Weekly spam summary on April 14th, 2007

April 14, 2007

This week, we:

  • got 13,205 messages from 267 different IP addresses.
  • handled 19,508 sessions from 1,153 different IP addresses.
  • received 163,293 connections from at least 49,706 different IP addresses.
  • hit a high-water mark of 11 connections being checked at once.

This is about the same volume as last week. The per-day table fluctuates a fair bit, with a mid-week peak as usual:

Day          Connections   different IPs
Sunday            23,951          +8,124
Monday            25,146          +8,550
Tuesday           20,040          +6,666
Wednesday         29,144          +8,048
Thursday          22,600          +5,945
Friday            25,901          +7,294
Saturday          16,511          +5,079

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       41441   2013K cox.net
205.152.59.0/24       19922    903K bellsouth.net
200.170.93.20         11532    615K
64.187.99.112         11366    546K
213.29.7.0/24          9072    544K centrum.cz
68.168.78.0/24         8826    424K adelphia.net
213.4.149.12           6721    349K
209.60.190.123         5479    256K
212.51.32.152          3936    182K
66.18.132.101          3398    163K

Volume is slightly up on last week, but not enough to be significant (especially since I merged the two Bellsouth /24 blocks into one /23). It is nice to see some of the /24s for the webmail people moving out of the top of the table, even if Cox and Bellsouth still have a lock on the top places.

  • 200.170.93.20 kept trying to send email with an origin address that had already tripped our spamtraps. Judging from the specific origin address and the host name, it's a web server compromised through some PHP problem.
  • 64.187.99.112 is in AccelerateBiz network space, and we no longer talk to them. Considering that it is called 'mail.allfreebiestoyou.com', I don't think we're in any danger of missing anything important.
  • 213.4.149.12 returns from last week and many times before.
  • 209.60.190.123 and 66.18.132.101 kept trying with bad HELOs.
  • 212.51.32.152 is a mundo-r.com machine, and we no longer accept email from them due to advance fee fraud webmail spam.

Connection time rejection stats:

  40610 total
  21905 dynamic IP
  13065 bad or no reverse DNS
   4207 class bl-cbl
    237 acceleratebiz.com
    127 dartmail.net
    123 class bl-njabl
    118 class bl-dsbl
    107 class bl-pbl
    100 class bl-sbl
     73 cuttingedgemedia.com
     69 postdirect.com
     68 edatis.net/edt02.net
     39 class bl-sdul

Here is a free hint for people trying to get us to accept their email: putting sequence numbers in your domain names does not make you look good.

Technically, the highest SBL source this week is SBL51080 with 19 rejections, but this is just because 72.249.13.64/26 somehow got its listing removed some time during the week. Had it remained listed, it would have had 32 rejections.

(Because I am much less forgiving than the SBL, the otcpicksnewsN.com complex has now earned a place in our permanent blocks.)

Three of the top 30 most rejected IP addresses were rejected 100 times or more this week: 62.42.62.33 (714 times), 74.64.66.122 (290 times), and 24.105.197.53 (120 times). All of them are dynamic IP addresses. Ten of the top 30 are currently in the CBL, eight are currently in bl.spamcop.net, eleven are in the PBL, and a grand total of 14 are in zen.spamhaus.org.

(Locally, 14 were rejected as 'dynamic IP', eight were rejected for bad or missing reverse DNS, three were rejected for being on various DNS blocklists, three were rejected for being in AccelerateBiz network space, and there was one from Cutting Edge Media and one from edatis.net. It was a varied week for the top 30.)
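The CBL, PBL and zen counts above overlap because zen.spamhaus.org folds the SBL, the XBL (which carries the CBL data) and the PBL into one zone and reports which component matched through 127.0.0.x answer codes. The following is an added illustration, not code from the original post: the query-name construction and answer codes follow Spamhaus's published scheme, while the sample answers are constructed (RFC 5737 documentation addresses, invented listings) and looked up from an in-memory table so it runs offline.

```python
import ipaddress

# zen.spamhaus.org answer codes (Spamhaus's documented scheme): the last
# octet says which component list produced the hit.
ZEN_CODES = {
    "127.0.0.2": "SBL",       # Spamhaus Block List
    "127.0.0.3": "SBL",       # SBL CSS, also part of the SBL
    "127.0.0.4": "XBL",       # XBL: CBL data
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",      # ISP-maintained PBL entries
    "127.0.0.11": "PBL",      # Spamhaus-maintained PBL entries
}

def zen_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL query name: the IPv4 octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def decode_zen_answer(records):
    """Map the A records of one zen answer to component lists.  Codes outside
    the table (e.g. the 127.255.255.x error codes) are kept as UNKNOWN(...)
    so a blocked or misconfigured resolver is not mistaken for a listing."""
    return {ZEN_CODES.get(rec, f"UNKNOWN({rec})") for rec in records}

# Constructed sample answers (RFC 5737 documentation addresses, invented
# listings); an empty list stands for an NXDOMAIN (not listed) answer.
SAMPLE_ANSWERS = {
    "192.0.2.10":    ["127.0.0.4", "127.0.0.11"],   # CBL and PBL
    "192.0.2.11":    ["127.0.0.11"],                # PBL only
    "198.51.100.7":  ["127.0.0.4"],                 # CBL only
    "198.51.100.8":  [],                            # not listed
    "203.0.113.5":   ["127.255.255.254"],           # resolver error code
}

def tally(answers):
    """Count, as the summary does, how many hosts are in each component
    list and how many are in zen at all (a host in both CBL and PBL
    counts once for zen; unknown codes count for nothing)."""
    counts = {"SBL": 0, "XBL": 0, "PBL": 0, "zen": 0}
    for recs in answers.values():
        hits = decode_zen_answer(recs) & {"SBL", "XBL", "PBL"}
        for name in hits:
            counts[name] += 1
        if hits:
            counts["zen"] += 1
    return counts
```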

This week Hotmail managed:

  • 1 message accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 30 messages sent to our spamtraps.
  • 1 message refused because its sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (two in the CBL, two from the Cote d'Ivoire, and one in SBL44668, which dates from August 12th 2006).

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      940 (72)                     801 (143)
Bad bounces     57 (29)                      27 (20)

The most active sources of bad HELOs were 216.103.66.186 (73 rejections) and 217.206.140.214 (70 rejections). The only spot of brightness is that at least fewer machines seem to be hitting us with bad HELOs.

Bad bounces were sent to 39 different bad usernames this week. The leading targets were two ex-users, but the dominant sort of target was usernames like ShawnOtto. A few went to usernames like marcievaughn, a few to other local past usernames, and there was one to a random jumble username. As with last week, Earthlink was the dominant source of bad bounces.

Written on 14 April 2007.

Last modified: Sat Apr 14 23:55:44 2007