Weekly spam summary on May 19th, 2007
This week, we:
- got 10,112 messages from 256 different IP addresses.
- handled 17,652 sessions from 1,101 different IP addresses.
- received 154,723 connections from at least 52,588 different IP addresses.
- hit a highwater of 10 connections being checked at once.
Volume is definitely down compared to last week, although the connection highwater is the same. In fact I believe this is about the lowest it's been in a while. The per day table is pretty flat:
Wednesday stands out so much that I find myself wondering if we had some sort of Internet connectivity interruption then. (Not that I noticed.)
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 22.214.171.124 40667 2115K 126.96.36.199 27795 1667K 188.8.131.52/24 23790 1078K bellsouth.net 184.108.40.206/23 23148 1124K cox.net 220.127.116.11/24 14972 719K adelphia.net 18.104.22.168/24 12577 754K centrum.cz 22.214.171.124 8532 409K 126.96.36.199 6427 308K 188.8.131.52 5621 270K 184.108.40.206 5184 311K
The big advance fee fraud spam webmail sources did not so much drop as get displaced by other, more active places; kernel rejection volume is up significantly from last week.
- 220.127.116.11, mailhost.terra.es, returns from last week and many previous weeks.
- 18.104.22.168 is blocked for being a phish spam source.
- 22.214.171.124 returns from last week, still in a /24 apparently colonized by a spammer.
- 126.96.36.199 and 188.8.131.52 were rejected for being bigpond.net.au generic customers, and on checking I see that they are both on the CBL and one is even SBL54740.
- 184.108.40.206 is in the SORBS DUL.
Connection time rejection stats:
39266 total 19977 dynamic IP 13568 bad or no reverse DNS 4192 class bl-cbl 382 qsnews.net 172 class bl-dsbl 115 class bl-sdul 113 acceleratebiz.com 110 class bl-pbl 93 dartmail.net 69 reliablehosting.com 51 class bl-njabl 48 class bl-sbl 35 220.127.116.11/24
The highest source of SBL rejections this week is SBL30718 at 11 rejections (a Septh 4th 2005 /24 listing for too much advance fee fraud spam), followed by SBL50181 at 10 rejections (microcamp.com.br, which we've seen many times before). It's kind of depressing that even the SBL hasn't been able to get these people to take notice and fix their problems.
Only one of the top 30 most rejected IP addresses was rejected 100 times
or more this week: 18.104.22.168, part of our qsnews.net block, was
rejected 300 times. Seven out of the top 30 are currently in the CBL,
eighteen are currently in
bl.spamcop.net, fifteen are in the PBL,
and a grand total of 19 are in zen.spamhaus.org.
(Locally, 21 were rejected as dynamic IP addresses, 4 for having bad or missing reverse DNS, three for being from places we don't want to talk to any more, and one for being in the SORBS DUL and one for being in the DSBL.)
This week Hotmail had:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 53 messages sent to our spamtraps.
- 5 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one in the CBL and one from Senegal).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
This is a welcome decline from last week. The leading source of bad
HELOs was 22.214.171.124 (97 tries), followed by 126.96.36.199 and
188.8.131.52 (each with 70 tries).
Bad bounces were sent to 50 different bad usernames this week, with
the most popular being a tie between
two each. Bad usernames like
LamarByrne completely dominated the
list, with only one ex-user and a few things like
This week Verizon totally dominates as the origin, with softbank.ne.jp
and Earthlink more or distantly tied for the second spot.