Weekly spam summary on March 31st, 2007
This week, we:
- got 12,348 messages from 259 different IP addresses.
- handled 17,799 sessions from 1,226 different IP addresses.
- received 171,239 connections from at least 53,794 different IP addresses.
- hit a highwater of 28 connections being checked at once.
Somewhat to my surprise, volume is down again from last week, although the concurrent connections highwater is up a lot.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 188.8.131.52/24 21236 1031K cox.net 184.108.40.206/24 17748 1065K centrum.cz 220.127.116.11/24 15832 718K bellsouth.net 18.104.22.168/24 13549 658K cox.net 22.214.171.124 13506 702K 126.96.36.199/24 9359 449K adelphia.net 188.8.131.52 8992 494K 184.108.40.206 5195 286K 220.127.116.11 4553 219K 18.104.22.168 4264 235K
By contrast, our kernel packet filtering blocks are up significantly from last week, partly because I was aggressive about throwing blocked advance fee fraud webmail sources into the kernel filters early on. As a result of this, blocked webmail sources account for half the top ten, and all four of the top spots. (To save space, I've just annotated the main listing with who each /24 belongs to.)
- 22.214.171.124 and 126.96.36.199 return from last week.
- 188.8.131.52 and 184.108.40.206 kept trying to send us email from
the user name
do_not_replyat a domain with temporary DNS failures. For that extra encouragement to accept their email, the machines
HELO'd as otcpicksnews4.com and otcpicksnews3.com respectively.
- 220.127.116.11 kept trying with a bad
A note to people: if you want to look straightforward and innocent, don't give your machines separate domain names that vary only in their trailing digits, and especially don't try to send email from them with the same SMTP MAIL FROM. Because there are really not that many innocent explanations for why you would need your outgoing email pool machines to have different domain names.
Connection time rejection stats:
48510 total 26705 dynamic IP 16564 bad or no reverse DNS 3814 class bl-cbl 204 class bl-sbl 180 class bl-dsbl 161 acceleratebiz.com 110 class bl-pbl 109 dartmail.net 74 cuttingedgemedia.com 71 class bl-njabl 43 class bl-sdul
Seventeen of the top 30 most rejected IP addresses this week were
rejected 100 times or more; the leader is 18.104.22.168 (237
rejections, for having bad reverse DNS). Eleven of the top 30 are
currently in the CBL, 3 are currently in
bl.spamcop.net, eight are in
the PBL, and a grand total of 16 are in zen.spamhaus.org.
(Locally, 18 were rejected as 'dynamic IP', 11 were rejected for bad or missing reverse DNS, and one was a cuttingedgemedia.com machine.)
This week's Hotmail numbers are:
- 3 messages accepted, at least two of which were almost certainly spam.
- no messages rejected because they came from non-Hotmail email addresses.
- 36 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one in SBL44668, a listing from August 12th 2006, and one from Burkina Faso).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Well, so much for the nice numbers on bad bounces from last week.
In better news, no particularly source of bad
HELOs stood out, and
the most active one, 22.214.171.124, only had 52 rejections.
Bad bounces were sent to 22 different bad usernames this week, with the
most popular being
noreply with 10 attempts. Most of the bad usernames
were at least not random, and some of them were for past local users;
there were a fair number of usernames like
trinawebber that were
trying for plausible first name plus last name.
The most prolific source of bad bounces is an ISP in Bulgaria, followed by Earthlink. The remaining bad bounces come from all over, including a well-named machine called 'mail.victim.com' (126.96.36.199).