Weekly spam summary on June 23rd, 2007
This week, we:
- got 10,190 messages from 259 different IP addresses.
- handled 18,093 sessions from 1,527 different IP addresses.
- received 223,304 connections from at least 76,627 different IP addresses.
- hit a highwater of 10 connections being checked at once.
This is up a bit from last week in both connection volume and the number of different IPs trying to talk to us.
Day | Connections | different IPs |
Sunday | 26,556 | +10,547 |
Monday | 36,931 | +12,843 |
Tuesday | 33,743 | +12,127 |
Wednesday | 40,667 | +13,267 |
Thursday | 28,317 | +9,957 |
Friday | 31,912 | +9,897 |
Saturday | 25,178 | +7,989 |
Kernel level packet filtering top ten:
  Host/Mask           Packets   Bytes
  68.230.240.0/23       32271   1566K   cox.net
  213.4.149.12          21370   1109K
  205.152.59.0/24       21336    966K   bellsouth.net
  68.168.78.0/24        12143    581K   adelphia.net
  206.123.109.0/27      11948    662K
  72.249.13.81           9476    528K
  203.204.118.61         8723    519K
  213.4.149.11           4182    217K
  68.167.174.246         4062    190K
  212.216.176.0/24       3511    169K   tin.it
Volume is about the same as last week. The 206.123.109.0/27 netblock is blocked because of otcpicknews.com et al; I put them in the kernel blocks after I got tired of them hammering on us.
- 213.4.149.12 and 213.4.149.11 return from last week and many previous appearances.
- 72.249.13.81 is beaconresearchnews.com. We have decided that we don't want to talk to them.
- 203.204.118.61 aka 50-off.com.tw is in SBL49970, which dates from 11 January 2007.
- 68.167.174.246 is something we consider a dynamic IP address.
Connection time rejection stats:
  65450 total
  29813 dynamic IP
  28601 bad or no reverse DNS
   5249 class bl-cbl
    315 qsnews.net
    232 class bl-pbl
    142 class bl-sbl
    141 beaconresearchnews.com
    125 class bl-dsbl
    120 dartmail.net
     85 class bl-sdul
     43 216.75.6.0/24 aka IBS Hosting Corp
     37 class bl-njabl
The highest source of SBL rejections this week was SBL55809 with 33 rejections, followed by SBL50728 with 26 and SBL49970 with 23 rejections. All of them are listed as spam sources, with various degrees of involvement in the spam imputed in the SBL listings.
Nine of the top 30 most rejected IP addresses were rejected 100 times
or more; the grand champion is 203.156.70.57 with 1,840 rejections
(for having no reverse DNS). Dishonorable mentions must also go to
189.171.181.218 (716 rejections, bad reverse DNS and in the CBL and PBL)
and 201.79.147.166 (360 rejections, bad reverse DNS, merely in the PBL).
Six of the top 30 are currently in the CBL, eleven are currently in
bl.spamcop.net, thirteen are in the PBL, and a grand total of 17
are in zen.spamhaus.org.
(Locally, 16 were rejected for bad or missing reverse DNS, 9 for being dynamic IPs, three for being people we didn't want to talk to, and one each for being in the PBL and the DSBL.)
This week, Hotmail had:
- 4 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 40 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (one in the CBL, one in SBL51849, one from Burkina Faso, and one from a South African wireless company).
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 1072 | 136 | 1557 | 118 |
Bad bounces | 327 | 194 | 185 | 141 |
The leading source of bad HELOs this week was 70.147.170.18 (111
rejections), followed by 207.30.12.132 (81 rejections) and
69.15.68.98 (77 rejections). The latter two used HELO names
ending in .local, as did any number of other lower-scoring people.
Bad bounces were sent to 262 different bad usernames, with the
most popular one being VirginiaPerkins with 10 attempts. This
bad username pattern dominated the overall most popular pattern,
with only a few other patterns showing up (including a few old
ex-users). Bounces came from all over, with no particular large
single source that I can pick out right now.