Weekly spam summary on June 2nd, 2007
This week, we:
- got 10,553 messages from 239 different IP addresses.
- handled 19,451 sessions from 1,629 different IP addresses.
- received 430,428 connections from at least 69,677 different IP addresses.
- hit a highwater of 9 connections being checked at once.
The connection volume is way up compared to last week; however, I believe that it is mostly because of one machine, 188.8.131.52, that reacted exceptionally badly to our greylisting (to the point of retrying multiple times a second). Once I worked out what was going on and blocked it, things quieted right down. You can clearly see the effects in the daily stats:
The machine showed up at about 3pm Tuesday and got blocked Wednesday morning; ironically it seems to react much better to kernel level blocks and has barely sent us anything since then.
The volume may be up even apart from that, since it looks like daily volume would have been over 30,000 every weekday even without that. But it's hard to be sure.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 184.108.40.206 34323 1784K 220.127.116.11/24 21531 976K bellsouth.net 18.104.22.168/24 16420 788K adelphia.net 22.214.171.124/23 13444 653K cox.net 126.96.36.199/24 10937 655K centrum.cz 188.8.131.52 5560 267K 184.108.40.206 4665 224K 220.127.116.11 4488 210K 18.104.22.168 3506 210K 22.214.171.124 3495 163K
The overall volume is down slightly compared to last week; however, the advance fee fraud spam webmail places are back to dominating the top of the list.
- 126.96.36.199 and 188.8.131.52 return from last week.
- 184.108.40.206 kept trying to send mail with an origin address that had already tripped our spamtraps.
- 220.127.116.11 and 18.104.22.168 kept trying with bad
- 22.214.171.124 is something we consider a dynamic or generic IP address.
Connection time rejection stats:
58817 total 29106 dynamic IP 23124 bad or no reverse DNS 5175 class bl-cbl 343 class bl-pbl 156 qsnews.net 97 acceleratebiz.com 88 dartmail.net 79 class bl-dsbl 71 class bl-sdul 65 class bl-sbl 27 icpbounce.com 18 class bl-njabl
The highest source of SBL rejections this week was SBL30718 with 14 rejections; to my complete lack of surprise, it is an advance fee fraud spam /24 listing from September 4th 2005. Next up is last week's leading source, SBL51583 with 10 rejections.
Only one of the top 30 most rejected IP addresses was rejected 100 times
or more this week: 126.96.36.199, blocked for bad or missing reverse
DNS, was rejected 142 times. Sixteen of the top 30 are currently in the
CBL, seven are currently in
bl.spamcop.net, fourteen are in the PBL,
and a grand total of 21 are in zen.spamhaus.org.
(Locally, 16 were rejected for bad or missing reverse DNS, 12 for being dynamic IPs, and 2 because we don't want to talk to them.)
This week, Hotmail had:
- 5 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 42 messages sent to our spamtraps.
- 1 message refused because its sender addresses had already hit our spamtraps.
- 7 messages refused due to their origin IP address (3 in the CBL, and four in the SBL in SBL34924 (listed November 2005), SBL49340, SBL51849, and SBL54927).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading sources of bad
HELOs this week were 188.8.131.52 (95
tries), 184.108.40.206 (76 tries), 220.127.116.11 (72 tries), and 18.104.22.168
(71 tries). Two of these tried
HELO names that were just impossible;
the other two just tried names that were unresolvable.
Bad bounces were sent to 257 different bad usernames this week, with
the most popular by far being
AmaliaDowdy (61 attempts). This username
pattern was also the dominant form of bad username, with a few attempts
to throw in old users, hyphen-separated names like
and some random sequences. To my surprise, w3.org appears high in the
sources list this week, and all the usual suspects from last week
are still putting in appearances.
(Of course, these days some of this may be misguided address
verification systems. Every now and then I think about clever ways to
cause them pain, like deferring refusals until after