Weekly spam summary on May 5th, 2007
This week, we:
- got 11,805 messages from 264 different IP addresses.
- handled 19,470 sessions from 1,321 different IP addresses.
- received 170,583 connections from at least 62,048 different IP addresses.
- hit a highwater of 11 connections being checked at once.
We had more sessions and more IPs connecting to us this week than last week but less total connections, and your guess is as good as mine as to what it really means (if anything).
This week Monday and Friday were the big days, with a run-down on Tuesday and a run-up on Thursday.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 126.96.36.199/23 34228 1662K cox.net 188.8.131.52/27 20656 1135K otcpicknews 184.108.40.206 19454 1012K 220.127.116.11/24 18745 850K bellsouth.net 18.104.22.168/24 13503 648K adelphia.net 22.214.171.124/24 9039 542K centrum.cz 126.96.36.199 7387 443K 188.8.131.52/24 4216 231K nerim.net 184.108.40.206 4163 200K 220.127.116.11 4000 192K
Since the otcpicknews.com people are still at it, I've now awarded them their very own permanent kernel block entry. Otherwise, volume is up somewhat from last week, and this week sees the addition of nerim.net to our rolling 'too much bad stuff' /24 blocks; they kept retrying stuff that had already tripped our spamtraps from an ever-changing set of hosts in that /24, and I got tired of shooting them down one by one.
- 18.104.22.168 returns from last week, still mailhost.terra.es.
- 22.214.171.124 kept trying to send email with an origin address that had already tripped our spamtraps (probably advance fee fraud spam).
- 126.96.36.199 has bad reverse DNS information.
- 188.8.131.52 kept trying with a bad
It is pretty striking and depressing that the top ten is more than half network blocks this week, most of them blocked for excessive amounts of advance fee fraud spam.
Connection time rejection stats:
39579 total 21321 dynamic IP 12543 bad or no reverse DNS 4225 class bl-cbl 204 class bl-pbl 119 qsnews.net 108 acceleratebiz.com 105 184.108.40.206/24 104 class bl-dsbl 99 class bl-sbl 96 otcpicknews.com 95 class bl-njabl 74 class bl-sdul 24 verticalresponse.com
I note in passing how startlingly common it is for me to block the /24 a spammer hit us from and magically have that /24 light up in our stats, with connection attempts from all sorts of oddly named machines that we've never heard of before.
The highest source of SBL rejections this week is the same as last week: SBL49395 at 27 hits, a /24 listing for swishmail.com from December 23rd. Following it is SBL50181 with 23 rejections (microcamp.com.br's compromised web server, which has made the list several times before), and SBL52705 with 14 rejections (an advance fee fraud spam source listed March 23rd).
Only one of the top 30 most rejected IP addresses was rejected 100 times
or more this week: 220.127.116.11, an onolab.com dynamic IP address, was
rejected 241 times. Nine of the top 30 are currently in the CBL, one is
three are currently in
bl.spamcop.net, seven are in the PBL, and a not
so grand total of 11 of the 30 are in zen.spamhaus.org.
(Locally, 10 were rejected as dynamic IP addresses, 9 for having bad or missing reverse DNS, 7 for being from various places we don't want to talk to, two for being in the CBL, one for being in the NJABL, and one for being in the DSBL.)
This week Hotmail achieved:
- 2 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 34 messages sent to our spamtraps.
- 1 message refused because its sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (one in the CBL, one from the Cote d'Ivoire, and one from Burkina Faso).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading bad
HELO source is 18.104.22.168, with 73 tries.
Bad bounces were sent to 36 different bad usernames this week, which
is coincidentally the same number as last week; the most popular
nutvmme, with 3 attempts. Usernames like
to be the most popular variety, sprinkled with valid ex-users, some
a few things like
kenburr, and random jumbles. This week, Earthlink
is the leading source of bad bounces, with additional contributions
from all over.