Weekly spam summary on June 2nd, 2007

June 2, 2007

This week, we:

  • got 10,553 messages from 239 different IP addresses.
  • handled 19,451 sessions from 1,629 different IP addresses.
  • received 430,428 connections from at least 69,677 different IP addresses.
  • hit a highwater of 9 connections being checked at once.

The connection volume is way up compared to last week; however, I believe that it is mostly because of one machine,, that reacted exceptionally badly to our greylisting (to the point of retrying multiple times a second). Once I worked out what was going on and blocked it, things quieted right down. You can clearly see the effects in the daily stats:

Day Connections different IPs
Sunday 17,636 +9,702
Monday 33,471 +12,667
Tuesday 184,927 +9,388
Wednesday 99,137 +9,231
Thursday 33,946 +9,883
Friday 36,539 +10,456
Saturday 24,772 +8,350

The machine showed up at about 3pm Tuesday and got blocked Wednesday morning; ironically it seems to react much better to kernel level blocks and has barely sent us anything since then.

The volume may be up even apart from that, since it looks like daily volume would have been over 30,000 every weekday even without that. But it's hard to be sure.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes          34323   1784K       21531    976K bellsouth.net        16420    788K adelphia.net       13444    653K cox.net         10937    655K centrum.cz          5560    267K            4665    224K           4488    210K         3506    210K         3495    163K

The overall volume is down slightly compared to last week; however, the advance fee fraud spam webmail places are back to dominating the top of the list.

  • and return from last week.
  • kept trying to send mail with an origin address that had already tripped our spamtraps.
  • and kept trying with bad HELOs.
  • is something we consider a dynamic or generic IP address.

Connection time rejection stats:

  58817 total
  29106 dynamic IP
  23124 bad or no reverse DNS
   5175 class bl-cbl
    343 class bl-pbl
    156 qsnews.net
     97 acceleratebiz.com
     88 dartmail.net
     79 class bl-dsbl
     71 class bl-sdul
     65 class bl-sbl
     27 icpbounce.com
     18 class bl-njabl

The highest source of SBL rejections this week was SBL30718 with 14 rejections; to my complete lack of surprise, it is an advance fee fraud spam /24 listing from September 4th 2005. Next up is last week's leading source, SBL51583 with 10 rejections.

Only one of the top 30 most rejected IP addresses was rejected 100 times or more this week:, blocked for bad or missing reverse DNS, was rejected 142 times. Sixteen of the top 30 are currently in the CBL, seven are currently in bl.spamcop.net, fourteen are in the PBL, and a grand total of 21 are in zen.spamhaus.org.

(Locally, 16 were rejected for bad or missing reverse DNS, 12 for being dynamic IPs, and 2 because we don't want to talk to them.)

This week, Hotmail had:

  • 5 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 42 messages sent to our spamtraps.
  • 1 message refused because its sender addresses had already hit our spamtraps.
  • 7 messages refused due to their origin IP address (3 in the CBL, and four in the SBL in SBL34924 (listed November 2005), SBL49340, SBL51849, and SBL54927).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 1369 142 624 92
Bad bounces 349 187 190 94

The leading sources of bad HELOs this week were (95 tries), (76 tries), (72 tries), and (71 tries). Two of these tried HELO names that were just impossible; the other two just tried names that were unresolvable.

Bad bounces were sent to 257 different bad usernames this week, with the most popular by far being AmaliaDowdy (61 attempts). This username pattern was also the dominant form of bad username, with a few attempts to throw in old users, hyphen-separated names like lucky-monkey, and some random sequences. To my surprise, w3.org appears high in the sources list this week, and all the usual suspects from last week are still putting in appearances.

(Of course, these days some of this may be misguided address verification systems. Every now and then I think about clever ways to cause them pain, like deferring refusals until after DATA.)

Written on 02 June 2007.
« Why our Solaris fileservers still use the automounter
Why we need our SAN RAID controllers to support logical drives »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Jun 2 23:57:17 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.