Weekly spam summary on February 24th, 2007
This week, we:
- got 15,188 messages from 253 different IP addresses.
- handled 21,573 sessions from 1,281 different IP addresses.
- received 238,853 connections from at least 71,848 different IP addresses.
- hit a highwater of 10 connections being checked at once.
Connection and session volume is down a bit from last week. Day to day volume fluctuated up and down through the week:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 18.104.22.168/24 27609 1252K 22.214.171.124 25029 1272K 126.96.36.199 15375 843K 188.8.131.52/24 8533 512K 184.108.40.206/14 7240 386K 220.127.116.11 6865 319K 18.104.22.168 6836 301K 22.214.171.124 6800 336K 126.96.36.199 5045 242K 188.8.131.52 4987 246K
This is up substantially from last week. The big news this week is that I blocked 184.108.40.206/24 very early on in the week; this is Bellsouth's outgoing mail servers. We no longer accept email from Bellsouth because they have gotten into the free webmail business, and as a result are now active participants in the advance fee fraud spam business. (Many US ISPs have apparently gone this direction, for reasons I don't understand.)
- 220.127.116.11, 18.104.22.168, 22.214.171.124, and 126.96.36.199 all kept trying to send email with an origin address that had already tripped our spamtraps, mostly for what looks like phish spam (certain sorts of origin addresses are dead giveaways).
- 188.8.131.52 is in the CBL.
- 184.108.40.206 kept trying with a bad
- 220.127.116.11 is in the NJABL.
All that makes this a highly atypical week; for example, we don't have a single top-10 IP address that we've seen before. In the good news front, 18.104.22.168/27 continued not sending us so much as a single connection attempt over the week, and have thus dropped off my radar for future reports.
Connection time rejection stats:
69674 total 43536 dynamic IP 17981 bad or no reverse DNS 6394 class bl-cbl 295 class bl-njabl 250 class bl-sdul 220 class bl-pbl 159 acceleratebiz.com 147 class bl-sbl 144 class bl-dsbl 33 inetekk.com 15 cuttingedgemedia.com
Overall volume is about the same as last week. The SBL breakdown is slightly interesting:
|59||SBL51080||phish spam source|
|17||SBL49074||hijacked server that's spamming (13 Dec 2006)|
|11||SBL49046||advance fee fraud spam source (13 Dec 2006)|
|10||SBL50375||a /25 ROKSO listing for Eric Reinertsen (29 Jan 2007)|
|10||SBL49248||saigonnet.vn webmail, listed as an advance fee fraud spam source (18 Dec 2006)|
Three of the top 30 most rejected IP addresses were rejected 100
times or more this week: 22.214.171.124 (216 times, bad reverse DNS),
126.96.36.199 (168 times, dynamic IP), and 188.8.131.52 (153
times, on the NJABL). Eight of the top 30 are currently in the
CBL, eight are currently in
bl.spamcop.net, 10 are in the PBL, a grand total of 17 are in the combined
zen.spamhaus.org zone, and one is in
the SBL: 184.108.40.206, SBL51080.
This week Hotmail managed:
- 4 messages accepted, two of them probably legitimate.
- no messages rejected because they came from non-Hotmail email addresses.
- 57 messages sent to our spamtraps.
- 10 messages refused because their sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (3 from the Cote d'Ivoire, one from Nigeria, and one in the CBL).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The winner of the bad
HELO contest this week was 220.127.116.11,
with 125 rejections until it got blocked; the next highest source
only managed 61. It's sad to see the bad bounce numbers start rising
again, but they're still low, and this week they seem to have come
from all over, including a darpa.mil machine and something in the
Arab Emirates that has been forging its
HELO name and so won't be
talking to us any more.
Bad bounces were sent to 13 different usernames this week, mostly to
real ex-users and plausible usernames. There was one alphabetical
3E4B also put in appearances. The most popular
bad bounce targets (admittedly at 3 and 2 hits respectively) were both