Weekly spam summary on June 23rd, 2007
This week, we:
- got 10,190 messages from 259 different IP addresses.
- handled 18,093 sessions from 1,527 different IP addresses.
- received 223,304 connections from at least 76,627 different IP addresses.
- hit a highwater of 10 connections being checked at once.
This is up a bit from last week in both connection volume and the number of different IPs trying to talk to us.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 22.214.171.124/23 32271 1566K cox.net 126.96.36.199 21370 1109K 188.8.131.52/24 21336 966K bellsouth.net 184.108.40.206/24 12143 581K adelphia.net 220.127.116.11/27 11948 662K 18.104.22.168 9476 528K 22.214.171.124 8723 519K 126.96.36.199 4182 217K 188.8.131.52 4062 190K 184.108.40.206/24 3511 169K tin.it
Volume is about the same as last week. The 220.127.116.11/27 netblock is blocked because of otcpicknews.com et al; I put them in the kernel blocks after I got tired of them hammering on us.
- 18.104.22.168 and 22.214.171.124 return from last week and many previous appearances.
- 126.96.36.199 is beaconresearchnews.com. We have decided that we don't want to talk to them.
- 188.8.131.52 aka 50-off.com.tw is in SBL49970, which dates from 11 January 2007.
- 184.108.40.206 is something we consider a dynamic IP address.
Connection time rejection stats:
65450 total 29813 dynamic IP 28601 bad or no reverse DNS 5249 class bl-cbl 315 qsnews.net 232 class bl-pbl 142 class bl-sbl 141 beaconresearchnews.com 125 class bl-dsbl 120 dartmail.net 85 class bl-sdul 43 220.127.116.11/24 aka IBS Hosting Corp 37 class bl-njabl
The highest source of SBL rejections this week was SBL55809 with 33 rejections, followed by SBL50728 with 26 and SBL49970 with 23 rejections. All of them are listed as spam sources, with various degrees of involvement in the spam imputed in the SBL listings.
Nine of the top 30 most rejected IP addresses were rejected 100 times
or more; the grand champion is 18.104.22.168 with 1,840 rejections
(for having no reverse DNS). Dishonorable mentions must also go to
22.214.171.124 (716 rejections, bad reverse DNS and in the CBL and PBL)
and 126.96.36.199 (360 rejections, bad reverse DNS, merely in the PBL).
Six of the top 30 are currently in the CBL, eleven are currently in
bl.spamcop.net, thirteen are in the PBL, and a grand total of 17
are in zen.spamhaus.org.
(Locally, 16 were rejected for bad or missing reverse DNS, 9 for being dynamic IPs, three for being people we didn't want to talk to, and one each for being in the PBL and the DSBL.)
This week, Hotmail had:
- 4 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 40 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (one in the CBL, one in SBL51849, one from Burkina Faso, and one from a South African wireless company).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading source of bad
HELOs this week was 188.8.131.52 (111
rejections), followed by 184.108.40.206 (81 rejections) and
220.127.116.11 (77 rejections). The latter two used
.local, as did any number of other lower-scoring people.
Bad bounces were sent to 262 different bad usernames, with the
most popular one being
VirginiaPerkins with 10 attempts. This
bad username pattern dominated the overall most popular pattern,
with only a few other patterns showing up (including a few old
ex-users). Bounces came from all over, with no particular large
single source that I can pick out right now.