Weekly spam summary on May 12th, 2007

May 12, 2007

This week, we:

  • got 11,570 messages from 275 different IP addresses.
  • handled 20,679 sessions from 1,692 different IP addresses.
  • received 186,687 connections from at least 62,023 different IP addresses.
  • hit a highwater of 10 connections being checked at once.

Well, so much for the trend of decreasing volume; all of these are up noticeably from last week. The per day table suggests that this may have been mostly in the start of the week:

Day         Connections   different IPs
Sunday           26,438         +10,319
Monday           37,739         +10,616
Tuesday          31,307          +9,414
Wednesday        23,956          +8,468
Thursday         23,379          +7,934
Friday           25,344          +7,974
Saturday         18,524          +7,298

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       34227   1662K cox.net
213.4.149.12          26247   1365K
205.152.59.0/24       20422    926K bellsouth.net
68.168.78.0/24        14991    720K adelphia.net
213.29.7.0/24         11017    661K centrum.cz
216.75.6.165           6111    293K
67.103.186.2           5545    255K
76.204.233.194         4728    221K
65.175.90.190          3964    217K
195.5.254.0/24         3941    216K nerim.net

The total volume is about the same as last week, but it has definitely shifted around significantly; I am pleased that some of the advance fee fraud webmail sources seem to be dropping down the table.

  • 213.4.149.12, mailhost.terra.es, reappears from last week and many previous appearances.
  • 216.75.6.165 is someone we've never heard from before who was blocked for being in the same /24 as a spammer. As I commented last week, it's amazing how often this smokes out more interesting people; you would think that spammers buy a bunch of hosting from an ISP all at once, or something.
  • 67.103.186.2 and 76.204.233.194 are both IP addresses that we classify as dynamic IPs.
  • 65.175.90.190 reappears from late April, and was blocked for the same reason now as then: it kept trying to send stuff that had already tripped our spamtraps.

Connection time rejection stats:

  45538 total
  25346 dynamic IP
  14123 bad or no reverse DNS
   4404 class bl-cbl
    319 qsnews.net
    145 class bl-dsbl
    122 class bl-pbl
    110 acceleratebiz.com
    104 dartmail.net
    103 216.75.6.0/24
     96 Yesmail
     70 reliablehosting.com
     93 class bl-njabl
     77 class bl-sbl
     64 class bl-sdul

It is either depressing or encouraging how little gets blocked by all the DNS blocklists except the CBL; with some small exceptions, spamming us from dedicated network space is basically dead.

The highest source of SBL rejections this week is SBL53722 at 18 rejections (an April 19th listing for cavtel.net, an active advance fee fraud spam source), followed by SBL53319 at 17 rejections (a May 1st listing for 'inhoster.com', apparently a major source of spam and spam/cybercrime website hosting) and SBL50181 at 15 (microcamp.com.br appearing yet again, as it did last week).

Five of the top 30 most rejected IP addresses were rejected 100 times or more this week, with the leader being 62.42.62.93 (an onolab.com dynamic IP address), which was rejected 923 times. Eight of the top 30 are currently in the CBL, seven are currently in bl.spamcop.net, ten are currently in the PBL, and a grand total of only thirteen of the thirty are currently in zen.spamhaus.org.

(Locally, 17 were rejected as dynamic IP addresses, 6 for having bad or missing reverse DNS, 5 for being from various places we don't want to talk to, and two for being in the DSBL.)
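The tallies above come from checking each rejected IP against the CBL, bl.spamcop.net, the PBL and zen.spamhaus.org. As an added illustration (not the blog's own code), here is how that check is done in Python: the IPv4 octets are reversed, the zone is appended, and the A record that comes back is decoded using the Zen return codes Spamhaus documents (127.0.0.2-3 SBL, 127.0.0.4-7 XBL carrying the CBL data, 127.0.0.10-11 PBL). The resolver is a pluggable callable so the example runs offline against a constructed answer table using RFC 5737 TEST-NET addresses; the function names, the fake table and the summary labels are mine.

```python
"""DNSBL lookup and classification (added example, not the post's own code)."""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]

# Real zone names, as referred to in the post.
ZEN = "zen.spamhaus.org"
SPAMCOP = "bl.spamcop.net"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper only handles IPv4 lookups")
    return ".".join(reversed(ip.split("."))) + "." + zone


def classify_zen(answer: Optional[str]) -> Optional[str]:
    """Map a Zen A-record answer to the sub-list that produced it.

    Return codes as documented by Spamhaus: 127.0.0.2-3 SBL, 127.0.0.4-7 XBL
    (which carries the CBL data), 127.0.0.10-11 PBL. None means not listed.
    """
    if answer is None:
        return None
    if not answer.startswith("127.0.0."):
        # A non-127/8 answer usually means a wildcarding or broken resolver.
        return "unexpected:" + answer
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL/CBL"
    if last in (10, 11):
        return "PBL"
    return "unknown:" + answer


def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the system resolver; NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, socket.herror):
        return None


def check_ip(ip: str, resolver: Resolver = system_resolver) -> Dict[str, Optional[str]]:
    """Query both zones for one IP and return {zone: label-or-None}."""
    zen_answer = resolver(dnsbl_query_name(ip, ZEN))
    spamcop_answer = resolver(dnsbl_query_name(ip, SPAMCOP))
    return {
        ZEN: classify_zen(zen_answer),
        SPAMCOP: "listed" if spamcop_answer else None,
    }


def summarize(ips: Iterable[str], resolver: Resolver = system_resolver) -> Counter:
    """Count how many of the given IPs hit each list, as the post does for its top 30."""
    counts: Counter = Counter()
    for ip in ips:
        result = check_ip(ip, resolver)
        zen = result[ZEN]
        if zen is not None:
            counts["zen"] += 1
            counts[zen] += 1
        if result[SPAMCOP]:
            counts["spamcop"] += 1
    return counts


# Constructed answer table standing in for live DNS so the example runs offline.
# The addresses are RFC 5737 TEST-NET-1, not real listings.
FAKE_ANSWERS = {
    "1.2.0.192.zen.spamhaus.org": "127.0.0.4",   # XBL/CBL hit
    "1.2.0.192.bl.spamcop.net": "127.0.0.2",     # also on spamcop
    "2.2.0.192.zen.spamhaus.org": "127.0.0.11",  # PBL hit
    "3.2.0.192.zen.spamhaus.org": "127.0.0.2",   # SBL hit
    # 192.0.2.4 is deliberately absent from both zones
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for system_resolver backed by FAKE_ANSWERS."""
    return FAKE_ANSWERS.get(name)


def demo() -> Counter:
    """Tally four constructed addresses against the fake zones."""
    return summarize(["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"], fake_resolver)


if __name__ == "__main__":
    for list_name, n in sorted(demo().items()):
        print(f"{list_name}: {n}")
```

Passing `system_resolver` (the default) instead of `fake_resolver` performs real lookups; note that Spamhaus and SpamCop both rate-limit and refuse queries coming via large public resolvers, so production checks should go through a local caching resolver.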

This week Hotmail had:

  • 2 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 38 messages sent to our spamtraps.
  • 11 messages refused because their sender addresses had already hit our spamtraps.
  • 7 messages refused due to their origin IP address (two from Senegal, two from the Cote d'Ivoire, one in the CBL, one from Nigeria, and one from saix.net).

(As it turns out, two of the country rejections are now also on the CBL, although they were not at the time we rejected the email from Hotmail.)

And the final numbers:

what          this week   (distinct IPs)   last week   (distinct IPs)
Bad HELOs          1833             172         674               55
Bad bounces         452             423          42               23

Well, talk about an explosion in both sets of numbers. The leading source of bad HELOs this week is 66.18.49.218 (85 tries), followed by 87.86.107.83 (72 tries), 64.45.239.234 (also 72 tries), and 67.136.247.97 (71 tries).

Bad bounces were sent to 52 different bad usernames this week; the most popular was ifn at 50 attempts, followed by akz (47), oihfn (43), rrs (40), and quite a number of others with more than one hit. Random letter jumbles (mostly three characters long) pretty much took over the list of target usernames, and the sources came from all over, although Earthlink continues to be a popular source.

Written on 12 May 2007.
Last modified: Sat May 12 23:27:18 2007