Weekly spam summary on March 31st, 2007

April 1, 2007

This week, we:

  • got 12,348 messages from 259 different IP addresses.
  • handled 17,799 sessions from 1,226 different IP addresses.
  • received 171,239 connections from at least 53,794 different IP addresses.
  • hit a highwater of 28 connections being checked at once.

Somewhat to my surprise, volume is down again from last week, although the concurrent connections highwater is up a lot.

Day Connections different IPs
Sunday 24,671 +9,666
Monday 28,038 +8,584
Tuesday 26,683 +8,159
Wednesday 22,651 +5,508
Thursday 30,976 +9,417
Friday 21,879 +6,873
Saturday 16,341 +5,587

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.241.0/24       21236   1031K cox.net
213.29.7.0/24         17748   1065K centrum.cz
205.152.59.0/24       15832    718K bellsouth.net
68.230.240.0/24       13549    658K cox.net
213.4.149.12          13506    702K
68.168.78.0/24         9359    449K adelphia.net
72.249.13.82           8992    494K
72.249.13.84           5195    286K
72.54.120.137          4553    219K
72.249.13.83           4264    235K

By contrast, our kernel packet filtering blocks are up significantly from last week, partly because I was aggressive about throwing blocked advance fee fraud webmail sources into the kernel filters early on. As a result of this, blocked webmail sources account for half the top ten, and all four of the top spots. (To save space, I've just annotated the main listing with who each /24 belongs to.)

  • 213.4.149.12 and 72.249.13.82 return from last week.
  • 72.249.13.84 and 72.249.13.83 kept trying to send us email from the user name do_not_reply at a domain with temporary DNS failures. For that extra encouragement to accept their email, the machines HELO'd as otcpicksnews4.com and otcpicksnews3.com respectively.
  • 72.54.120.137 kept trying with a bad HELO name.

A note to people: if you want to look straightforward and innocent, don't give your machines separate domain names that vary only in their trailing digits, and especially don't try to send email from them with the same SMTP MAIL FROM. Because there are really not that many innocent explanations for why you would need your outgoing email pool machines to have different domain names.

Connection time rejection stats:

  48510 total
  26705 dynamic IP
  16564 bad or no reverse DNS
   3814 class bl-cbl
    204 class bl-sbl
    180 class bl-dsbl
    161 acceleratebiz.com
    110 class bl-pbl
    109 dartmail.net
     74 cuttingedgemedia.com
     71 class bl-njabl
     43 class bl-sdul

The highest SBL sources this week are a rerun of last week: first SBL52715 with 149 rejections, then SBL50181 with 22. I'd find it striking, but mostly I find it depressing.

Seventeen of the top 30 most rejected IP addresses this week were rejected 100 times or more; the leader is 201.244.113.194 (237 rejections, for having bad reverse DNS). Eleven of the top 30 are currently in the CBL, 3 are currently in bl.spamcop.net, eight are in the PBL, and a grand total of 16 are in zen.spamhaus.org.

(Locally, 18 were rejected as 'dynamic IP', 11 were rejected for bad or missing reverse DNS, and one was a cuttingedgemedia.com machine.)

This week's Hotmail numbers are:

  • 3 messages accepted, at least two of which were almost certainly spam.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 36 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one in SBL44668, a listing from August 12th 2006, and one from Burkina Faso).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 714 83 561 81
Bad bounces 37 22 2 2

Well, so much for the nice numbers on bad bounces from last week. In better news, no particularly source of bad HELOs stood out, and the most active one, 74.62.160.117, only had 52 rejections.

Bad bounces were sent to 22 different bad usernames this week, with the most popular being noreply with 10 attempts. Most of the bad usernames were at least not random, and some of them were for past local users; there were a fair number of usernames like trinawebber that were trying for plausible first name plus last name.

The most prolific source of bad bounces is an ISP in Bulgaria, followed by Earthlink. The remaining bad bounces come from all over, including a well-named machine called 'mail.victim.com' (72.1.148.50).

Written on 01 April 2007.
« Created functions and exception stack backtraces
Please leave IOError and OSError alone »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Apr 1 00:29:27 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.