Weekly spam summary on April 28th, 2007
This week, we:
- got 11,321 messages from 292 different IP addresses.
- handled 18,443 sessions from 1,247 different IP addresses.
- received 176,017 connections from at least 61,753 different IP addresses.
- hit a highwater of 7 connections being checked at once.
This is slightly up from last week, especially the number of different IP addresses hitting us. The drop in email messages may be because we're towards the end of university exams, when things tend to get a bit quiet.
The spammers seem to have jumped on us in the middle of the week, and then started to fall off later on. Probably this is not going to be a long-term trend.
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
126.96.36.199/23       39449   1916K  cox.net
188.8.131.52/24        19607    941K  adelphia.net
184.108.40.206/24      15449    927K  centrum.cz
220.127.116.11         13035    678K
18.104.22.168/24       12831    582K  bellsouth.net
22.214.171.124/27       9250    508K
126.96.36.199           5319    284K
188.8.131.52            2877    158K
184.108.40.206/24       2619    157K
220.127.116.11          2619    126K
Volume is slightly down from last week, and has shuffled around quite a bit.
- 18.104.22.168 is terra.es, and returns from last week and many times before.
- 22.214.171.124/27 is a tendril of otcpicknews.com and returns from last week.
- 126.96.36.199 is a telecomitalia.it generic host, and returns from late February and a number of times before then.
- 188.8.131.52 kept trying to send us stuff with an origin address that had tripped our spam traps. It's been doing this for some time, but this is the first week it's made our top ten.
- 184.108.40.206/24 is celeonet.fr; it also kept trying to send us stuff that had already tripped our spamtraps, but it was sending from so many IP addresses that I just blocked the entire /24.
- 220.127.116.11 kept trying with a bad
Connection time rejection stats:
41556 total
22293 dynamic IP
13326 bad or no reverse DNS
 4565 class bl-cbl
  234 qsnews.net
  222 class bl-njabl
  105 acceleratebiz.com
  110 class bl-dsbl
   95 class bl-pbl
   71 class bl-sdul
   70 class bl-sbl
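As an added example (not code from the original post), here is one way a connection-time classifier could produce a breakdown like the one above: check reverse DNS and a dynamic-hostname heuristic first, then query DNSBLs by reversing the client's octets under each zone. The check order, the dynamic-hostname patterns, the zone names and the in-memory resolver are all assumptions made for this example; the sdul class is omitted because its zone is not on the page.

```python
import re
from collections import Counter

# Assumed DNSBL zones for the classes in the stats (not taken from the page).
DNSBL_ZONES = {
    "bl-cbl": "cbl.example-dnsbl.test",
    "bl-sbl": "sbl.example-dnsbl.test",
    "bl-pbl": "pbl.example-dnsbl.test",
    "bl-njabl": "njabl.example-dnsbl.test",
    "bl-dsbl": "dsbl.example-dnsbl.test",
}

# Assumed heuristic: hostnames with these tokens are treated as dynamic/consumer IPs.
DYNAMIC_RE = re.compile(r"(dyn|dhcp|ppp|dsl|cable|pool)", re.I)

# Constructed offline DNS data keyed by (name, record type); TEST-NET addresses only.
FAKE_DNS = {
    ("192.0.2.10", "PTR"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    ("192.0.2.12", "PTR"): ["dsl-12-2-0-192.example.net"],
    ("192.0.2.13", "PTR"): ["host13.example.net"],
    ("host13.example.net", "A"): ["203.0.113.5"],          # forward/reverse mismatch
    ("192.0.2.14", "PTR"): ["relay.example.com"],
    ("relay.example.com", "A"): ["192.0.2.14"],
    ("14.2.0.192.cbl.example-dnsbl.test", "A"): ["127.0.0.2"],  # listed in CBL
    ("192.0.2.15", "PTR"): ["smtp.example.com"],
    ("smtp.example.com", "A"): ["192.0.2.15"],
    ("15.2.0.192.sbl.example-dnsbl.test", "A"): ["127.0.0.2"],  # listed in SBL
}
SAMPLE_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14", "192.0.2.15"]

def fake_resolve(name, rtype):
    """Stand-in resolver: answers from FAKE_DNS, empty list means NXDOMAIN."""
    return FAKE_DNS.get((name, rtype), [])

def dnsbl_name(ip, zone):
    """Reverse the dotted-quad octets and append the DNSBL zone (standard DNSBL query form)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(ip, resolve):
    """Return the rejection class for a connecting IP, or None to accept the connection."""
    ptrs = resolve(ip, "PTR")
    if not ptrs:
        return "bad or no reverse DNS"
    name = ptrs[0]
    if DYNAMIC_RE.search(name):
        return "dynamic IP"
    if ip not in resolve(name, "A"):          # PTR must confirm forward (FCrDNS)
        return "bad or no reverse DNS"
    for cls, zone in DNSBL_ZONES.items():     # first listing wins, in dict order
        if resolve(dnsbl_name(ip, zone), "A"):
            return "class " + cls
    return None

def summarize(ips, resolve):
    """Count rejections per class plus a running total, like the weekly stats."""
    counts = Counter()
    for ip in ips:
        cls = classify(ip, resolve)
        if cls:
            counts["total"] += 1
            counts[cls] += 1
    return dict(counts)
```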
The highest source of SBL rejections this week is SBL49395 at 25 rejections, which is labeled as 'swishmail.com' and appears to be a dirty /24 used by a spammer and was listed 23 December 2006. Following it is SBL45324 with 17 rejections, a /24 ROKSO listing for Brian Kramer aka Expedite Media Group, listed 26 December 2006.
Three of the top 30 most rejected IP addresses were rejected 100 times or more this week; 18.104.22.168 (156 times, qsnews.net), 22.214.171.124 (123 times, missing reverse DNS), and 126.96.36.199 (106 times, tele.dk ADSL). Ten of the top 30 are currently in the CBL, none are currently in bl.spamcop.net (somewhat to my surprise), eight are in the PBL, and a grand total of 14 are in zen.spamhaus.org.
(Locally, 13 were rejected for bad or missing reverse DNS, 9 as dynamic IPs, 3 as being from various places we don't want to talk to, 3 for being in the NJABL, and one each for being in the DSBL and the CBL.)
This week, Hotmail did:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 24 messages sent to our spamtraps.
- 16 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (two in the CBL, one in SBL48677, an advance fee fraud spam source listing from December 1st 2006, and one from the Cote d'Ivoire).
And the final numbers:
what    # this week (distinct IPs)    # last week (distinct IPs)
Bad bounces have almost doubled from last week, and the number of sources has more than doubled. On the slightly bright side, at least the HELO count has dropped slightly. The leading bad HELO source is 188.8.131.52 (72 tries), followed by 184.108.40.206 (67 tries).
Bad bounces were sent to 36 different bad usernames this week. The leading target, with 84 attempts, was an old user. After that we saw attempts to old users, the ever-popular noreply, some random xgosk02, and a variety of names like
This week the bounces seem to have come from all over; the leading source is chello.at, followed by a Polish ISP and Earthlink. Various places in Eastern Europe seem to be popular bounce sources in general.