IPs
Sunday            36,660         +13,133
Monday            37,139         +12,216
Tuesday           43,156         +12,833
Wednesday         36,296         +11,682
Thursday          31,349          +8,987
Friday            32,322          +8,878
Saturday          27,346          +7,287

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                      14878    892K
                      14215    682K
                      12430    682K
                       9316    484K
                       6508    312K
                       4907    235K
                       4413    212K
                       4186    196K
                       3695    177K
                       3136    150K

This is definitely down from last week, which is welcome, and for the first time in a while (terra.es) is not at the top of the list.

  •,,, and all return from last week.
  • kept trying to send us spam that had already tripped our spamtraps.
  • is a charter.com DHCP machine of some sort.
  • kept trying with a bad HELO.
  • kept trying to send what looks like phish spam with MAIL FROMs that had already hit our spamtraps.
  • is in the SORBS DUL.

To my surprise, totally disappeared; in contrast to their performance last week, this week we saw not so much as one packet from them. I would like to think that this is because they got disconnected, but I'm not that optimistic.

Connection time rejection stats:

  71169 total
  44825 dynamic IP
  17384 bad or no reverse DNS
   6398 class bl-cbl
   1004 class bl-sbl
    203 class bl-pbl
    201 class bl-njabl
    183 class bl-sdul
    177 class bl-dsbl
     81 cuttingedgemedia.com

Almost all of the SBL hits came from (914 hits), listed as SBL50892 (spam source and landing pages, listed February 6th) and SBL50451 (colocentral.com spammer hosting, an escalation listing, also listed February 6th). They've shown up before, back in late January, when they were even more active.

(The next highest SBL listing only has 17 rejections; it is SBL49046, a free webmail place listed for (what else) advance fee fraud spamming. After that is SBL50375 (13 rejections, a Rokso-listed place), and SBL50928 (12 rejections, a hijacked server).)

Two out of the top 30 most rejected IP addresses were rejected 100 times or more this week; (631 times) and (109 times). Only 7 out of the top 30 most rejected IP addresses are currently in the CBL, none are currently in bl.spamcop.net, and 12 are in the Spamhaus PBL. One is currently in the SBL: (50 rejections) is in SBL48034, a /21 listing of 'Suavemente LLC', listed February 5th.
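The cross-check in the paragraph above (how many of the most-rejected IP addresses each blocklist currently lists) can be sketched as follows. This is an added example, not the code behind this summary; the zone names, the one-IP-per-rejection input and the sample data are assumptions, and the resolver is injectable so the sample runs offline.

```python
import socket
from collections import Counter

# Assumed zone names for the lists the summary mentions.
ZONES = {"CBL": "cbl.abuseat.org", "SpamCop": "bl.spamcop.net",
         "PBL": "pbl.spamhaus.org"}

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def lookup(name):
    """Live resolver: the A record as a string, or None if there is none."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def is_listed(answer):
    """Listed means a 127.x.y.z answer; 127.255.255.x is a Spamhaus error
    code (blocked or rate-limited resolver), not a listing."""
    return (answer is not None and answer.startswith("127.")
            and not answer.startswith("127.255.255."))

def cross_check(rejected_ips, n=30, resolve=lookup):
    """Count how many of the n most-rejected IPs each list currently has."""
    hits = {label: 0 for label in ZONES}
    for ip, _count in Counter(rejected_ips).most_common(n):
        for label, zone in ZONES.items():
            if is_listed(resolve(dnsbl_name(ip, zone))):
                hits[label] += 1
    return hits

# Constructed sample: one entry per rejected connection (documentation IPs).
SAMPLE_REJECTS = ["192.0.2.10"] * 5 + ["198.51.100.7"] * 3 + ["203.0.113.99"]
# Constructed answers so the example runs offline.
FAKE_DNS = {
    "10.2.0.192.cbl.abuseat.org": "127.0.0.2",
    "7.100.51.198.cbl.abuseat.org": "127.255.255.254",  # error, not a listing
    "7.100.51.198.pbl.spamhaus.org": "127.0.0.10",
    "99.113.0.203.bl.spamcop.net": "127.0.0.2",
}

if __name__ == "__main__":
    print(cross_check(SAMPLE_REJECTS, n=2, resolve=FAKE_DNS.get))
```

Blocklist contents change over time, so the counts describe the moment the lookups were made rather than the moment of rejection.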

This week's Hotmail score is:

  • 1 message accepted, almost certainly a legitimate one.
  • 3 messages rejected because they came from non-Hotmail email addresses, all from 'service_banc@msn.com'.
  • 34 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 1 message refused due to its origin IP address being from SAIX aka telkom.co.za.

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             979             155          995             154
Bad bounces             9               8           12               8

I am amazed; apparently last week's low bad bounces was not just a one-time anomaly. Bad bounces were sent to only 7 different usernames this week, and interestingly all seven of them are accounts that used to exist here. Three bounces went to a relatively current domain name, two bounces went to a somewhat out of date domain name, and four went to an outdated hostname that is a strong spam and spam bounce signature these days.

Written on 18 February 2007.

Last modified: Sun Feb 18 01:38:56 2007