Weekly spam summary on June 16th, 2007
This week, we:
- got 10,437 messages from 238 different IP addresses.
- handled 19,475 sessions from 1,336 different IP addresses.
- received 213,499 connections from at least 71,964 different IP addresses.
- hit a highwater of 8 connections being checked at once.
This is down from last week on the absolute numbers, but may be up somewhat if we exclude the effects of the one prolific connector from last week's numbers. On the other hand, the per day numbers are floating all over the map:
Day | Connections | different IPs |
Sunday | 29,880 | +12,325 |
Monday | 32,009 | +11,720 |
Tuesday | 26,008 | +8,842 |
Wednesday | 28,879 | +8,772 |
Thursday | 40,321 | +11,547 |
Friday | 31,229 | +10,212 |
Saturday | 25,173 | +8,546 |
Kernel level packet filtering top ten:
Host/Mask           Packets   Bytes
68.230.240.0/23       30243   1469K   cox.net
205.152.59.0/24       23438   1063K   bellsouth.net
213.4.149.12          20606   1075K
68.168.78.0/24        13129    630K   adelphia.net
70.22.152.139          8783    411K
216.244.151.246        8629    518K
213.4.149.11           8429    438K
72.244.103.211         8220    384K
71.140.111.241         4791    224K
74.15.184.141          4128    193K
This is down from last week, and also only a few bad webmail sources have made the top ten this time around; for once, most of them are individual IPs.
- 213.4.149.12 and 213.4.149.11 return from last week and many previous engagements.
- 70.22.152.139 is in NJABL.
- 216.244.151.246 was in the SBL, but the listing has been removed since it started banging on the door.
- 72.244.103.211 is something we consider a dynamic IP, and returns from two weeks ago.
- 71.140.111.241 kept trying to send us phish spam that had already tripped our spamtraps.
- 74.15.184.141 kept trying with a bad HELO name.
Connection time rejection stats:
58982 total
29047 dynamic IP
23305 bad or no reverse DNS
 4801 class bl-cbl
  316 qsnews.net
  314 class bl-dsbl
  271 class bl-njabl
  180 class bl-pbl
  176 class bl-sbl
   62 216.75.6.0/24
   37 acceleratebiz.com
   33 class bl-sdul
The funny /24 is 'IBS Hosting Corp' aka web1host.net of Tampa Florida, and we have seen them before. The highest source of SBL rejections this week was 216.244.151.246 with 87 rejections, but its SBL listing has been removed, so the highest source still in the SBL is SBL55450 (24 rejections, a spam source), followed by SBL54907 (23 rejections, a virus spam source).
(Some trawling in news.admin.net-abuse.sightings suggests that we do not want to talk to 216.244.151.246 aka ebizlatin.com even if the SBL no longer lists them, so I have added them to our local blocklist.)
Four of the top 30 most rejected IP addresses were rejected 100 times or more this week, with the leader being 216.213.172.11 (237 rejections for being a qsnews.net machine). Nine of the top 30 are currently in the CBL, seven are currently in bl.spamcop.net, seven are in the PBL, and a grand total of fourteen of the 30 are in zen.spamhaus.org.
(Locally, 14 were rejected for missing or bad reverse DNS, 9 for being dynamic IPs, 3 for being people we don't want to talk to, 2 for being in the DSBL, one for being in the SBL, and one for being in the NJABL.)
This week, Hotmail had:
- 2 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 48 messages sent to our spamtraps.
- 6 messages refused because their sender addresses had already hit our spamtraps.
- 9 messages refused due to their origin IP address (three for being in the CBL, two for being in SBL52368, two for being from Burkina Faso, one for being from SAIX, and one for being in SBL32972, a listing from November 2005).
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 1557 | 118 | 1232 | 128 |
Bad bounces | 185 | 141 | 312 | 177 |
The leading sources of bad HELOs this week are 206.51.227.134 (154 rejections), 66.6.97.210 (104 rejections), and 71.29.93.35 (77 rejections). Only one of them used a clearly bogus HELO name; the others just picked unresolvable ones.
Bad bounces were sent to 178 different bad usernames this week; the most popular position is a seven-way tie between indra, JeffereyMoore, GradyConklin, GoldieSimon, ElinorPowers, DennisSalazar, and DariusEsparza, each of which had two attempts. This also neatly shows which sort of bad usernames were the most popular overall, although we saw a few odd ones like har-miy. No particular source of bad bounces stands out; contributions came from what are by now all of the usual suspects.