Weekly spam summary on February 24th, 2007

February 25, 2007

This week, we:

  • got 15,188 messages from 253 different IP addresses.
  • handled 21,573 sessions from 1,281 different IP addresses.
  • received 238,853 connections from at least 71,848 different IP addresses.
  • hit a highwater of 10 connections being checked at once.

Connection and session volume is down a bit from last week. Day to day volume fluctuated up and down through the week:

Day          Connections   Different IPs
Sunday            29,706         +11,012
Monday            40,386         +12,084
Tuesday           41,718         +12,719
Wednesday         34,748         +10,352
Thursday          36,413          +9,568
Friday            32,318          +9,189
Saturday          23,564          +6,924

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                      27609   1252K
                      25029   1272K
                      15375    843K
                       8533    512K
                       7240    386K
                       6865    319K
                       6836    301K
                       6800    336K
                       5045    242K
                       4987    246K

This is up substantially from last week. The big news this week is that I blocked very early on in the week; this is Bellsouth's outgoing mail servers. We no longer accept email from Bellsouth because they have gotten into the free webmail business, and as a result are now active participants in the advance fee fraud spam business. (Many US ISPs have apparently gone this direction, for reasons I don't understand.)

  •,,, and all kept trying to send email with an origin address that had already tripped our spamtraps, mostly for what looks like phish spam (certain sorts of origin addresses are dead giveaways).
  • is in the CBL.
  • kept trying with a bad HELO.
  • is in the NJABL.

All that makes this a highly atypical week; for example, we don't have a single top-10 IP address that we've seen before. On the good news front, continued not sending us so much as a single connection attempt over the week, and have thus dropped off my radar for future reports.

Connection time rejection stats:

  69674 total
  43536 dynamic IP
  17981 bad or no reverse DNS
   6394 class bl-cbl
    295 class bl-njabl
    250 class bl-sdul
    220 class bl-pbl
    159 acceleratebiz.com
    147 class bl-sbl
    144 class bl-dsbl
     33 inetekk.com
     15 cuttingedgemedia.com

Overall volume is about the same as last week. The SBL breakdown is slightly interesting:

59 SBL51080 phish spam source
17 SBL49074 hijacked server that's spamming (13 Dec 2006)
11 SBL49046 advance fee fraud spam source (13 Dec 2006)
10 SBL50375 a /25 ROKSO listing for Eric Reinertsen (29 Jan 2007)
10 SBL49248 saigonnet.vn webmail, listed as an advance fee fraud spam source (18 Dec 2006)

Of these, SBL49046 and SBL50375 appeared in my summary last week, at about the same volume.

Three of the top 30 most rejected IP addresses were rejected 100 times or more this week: (216 times, bad reverse DNS), (168 times, dynamic IP), and (153 times, on the NJABL). Eight of the top 30 are currently in the CBL, eight are currently in bl.spamcop.net, 10 are in the PBL, a grand total of 17 are in the combined zen.spamhaus.org zone, and one is in the SBL:, SBL51080.
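The CBL, PBL, SBL and combined zen.spamhaus.org counts above all come from the same kind of connection-time lookup. The following is an added example (not code from this post or from the CSLab mail setup) of how such a check is built: reverse the client's octets, query them under the list's zone, and decode the 127.0.0.x answer into the component list. The zone name and return codes are the ones Spamhaus documents for zen; the separate CBL and NJABL zones the report also uses are left out. The client addresses are constructed TEST-NET values and the answers come from an inline table, so it runs offline with no DNS. The error-code and non-127/8 handling is the caveat a practitioner wants: a misconfigured or rate-limited query must not reject every connection.

```python
"""Decode DNSBL answers the way a connection-time rejection check does.

Added example, not the original post's code. Zone and return codes follow
Spamhaus' public documentation for zen.spamhaus.org; sample IPs and answers
are constructed so the example runs offline.
"""
import ipaddress

ZEN_ZONE = "zen.spamhaus.org"

# Documented zen return codes -> (component list, meaning). zen aggregates
# the SBL, the XBL (which carries the CBL data) and the PBL.
ZEN_CODES = {
    "127.0.0.2": ("SBL", "SBL: verified spam source or spam operation"),
    "127.0.0.3": ("SBL", "SBL CSS: snowshoe / compromised-host spam"),
    "127.0.0.4": ("XBL", "XBL (CBL data): exploited or hijacked host"),
    "127.0.0.9": ("SBL", "SBL DROP: hijacked or criminal netblock"),
    "127.0.0.10": ("PBL", "PBL: ISP-declared end-user / dynamic range"),
    "127.0.0.11": ("PBL", "PBL: Spamhaus-declared end-user range"),
}

# 127.255.255.x answers are error signals (bad query, public resolver,
# query limit), not listings. Only 127/8 answers are listings at all.
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")
LISTING_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Build the reversed-octet query name, e.g. 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects IPv6 and garbage up front
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_answers(answers):
    """Turn the A records of a DNSBL answer into (set of lists, error or None).

    Unknown codes inside 127/8 are still a listing ("UNKNOWN") so they are not
    silently dropped; anything outside 127/8 is treated as not listed.
    """
    lists, error = set(), None
    for a in answers:
        code = ipaddress.IPv4Address(a)
        if code in ERROR_NET:
            error = f"dnsbl error code {a}; treating as not listed"
            continue
        if code not in LISTING_NET:
            error = f"non-127/8 answer {a} (wildcard or hijacked resolver?)"
            continue
        lists.add(ZEN_CODES.get(a, ("UNKNOWN", ""))[0])
    return lists, error


def zen_check(ip, resolve):
    """Return (lists, error) for one client IP using the given resolver callable."""
    return classify_answers(resolve(dnsbl_query_name(ip)))


def tally(ips, resolve):
    """Count how many of a set of IPs sit on each component list and how many
    are in zen at all (the report's 'grand total in the combined zone')."""
    counts = {"SBL": 0, "XBL": 0, "PBL": 0, "zen": 0}
    for ip in ips:
        lists, _error = zen_check(ip, resolve)
        for name in lists:
            counts[name] = counts.get(name, 0) + 1
        if lists:
            counts["zen"] += 1
    return counts


# Constructed offline answers (TEST-NET clients), keyed by query name.
FAKE_DNS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.4"],                # XBL (CBL) only
    dnsbl_query_name("192.0.2.11"): ["127.0.0.4", "127.0.0.10"],  # XBL and PBL
    dnsbl_query_name("192.0.2.12"): ["127.0.0.2"],                # SBL
    dnsbl_query_name("192.0.2.13"): ["127.255.255.254"],          # error, not a listing
    dnsbl_query_name("192.0.2.14"): ["10.1.2.3"],                 # bogus non-127/8 answer
    # 192.0.2.15 is absent: NXDOMAIN, i.e. not listed
}


def offline_resolve(name):
    """Stand-in for a real A-record lookup; returns [] for NXDOMAIN."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    sample = ["192.0.2.%d" % n for n in range(10, 16)]
    for ip in sample:
        print(ip, zen_check(ip, offline_resolve))
    print(tally(sample, offline_resolve))
```

To use it against live DNS, pass a resolver callable that returns the A records for the query name (or an empty list on NXDOMAIN) in place of `offline_resolve`; a rejecting MTA would act on `lists` and only log `error`.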

This week Hotmail managed:

  • 4 messages accepted, two of them probably legitimate.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 57 messages sent to our spamtraps.
  • 10 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (3 from the Cote d'Ivoire, one from Nigeria, and one in the CBL).

And the final numbers:

What           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      877 (101)                    979 (155)
Bad bounces    16 (12)                      9 (8)

The winner of the bad HELO contest this week was, with 125 rejections until it got blocked; the next highest source only managed 61. It's sad to see the bad bounce numbers start rising again, but they're still low, and this week they seem to have come from all over, including a darpa.mil machine and something in the Arab Emirates that has been forging its HELO name and so won't be talking to us any more.

Bad bounces were sent to 13 different usernames this week, mostly to real ex-users and plausible usernames. There was one alphabetical jumble, and E07 and 3E4B also put in appearances. The most popular bad bounce targets (admittedly at 3 and 2 hits respectively) were both ex-users.

Written on 25 February 2007.
Last modified: Sun Feb 25 01:11:28 2007