Weekly spam summary on May 12th, 2007
This week, we:
- got 11,570 messages from 275 different IP addresses.
- handled 20,679 sessions from 1,692 different IP addresses.
- received 186,687 connections from at least 62,023 different IP addresses.
- hit a highwater of 10 connections being checked at once.
Well, so much for the trend of decreasing volume; all of these are up noticeably from last week. The per day table suggests that this may have been mostly in the start of the week:
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
184.108.40.206/23      34227   1662K  cox.net
220.127.116.11         26247   1365K
18.104.22.168/24       20422    926K  bellsouth.net
22.214.171.124/24      14991    720K  adelphia.net
126.96.36.199/24       11017    661K  centrum.cz
188.8.131.52            6111    293K
184.108.40.206          5545    255K
220.127.116.11          4728    221K
18.104.22.168           3964    217K
22.214.171.124/24       3941    216K  nerim.net
The total volume is about the same as last week, but it has definitely shifted around significantly; I am pleased that some of the advance fee fraud webmail sources seem to be dropping down the table.
- 126.96.36.199, mailhost.terra.es, reappears from last week and many previous appearances.
- 188.8.131.52 is someone we've never heard from before who was blocked for being in the same /24 as a spammer. As I commented last week, it's amazing how often this smokes out more interesting people; you would think that spammers buy a bunch of hosting from an ISP all at once, or something.
- 184.108.40.206 and 220.127.116.11 are both IP addresses that we classify as dynamic IPs.
- 18.104.22.168 reappears from late April, and was blocked for the same reason now as then: it kept trying to send stuff that had already tripped our spamtraps.
Connection time rejection stats:
45538 total
25346 dynamic IP
14123 bad or no reverse DNS
 4404 class bl-cbl
  319 qsnews.net
  145 class bl-dsbl
  122 class bl-pbl
  110 acceleratebiz.com
  104 dartmail.net
  103 22.214.171.124/24
   96 Yesmail
   70 reliablehosting.com
   93 class bl-njabl
   77 class bl-sbl
   64 class bl-sdul
It is either depressing or encouraging how little gets blocked by all the DNS blocklists except the CBL; with some small exceptions, spamming us from dedicated network space is basically dead.
The highest source of SBL rejections this week is SBL53722 at 18 rejections (an April 19th listing for cavtel.net, an active advance fee fraud spam source), followed by SBL53319 at 17 rejections (a May 1st listing for 'inhoster.com', apparently a major source of spam and spam/cybercrime website hosting) and SBL50181 at 15 (microcamp.com.br appearing yet again, as it did last week).
Five of the top 30 most rejected IP addresses were rejected 100 times or more this week, with the leader being 126.96.36.199 (an onolab.com dynamic IP address), which was rejected 923 times. Eight of the top 30 are currently in the CBL, seven are currently in the PBL, and a grand total of only thirteen of the thirty are currently in zen.spamhaus.org.
(Locally, 17 were rejected as dynamic IP addresses, 6 for having bad or missing reverse DNS, 5 for being from various places we don't want to talk to, and two for being in the DSBL.)
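The CBL, PBL and zen.spamhaus.org counts above come from DNSBL lookups, and "in zen" covers "in the CBL" and "in the PBL" because zen aggregates those lists. As an added example (not code from the original post), here is how a mail server builds the zen query and decodes which component list answered; the 127.0.0.x return-code map is an assumption taken from Spamhaus's published codes and should be re-checked against their current documentation.

```python
"""Decode a zen.spamhaus.org DNSBL answer into the component list that hit.

Added illustration, not the original post's code. The query is the IPv4
octets reversed under zen.spamhaus.org; the A record(s) returned encode
which list(s) matched. Return-code map is an assumption (re-check it).
"""
import ipaddress
import socket

ZEN = "zen.spamhaus.org"

# 127.0.0.x return codes -> Spamhaus component list (assumed map).
ZEN_CODES = {
    2: "SBL",           # Spamhaus Block List: spam sources / spam support
    3: "SBL",           # SBL CSS: snowshoe / compromised senders
    4: "XBL", 5: "XBL", # XBL: exploits list, which carries the CBL data
    6: "XBL", 7: "XBL",
    10: "PBL",          # Policy Block List: dynamic / end-user space
    11: "PBL",
}

def zen_query_name(ip: str) -> str:
    """Build the lookup name: reversed octets, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on junk input
    return ".".join(reversed(addr.exploded.split("."))) + "." + ZEN

def classify_zen_answers(answers):
    """Map returned A records to the lists they indicate.

    Anything outside 127.0.0.x (e.g. 127.255.255.x error codes) is
    reported as 'ERROR', not as a listing, so a quota or typo problem
    never silently rejects mail.
    """
    lists = set()
    for a in answers:
        octets = a.split(".")
        if octets[:3] != ["127", "0", "0"]:
            lists.add("ERROR")
            continue
        lists.add(ZEN_CODES.get(int(octets[3]), "ERROR"))
    return lists

def lookup_zen(ip: str):
    """Live lookup (needs network). NXDOMAIN means 'not listed'."""
    try:
        _, _, addrs = socket.gethostbyname_ex(zen_query_name(ip))
    except socket.gaierror:
        return set()
    return classify_zen_answers(addrs)
```

The two pure functions can be exercised offline with constructed answers; only `lookup_zen` talks to DNS.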
This week Hotmail had:
- 2 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 38 messages sent to our spamtraps.
- 11 messages refused because their sender addresses had already hit our spamtraps.
- 7 messages refused due to their origin IP address (two from Senegal, two from the Cote d'Ivoire, one in the CBL, one from Nigeria, and one from saix.net).
(As it turns out, two of the country rejections are now also on the CBL, although they were not at the time we rejected the email from Hotmail.)
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs)
Well, talk about an explosion in both sets of numbers. The leading source of bad HELOs this week is 188.8.131.52 (85 tries), followed by 184.108.40.206 (72 tries), 220.127.116.11 (also 72 tries), and 18.104.22.168 (71 tries).
Bad bounces were sent to 52 different bad usernames this week; the most popular target was ifn at 50 attempts, followed by rrs (40), and quite a number of others with more than one hit. Random letter jumbles (mostly three characters long) pretty much took over the list of target usernames, and the sources came from all over, although Earthlink continues to be a popular source.