Weekly spam summary on June 23rd, 2007

June 23, 2007

This week, we:

  • got 10,190 messages from 259 different IP addresses.
  • handled 18,093 sessions from 1,527 different IP addresses.
  • received 223,304 connections from at least 76,627 different IP addresses.
  • hit a highwater of 10 connections being checked at once.

This is up a bit from last week in both connection volume and the number of different IPs trying to talk to us.

Day Connections different IPs
Sunday 26,556 +10,547
Monday 36,931 +12,843
Tuesday 33,743 +12,127
Wednesday 40,667 +13,267
Thursday 28,317 +9,957
Friday 31,912 +9,897
Saturday 25,178 +7,989

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes       32271   1566K cox.net          21370   1109K       21336    966K bellsouth.net        12143    581K adelphia.net      11948    662K           9476    528K         8723    519K           4182    217K         4062    190K       3511    169K tin.it

Volume is about the same as last week. The netblock is blocked because of otcpicknews.com et al; I put them in the kernel blocks after I got tired of them hammering on us.

  • and return from last week and many previous appearances.
  • is beaconresearchnews.com. We have decided that we don't want to talk to them.
  • aka 50-off.com.tw is in SBL49970, which dates from 11 January 2007.
  • is something we consider a dynamic IP address.

Connection time rejection stats:

  65450 total
  29813 dynamic IP
  28601 bad or no reverse DNS
   5249 class bl-cbl
    315 qsnews.net
    232 class bl-pbl
    142 class bl-sbl
    141 beaconresearchnews.com
    125 class bl-dsbl
    120 dartmail.net
     85 class bl-sdul
     43 aka IBS Hosting Corp
     37 class bl-njabl

The highest source of SBL rejections this week was SBL55809 with 33 rejections, followed by SBL50728 with 26 and SBL49970 with 23 rejections. All of them are listed as spam sources, with various degrees of involvement in the spam imputed in the SBL listings.

Nine of the top 30 most rejected IP addresses were rejected 100 times or more; the grand champion is with 1,840 rejections (for having no reverse DNS). Dishonorable mentions must also go to (716 rejections, bad reverse DNS and in the CBL and PBL) and (360 rejections, bad reverse DNS, merely in the PBL). Six of the top 30 are currently in the CBL, eleven are currently in bl.spamcop.net, thirteen are in the PBL, and a grand total of 17 are in zen.spamhaus.org.

(Locally, 16 were rejected for bad or missing reverse DNS, 9 for being dynamic IPs, three for being people we didn't want to talk to, and one each for being in the PBL and the DSBL.)

This week, Hotmail had:

  • 4 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 40 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (one in the CBL, one in SBL51849, one from Burkina Faso, and one from a South African wireless company).

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 1072 136 1557 118
Bad bounces 327 194 185 141

The leading source of bad HELOs this week was (111 rejections), followed by (81 rejections) and (77 rejections). The latter two used HELO names ending in .local, as did any number of other lower-scoring people.

Bad bounces were sent to 262 different bad usernames, with the most popular one being VirginiaPerkins with 10 attempts. This bad username pattern dominated the overall most popular pattern, with only a few other patterns showing up (including a few old ex-users). Bounces came from all over, with no particular large single source that I can pick out right now.

Written on 23 June 2007.
« One reason why the Debian package format is not my favorite
Painless long term storage management without disturbing users »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Jun 23 23:44:44 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.