Weekly spam summary on April 28th, 2007
This week, we:
- got 11,321 messages from 292 different IP addresses.
- handled 18,443 sessions from 1,247 different IP addresses.
- received 176,017 connections from at least 61,753 different IP addresses.
- hit a highwater of 7 connections being checked at once.
This is slightly up from last week, especially the number of different IP addresses hitting us. The drop in email messages may be because we're towards the end of university exams, when things tend to get a bit quiet.
The spammers seem to have jumped on us in the middle of the week, and then started to fall off later on. Probably this is not going to be a long-term trend.
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
188.8.131.52/23        39449   1916K   cox.net
184.108.40.206/24      19607    941K   adelphia.net
220.127.116.11/24      15449    927K   centrum.cz
18.104.22.168          13035    678K
22.214.171.124/24      12831    582K   bellsouth.net
126.96.36.199/27        9250    508K
188.8.131.52            5319    284K
184.108.40.206          2877    158K
220.127.116.11/24       2619    157K
18.104.22.168           2619    126K
Volume is slightly down from last week, and has shuffled around quite a bit.
- 22.214.171.124 is terra.es, and returns from last week and many times before.
- 126.96.36.199/27 is a tendril of otcpicknews.com and returns from last week.
- 188.8.131.52 is a telecomitalia.it generic host, and returns from late February and a number of times before then.
- 184.108.40.206 kept trying to send us stuff with an origin address that had tripped our spam traps. It's been doing this for some time, but this is the first week it's made our top ten.
- 220.127.116.11/24 is celeonet.fr; it also kept trying to send us stuff that had already tripped our spamtraps, but it was sending from so many IP addresses that I just blocked the entire /24.
- 18.104.22.168 kept trying with a bad
Connection time rejection stats:
41556 total
22293 dynamic IP
13326 bad or no reverse DNS
 4565 class bl-cbl
  234 qsnews.net
  222 class bl-njabl
  105 acceleratebiz.com
  110 class bl-dsbl
   95 class bl-pbl
   71 class bl-sdul
   70 class bl-sbl
The highest source of SBL rejections this week is SBL49395 at 25 rejections, which is labeled as 'swishmail.com' and appears to be a dirty /24 used by a spammer and was listed 23 December 2006. Following it is SBL45324 with 17 rejections, a /24 ROKSO listing for Brian Kramer aka Expedite Media Group, listed 26 December 2006.
Three of the top 30 most rejected IP addresses were rejected 100 times or more this week; 22.214.171.124 (156 times, qsnews.net), 126.96.36.199 (123 times, missing reverse DNS), and 188.8.131.52 (106 times, tele.dk ADSL). Ten of the top 30 are currently in the CBL, none are currently in bl.spamcop.net (somewhat to my surprise), eight are in the PBL, and a grand total of 14 are in zen.spamhaus.org.
(Locally, 13 were rejected for bad or missing reverse DNS, 9 as dynamic IPs, 3 as being from various places we don't want to talk to, 3 for being in the NJABL, and one each for being in the DSBL and the CBL.)
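The rejection tallies above (totals by reason, the most-rejected IP addresses, and which of them sit in the SBL, CBL/XBL or PBL components of zen.spamhaus.org) are the kind of numbers a small script pulls out of a mail server's reject log each week. The following is an added example, not the author's own tooling: it parses a constructed log format (the `reject ip=... reason=...` lines are made up for this example, not the real server's output), aggregates rejections by reason and by client IP, applies the post's "100 or more rejections" cut-off, and builds the reversed-octet DNSBL query name for a zone such as zen.spamhaus.org together with a decoder for the zen return codes. The code-to-component mapping is the one Spamhaus publishes for zen; the resolver call itself is left out so the block runs offline.

```python
import re
from collections import Counter

# Constructed sample lines in a made-up log format (not the page's real log
# format): timestamp, verdict, client IP, and the rejection reason logged.
SAMPLE_LOG = """\
2007-04-25T10:01:02 reject ip=192.0.2.10 reason=dynamic-ip
2007-04-25T10:01:09 reject ip=192.0.2.10 reason=dynamic-ip
2007-04-25T10:02:15 reject ip=198.51.100.7 reason=no-reverse-dns
2007-04-25T10:03:44 reject ip=203.0.113.5 reason=class:bl-cbl
2007-04-25T10:04:01 reject ip=192.0.2.10 reason=dynamic-ip
2007-04-25T10:05:30 reject ip=198.51.100.7 reason=no-reverse-dns
2007-04-25T10:06:12 reject ip=203.0.113.9 reason=class:bl-sbl
2007-04-25T10:07:00 accept ip=203.0.113.77
"""

LINE_RE = re.compile(r"^\S+ reject ip=(?P<ip>[\d.]+) reason=(?P<reason>\S+)")


def parse_rejections(text):
    """Yield (ip, reason) for each connection-time rejection line; accepted
    sessions and lines in any other shape are skipped rather than guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("reason")


def rejection_stats(text):
    """Return (total, per_reason, per_ip): the overall total, the breakdown by
    reason, and the per-client-IP counts that the weekly summary reports."""
    per_reason = Counter()
    per_ip = Counter()
    for ip, reason in parse_rejections(text):
        per_reason[reason] += 1
        per_ip[ip] += 1
    return sum(per_reason.values()), per_reason, per_ip


def top_rejected(per_ip, n=30, at_least=100):
    """IPs among the top n by rejection count that reached the threshold the
    post uses (100 or more rejections in the week), most rejected first."""
    return [(ip, c) for ip, c in per_ip.most_common(n) if c >= at_least]


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the name to resolve for an IPv4 DNSBL lookup: the octets in
    reverse order, then the list's zone (192.0.2.10 -> 10.2.0.192.<zone>)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


# zen.spamhaus.org return codes and the component list each one stands for,
# as published by Spamhaus (XBL is where the CBL data surfaces).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}


def classify_zen_answer(answers):
    """Map the A records a zen lookup returned to component names, sorted; an
    empty answer (NXDOMAIN) means the address is not listed at all."""
    return sorted({ZEN_CODES.get(a, f"unknown:{a}") for a in answers})


if __name__ == "__main__":
    total, per_reason, per_ip = rejection_stats(SAMPLE_LOG)
    print(total, "total")
    for reason, count in per_reason.most_common():
        print(count, reason)
    print("top offenders:", top_rejected(per_ip, at_least=3))
    print(dnsbl_query_name("192.0.2.10"))
    print(classify_zen_answer(["127.0.0.4", "127.0.0.11"]))
```

To use this against a real log, replace `LINE_RE` with a pattern for the server's own reject lines and feed the answer records from an actual lookup of the `dnsbl_query_name()` result into `classify_zen_answer()`; an address that comes back with several codes is on more than one component, which is how one IP can count toward both the CBL and PBL figures above. Check the return-code table against Spamhaus's current documentation before relying on it, since the published mapping can change.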
This week, Hotmail did:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 24 messages sent to our spamtraps.
- 16 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (two in the CBL, one in SBL48677, an advance fee fraud spam source listing from December 1st 2006, and one from the Cote d'Ivoire).
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs)
Bad bounces have almost doubled from last week, and the number of sources has more than doubled. On the slightly bright side, at least the HELO count has dropped slightly. The leading bad HELO source is 184.108.40.206 (72 tries), followed by 220.127.116.11 (67 tries).
Bad bounces were sent to 36 different bad usernames this week. The leading target, with 84 attempts, was an old user. After that we saw attempts to old users, the ever-popular noreply, some random xgosk02, and a variety of names like
This week the bounces seem to have come from all over; the leading source is chello.at, followed by a Polish ISP and Earthlink. Various places in Eastern Europe seem to be popular bounce sources in general.