Weekly spam summary on June 16th, 2007
This week, we:
- got 10,437 messages from 238 different IP addresses.
- handled 19,475 sessions from 1,336 different IP addresses.
- received 213,499 connections from at least 71,964 different IP addresses.
- hit a highwater of 8 connections being checked at once.
This is down from last week on the absolute numbers, but may be up somewhat if we exclude the effects of the one prolific connector from last week's numbers. On the other hand, the per day numbers are floating all over the map:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 188.8.131.52/23 30243 1469K cox.net 184.108.40.206/24 23438 1063K bellsouth.net 220.127.116.11 20606 1075K 18.104.22.168/24 13129 630K adelphia.net 22.214.171.124 8783 411K 126.96.36.199 8629 518K 188.8.131.52 8429 438K 184.108.40.206 8220 384K 220.127.116.11 4791 224K 18.104.22.168 4128 193K
This is down from last week, and also only a few bad webmail sources have made the top ten this time around; for once, most of them are individual IPs.
- 22.214.171.124 and 126.96.36.199 return from last week and many previous engagements.
- 188.8.131.52 is in NJABL.
- 184.108.40.206 was in the SBL, but the listing has been removed since it started banging on the door.
- 220.127.116.11 is something we consider a dynamic IP, and returns from two weeks ago.
- 18.104.22.168 kept trying to send us phish spam that had already tripped our spamtraps.
- 22.214.171.124 kept trying with a bad
Connection time rejection stats:
58982 total 29047 dynamic IP 23305 bad or no reverse DNS 4801 class bl-cbl 316 qsnews.net 314 class bl-dsbl 271 class bl-njabl 180 class bl-pbl 176 class bl-sbl 62 126.96.36.199/24 37 acceleratebiz.com 33 class bl-sdul
The funny /24 is 'IBS Hosting Corp' aka web1host.net of Tampa Florida, and we have seen them before. The highest source of SBL rejections this week was 188.8.131.52 with 87 rejections, but its SBL listing has been removed, so the highest source still in the SBL is SBL55450 (24 rejections, a spam source), followed by SBL54907 (23 rejections, a virus spam source).
(Some trawling in news.admin.net-abuse.sightings suggests that we do not want to talk to 184.108.40.206 aka ebizlatin.com even if the SBL no longer lists them, so I have added them to our local blocklist.)
Four of the top 30 most rejected IP addresses were rejected 100 times
or more this week, with the leader being 220.127.116.11 (237 rejections
for being a qsnews.net machine). Nine of the top 30 are currently in the
CBL, seven are currently in
bl.spamcop.net, seven are in the PBL, and
a grand total of fourteen of the 30 are in zen.spamhaus.org.
(Locally, 14 were rejected for missing or bad reverse DNS, 9 for being dynamic IPs, 3 for being people we don't want to talk to, 2 for being in the DSBL, one for being in the SBL, and one for being in the NJABL.)
This week, Hotmail had:
- 2 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 48 messages sent to our spamtraps.
- 6 messages refused because their sender addresses had already hit our spamtraps.
- 9 messages refused due to their origin IP address (three for being in the CBL, two for being in SBL52368 two for being from Burkina Faso, one for being from SAIX, and one for being in SBL32972, a listing from November 2005).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leader sources of bad
HELOs this week are 18.104.22.168 (154
rejections), 22.214.171.124 (104 rejections), and 126.96.36.199 (77
rejections). Only one of them used a clearly bogus
HELO name; the
others just picked unresolvable ones.
Bad bounces were sent to 178 different bad usernames this week; the most
popular position is a seven-way tie between
DariusEsparza, each of which had two attempts. This also neatly shows
which sort of bad usernames were the most popular overall, although we
saw a few odd ones like
har-miy. No particular source of bad bounces
stands out; contributions came from what are by now all of the usual