Weekly spam summary on May 5th, 2007

May 5, 2007

This week, we:

  • got 11,805 messages from 264 different IP addresses.
  • handled 19,470 sessions from 1,321 different IP addresses.
  • received 170,583 connections from at least 62,048 different IP addresses.
  • hit a highwater of 11 connections being checked at once.

We had more sessions and more IPs connecting to us this week than last week but less total connections, and your guess is as good as mine as to what it really means (if anything).

Day Connections different IPs
Sunday 21,310 +8,843
Monday 32,292 +13,696
Tuesday 23,799 +8,856
Wednesday 22,444 +6,896
Thursday 25,018 +8,174
Friday 28,093 +9,787
Saturday 17,627 +5,796

This week Monday and Friday were the big days, with a run-down on Tuesday and a run-up on Thursday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       34228   1662K cox.net
206.123.109.0/27      20656   1135K otcpicknews
213.4.149.12          19454   1012K
205.152.59.0/24       18745    850K bellsouth.net
68.168.78.0/24        13503    648K adelphia.net
213.29.7.0/24          9039    542K centrum.cz
202.154.224.43         7387    443K
195.5.254.0/24         4216    231K nerim.net
200.68.116.133         4163    200K
67.53.104.2            4000    192K

Since the otcpicknews.com people are still at it, I've now awarded them their very own permanent kernel block entry. Otherwise, volume is up somewhat from last week, and this week sees the addition of nerim.net to our rolling 'too much bad stuff' /24 blocks; they kept retrying stuff that had already tripped our spamtraps from an ever-changing set of hosts in that /24, and I got tired of shooting them down one by one.

  • 213.4.149.12 returns from last week, still mailhost.terra.es.
  • 202.154.224.43 kept trying to send email with an origin address that had already tripped our spamtraps (probably advance fee fraud spam).
  • 200.68.116.133 has bad reverse DNS information.
  • 67.53.104.2 kept trying with a bad HELO.

It is pretty striking and depressing that the top ten is more than half network blocks this week, most of them blocked for excessive amounts of advance fee fraud spam.

Connection time rejection stats:

  39579 total
  21321 dynamic IP
  12543 bad or no reverse DNS
   4225 class bl-cbl
    204 class bl-pbl
    119 qsnews.net
    108 acceleratebiz.com
    105 216.75.6.0/24
    104 class bl-dsbl
     99 class bl-sbl
     96 otcpicknews.com
     95 class bl-njabl
     74 class bl-sdul
     24 verticalresponse.com

I note in passing how startlingly common it is for me to block the /24 a spammer hit us from and magically have that /24 light up in our stats, with connection attempts from all sorts of oddly named machines that we've never heard of before.

The highest source of SBL rejections this week is the same as last week: SBL49395 at 27 hits, a /24 listing for swishmail.com from December 23rd. Following it is SBL50181 with 23 rejections (microcamp.com.br's compromised web server, which has made the list several times before), and SBL52705 with 14 rejections (an advance fee fraud spam source listed March 23rd).

Only one of the top 30 most rejected IP addresses was rejected 100 times or more this week: 62.42.51.127, an onolab.com dynamic IP address, was rejected 241 times. Nine of the top 30 are currently in the CBL, one is in SBL34922, three are currently in bl.spamcop.net, seven are in the PBL, and a not so grand total of 11 of the 30 are in zen.spamhaus.org.

(Locally, 10 were rejected as dynamic IP addresses, 9 for having bad or missing reverse DNS, 7 for being from various places we don't want to talk to, two for being in the CBL, one for being in the NJABL, and one for being in the DSBL.)

This week Hotmail achieved:

  • 2 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 34 messages sent to our spamtraps.
  • 1 message refused because its sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (one in the CBL, one from the Cote d'Ivoire, and one from Burkina Faso).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 674 55 699 69
Bad bounces 42 23 125 57

The leading bad HELO source is 67.52.252.210, with 73 tries.

Bad bounces were sent to 36 different bad usernames this week, which is coincidentally the same number as last week; the most popular was nutvmme, with 3 attempts. Usernames like ClydeCall continue to be the most popular variety, sprinkled with valid ex-users, some a few things like kenburr, and random jumbles. This week, Earthlink is the leading source of bad bounces, with additional contributions from all over.

Written on 05 May 2007.
« A little twitch I have in X Windows
What Linux bind mounts are really doing »

Page tools: View Source.
Search:
Login: Password:

Last modified: Sat May 5 23:41:12 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.