Weekly spam summary on May 26th, 2007

May 26, 2007

Unfortunately, our SMTP frontend restarted sometime Friday, so I only have some statistics up until Friday morning. That said, this week we:

  • got 10,439 messages from 277 different IP addresses.
  • handled 18,746 sessions from 1,402 different IP addresses.
  • received 137,918 connections from at least 49,448 different IP addresses up until Friday at 4am.
  • hit a high-water mark of 9 connections being checked at once.

Mashing some data around suggests that the total connection volume over the entire week is at least 165,164 connections, which would put us somewhat up from last week. It's possible that Friday saw a major surge of connections that the restarted frontend did not record.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          32661   1697K
205.152.59.0/24       23363   1059K bellsouth.net
213.29.7.0/24         15685    940K centrum.cz
68.230.240.0/23       14168    688K cox.net
216.75.6.165           9211    442K
68.168.78.0/24         7787    374K adelphia.net
67.126.132.83          7170    344K
209.159.39.221         3917    235K
212.175.13.129         3807    228K
193.70.192.0/24        2978    134K iol.it

Overall volume is down from last week, which I consider good. Unfortunately but predictably, I don't think the advance fee fraud spam webmail sources are doing much about their problem yet.

  • 213.4.149.12, mailhost.terra.es, returns from last week and many weeks before.
  • 216.75.6.165 and 209.159.39.221 return from last week.
  • 67.126.132.83 does not technically return from last week because it was not in the kernel packet filtering list then, but it was the top bad HELO source then and this time it made the top ten.
  • 212.175.13.129 was also listed for repeatedly trying a bad HELO, and returns from early January.

Connection time rejection stats:

  44597 total
  24119 dynamic IP
  14810 bad or no reverse DNS
   4267 class bl-cbl
    249 qsnews.net
    241 class bl-pbl
    152 dartmail.net
    137 acceleratebiz.com
     88 class bl-sbl
     82 class bl-dsbl
     80 class bl-sdul
     40 class bl-njabl
     30 216.75.6.0/24

The highest source of SBL rejections this week was SBL51583 with 22 rejections; it is a listing from February 23rd for a hijacked 'serverkompetenz.net' machine. The next highest source (at 18 rejections) is for an IP address that has now been removed from the SBL; I suspect that it was a hijacked machine that got cleaned up.

Five of the top 30 most rejected IP addresses were rejected 100 times or more this week; the champion is 41.204.70.129 (326 rejections, for bad or missing reverse DNS), followed by 216.213.172.11 (228 rejections, qsnews.net), 65.240.228.69 (191 rejections, in the CBL), 83.26.3.82 (162 rejections, a tpnet.pl ADSL customer), and 88.238.114.36 (145 rejections, for bad or missing reverse DNS).

(Checking what else is hanging out in 216.213.172.0/24, I am somehow not surprised to find signs of otcpicksnews.com.)

Eleven out of the top 30 most rejected IP addresses are currently in the CBL, two are in the SBL (213.154.88.179 is in SBL21134 and SBL43951, a /23 and a /22 listing for advance fee fraud from Senegal that date from May and July of 2006, and 213.154.94.143 is in SBL21129, another listing for Senegal advance fee fraud spam sources, this time dating from November 2004), seven are currently in bl.spamcop.net, eighteen are in the PBL, and a grand total of 21 out of the 30 are in zen.spamhaus.org. Lest I become too enthused about zen.spamhaus.org agreeing with me, only six of our top ten are in it.
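The cross-checks above (is a rejected IP in the CBL, the SBL, the PBL, or zen.spamhaus.org at all) are ordinary DNSBL lookups. The following is an added example, not code from the original post: it builds the reversed-octet query name, decodes the A-record answers into the component lists, and tallies a set of addresses the way the paragraph does. The mapping from zen.spamhaus.org answer addresses to SBL/XBL/PBL is assumed from Spamhaus's published return codes, not stated on the page; the CBL is served through zen's XBL component. The resolver is injectable, so the block runs offline against a constructed answer table using RFC 5737 documentation addresses.

```python
"""Classify IP addresses against a zen.spamhaus.org-style DNSBL.

Added example, not part of the original post.  Lookup convention: reverse the
octets, append the zone, read the A records.  The answer-code mapping below is
an assumption taken from Spamhaus's documented return codes.
"""
import ipaddress
import socket
from collections import Counter

ZONE = "zen.spamhaus.org"


def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNSBL query name for an IPv4 address: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_answers(answers):
    """Map zen A-record answers to the component lists they encode (assumed codes).

    127.0.0.2/3/9 -> SBL, 127.0.0.4-7 -> XBL (includes CBL data),
    127.0.0.10/11 -> PBL.  Anything else (e.g. 127.255.255.x error
    indications) is not a listing and is ignored.
    """
    lists = set()
    for a in answers:
        if not a.startswith("127.0.0."):
            continue
        last = int(a.rsplit(".", 1)[1])
        if last in (2, 3, 9):
            lists.add("SBL")
        elif 4 <= last <= 7:
            lists.add("XBL")
        elif last in (10, 11):
            lists.add("PBL")
    return lists


def lookup(ip, resolve, zone=ZONE):
    """Return the set of component lists an address is in, using `resolve`."""
    return classify_answers(resolve(dnsbl_query_name(ip, zone)))


def summarize(ips, resolve, zone=ZONE):
    """Count how many addresses are in each component list and in zen at all."""
    counts = Counter()
    for ip in ips:
        lists = lookup(ip, resolve, zone)
        for name in lists:
            counts[name] += 1
        if lists:
            counts["zen (any)"] += 1
    return counts


def system_resolve(name):
    """Real resolver: A records for `name` via the system resolver, [] if NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed answer table for the offline demonstration (not real listings).
FAKE_ANSWERS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.4"],                # XBL (CBL)
    dnsbl_query_name("192.0.2.11"): ["127.0.0.2", "127.0.0.11"],  # SBL and PBL
    dnsbl_query_name("198.51.100.5"): ["127.0.0.10"],             # PBL
    dnsbl_query_name("203.0.113.1"): [],                          # not listed
}


def fake_resolve(name):
    """Offline stand-in for system_resolve, backed by FAKE_ANSWERS."""
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    sample = ["192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.1"]
    for ip in sample:
        print(ip, sorted(lookup(ip, fake_resolve)) or "not listed")
    print(dict(summarize(sample, fake_resolve)))
```

Swap `fake_resolve` for `system_resolve` to query the real zone; note that Spamhaus answers queries sent through large public resolvers with 127.255.255.x error codes rather than listings, which the classifier deliberately treats as "not listed".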

(Locally, 15 were rejected as dynamic IP addresses, 13 for having bad or missing reverse DNS, one for being qsnews.net, and one for being in the CBL.)

This week, Hotmail had:

  • 4 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 36 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 6 messages refused due to their origin IP address (two from the Cote d'Ivoire, one in the CBL, one in SBL33810, one from Nigeria, and one from saix.net).

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      624 (92)                     769 (62)
Bad bounces    190 (94)                      52 (25)

There was no particular active bad HELO source this week (probably partly because I blocked some of them early).

Bad bounces were sent to 173 different bad usernames this week, with the most popular one being raebynum with five attempts. The bad usernames are all over the map this week, but the most popular sort seems to be things like JewelZavala. For amusement, there was one attempt to deliver a bounce to the username user. Bounces came from all over, with Verizon and Earthlink still up in the list but being challenged by sites in the Far East (including Japan and Taiwan), Australia, and various other places.

Written on 26 May 2007.
Last modified: Sat May 26 23:47:16 2007