Weekly spam summary on March 10th, 2007

March 11, 2007

This week, we:

  • got 14,862 messages from 263 different IP addresses.
  • handled 21,019 sessions from 1,246 different IP addresses.
  • received 197,155 connections from at least 66,752 different IP addresses.
  • hit a highwater of 11 connections being checked at once.

Volume is definitely down from last week, although the session volume is up slightly. The per day numbers have some significant fluctuations:

Day          Connections   different IPs
Sunday            32,593         +13,521
Monday            37,161         +12,938
Tuesday           27,967          +8,530
Wednesday         21,632          +7,902
Thursday          29,415          +9,045
Friday            28,617          +8,658
Saturday          19,770          +6,158

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
206.223.168.238       39471   2165K
213.29.7.0/24         24821   1488K
205.152.59.0/24       14936    677K
213.4.149.12          11163    581K
66.16.116.241          5392    259K
71.8.237.114           5374    273K
81.215.229.141         3248    156K
64.83.75.188           3207    154K
64.208.191.0/24        3121    187K
193.202.89.232         2898    155K

This is up from last week, although it's unevenly distributed; the low end is about the same, but the high end is much more active.

  • 206.223.168.238 and 213.4.149.12 return from last week.
  • 66.16.116.241 kept trying with a bad HELO.
  • 71.8.237.114 is a charter.com something or other.
  • 81.215.229.141 has inconsistent reverse DNS.
  • 64.83.75.188 is a place we no longer talk to because it sent us phish spam.
  • 193.202.89.232 kept trying with an origin address that had already tripped our spamtraps.

64.208.191.0/24 deserves special mention: various hosts in there slammed us as part of an aggressive spam run, and then once they had tripped our spamtraps they demonstrated that they were partially ignoring SMTP responses. This is a quick recipe for getting your own set of kernel packet filtering rules; if they come back this week, I'll probably make the block permanent.
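One way to spot the behaviour described above from your own SMTP logs, as an added example that is not the author's code: a client that issues DATA after every RCPT in the session was rejected is ignoring our responses, and a /24 with several such hosts is a candidate for a packet filtering rule (for a human to review, not an automatic block). The session records below are constructed; only the 64.208.191.0/24 network comes from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sessions, keyed by (client IP, session number); each
# value is the ordered list of (client command, server reply code).
# Not real log data; only 64.208.191.0/24 is taken from the post.
SESSIONS = {
    ("64.208.191.10", 1): [("MAIL", 250), ("RCPT", 550), ("DATA", 503)],
    ("64.208.191.23", 1): [("MAIL", 250), ("RCPT", 550), ("RCPT", 550), ("DATA", 503)],
    ("64.208.191.23", 2): [("MAIL", 250), ("RCPT", 550), ("QUIT", 221)],
    ("64.208.191.77", 1): [("MAIL", 250), ("RCPT", 550), ("DATA", 503)],
    ("192.0.2.5", 1):     [("MAIL", 250), ("RCPT", 250), ("DATA", 354)],
    ("192.0.2.9", 1):     [("MAIL", 250), ("RCPT", 550), ("QUIT", 221)],
}


def ignores_responses(events):
    """True if the client sent DATA although every RCPT in the session was rejected.

    A well-behaved client that gets only 5xx replies to RCPT has no recipients
    and should QUIT (or RSET); going on to DATA means the replies were ignored.
    """
    rcpt_codes = [code for cmd, code in events if cmd == "RCPT"]
    if not rcpt_codes or any(code < 400 for code in rcpt_codes):
        return False            # no RCPTs, or at least one was accepted
    return any(cmd == "DATA" for cmd, _ in events)


def offending_hosts(sessions):
    """Distinct client IPs with at least one session that ignored rejections."""
    hosts = {ip for (ip, _sid), events in sessions.items() if ignores_responses(events)}
    return sorted(hosts, key=ipaddress.ip_address)


def candidate_blocks(sessions, min_hosts=3):
    """Group offenders by /24 and return networks with min_hosts or more offenders.

    The threshold keeps a single misbehaving host from condemning its whole /24;
    the result is a review list, not a rule set to apply blindly.
    """
    per_net = defaultdict(set)
    for ip in offending_hosts(sessions):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_net[net].add(ip)
    return sorted(str(net) for net, hosts in per_net.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    print("offending hosts:", offending_hosts(SESSIONS))
    print("candidate /24 blocks:", candidate_blocks(SESSIONS))
```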

Connection time rejection stats:

  62956 total
  37668 dynamic IP
  17559 bad or no reverse DNS
   5173 class bl-cbl
   1049 class bl-sbl
    353 acceleratebiz.com
    198 class bl-dsbl
    132 class bl-pbl
    121 cuttingedgemedia.com
    112 class bl-sdul
     78 class bl-njabl
     27 verticalresponse.com

Overall volume is slightly down from last week. The SBL breakdown is as uninteresting as last week; 962 hits from SBL50892 (colocentral.com, who apparently feel spammer hosting is fine with them), then the next highest is 18 hits from SBL43107 (listed February 16th as 'Gestour Portal spam source').

Four of the top 30 most rejected IP addresses were rejected 100 times or more: 81.51.111.171 (2,190 times, a wanadoo.fr dynamic IP address), 200.88.30.51 (114 times, no reverse DNS), 24.158.104.204 (106 times, a charter.com cablemodem or something), and 71.101.60.68 (106 times, a verizon.net DSL something or other). Fourteen of the top 30 are currently in the CBL, 11 are currently listed by bl.spamcop.net, 11 are in the Spamhaus PBL, and a grand total of 17 are in zen.spamhaus.org.

This week Hotmail managed:

  • 3 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 26 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in the CBL.

This is a lot better than their numbers last week.

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs               1041 (96)                     953 (95)
Bad bounces                4 (4)                       17 (16)

Now that's the sort of numbers on bad bounces that I like to see. There were no really big sources of bad HELOs this week; the highest were 64.3.170.46 (113 times), 69.15.31.193 (82 times), 64.122.66.34 (76 times), and 64.171.104.2 (75 times).

Bad bounces came from four different places to four different usernames; three of the bad usernames are ex-users, and one is a reasonably plausible username.

Written on 11 March 2007.
Last modified: Sun Mar 11 00:10:01 2007