Weekly spam summary on July 7th, 2007

July 7, 2007

This week, we:

  • got 9,123 messages from 254 different IP addresses.
  • handled 17,076 sessions from 1,364 different IP addresses.
  • received 264,864 connections from at least 70,143 different IP addresses.
  • hit a highwater of 12 connections being checked at once.

Volume has dropped compared to last week, including total messages, which surprises me a bit. As we can see in the per-day table, spammers definitely didn't take the 4th of July off:

Day          Connections   different IPs
Sunday            32,966         +11,408
Monday            36,064         +10,472
Tuesday           37,471         +10,684
Wednesday         39,405          +8,540
Thursday          35,548          +8,294
Friday            44,618         +11,289
Saturday          38,792          +9,456

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          45750   2379K
68.230.240.0/23       32348   1571K cox.net
205.152.59.0/24       23367   1059K bellsouth.net
206.123.109.0/27      23141   1272K otcpicknews.com
72.249.13.81          14404    790K
212.175.13.129        11458    687K
203.204.118.61        10494    630K
68.168.78.0/24         9691    465K adelphia.net
213.4.149.68           8924    518K
58.186.248.18          7720    371K

By contrast, volume here is up significantly from last week, with the otcpicknews.com people still valiantly hammering away despite getting nowhere.

  • 213.4.149.12 returns from last week and many weeks before.
  • 72.249.13.81 is beaconresearchnews.com and returns from two weeks ago.
  • 212.175.13.129 kept trying a bad HELO, which we've seen it do before.
  • 203.204.118.61 is SBL49970, and we saw it before two weeks ago.
  • 213.4.149.68 kept trying with a bad HELO.
  • 58.186.248.18 is a Vietnamese IP address with no reverse DNS.

Connection time rejection stats:

 108292 total
  74766 bad or no reverse DNS
  26291 dynamic IP
   5170 class bl-cbl
    408 class bl-pbl
    184 qsnews.net
     99 class bl-dsbl
     92 class bl-sbl
     53 class bl-njabl
     44 class bl-sdul
     42 beaconresearchnews.com

Volume is up significantly from last week, with almost all of it coming from bad reverse DNS issues; the volume jump is even more striking if you look at this compared to two weeks ago.

The highest source of SBL rejections this week was SBL56296 (a compromised PC used for spam) with 17 rejections. After that was SBL53722 (a cavtel.net webmail machine, advance fee fraud) with 15 rejections and SBL49970 with 14 rejections.

Twelve of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 222.123.154.220 (412 rejections), followed by 121.46.216.126 (391 rejections), 58.186.248.18 (307 rejections), and 87.217.143.79 (224 rejections, on the CBL). All but the last were rejected for bad or missing reverse DNS.

Sixteen of the top 30 are currently in the CBL, three are currently in bl.spamcop.net, twelve are in the PBL, and a grand total of twenty are in zen.spamhaus.org.

(Locally, 20 were rejected for bad or missing reverse DNS, 7 for being dynamic IP addresses, two for being people we don't want to talk to, and one for being in the CBL.)

This week, Hotmail managed:

  • 3 messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address (a msn.com address, as it happens).
  • 50 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (one in the CBL and two from Burkina Faso).

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs            825         (99)             4120        (240)
Bad bounces          222        (149)              688        (527)

That's certainly a nice improvement from last week. The leading source of bad HELOs this week was 67.52.59.170 with 86 attempts.

Bad bounces were sent to 154 different bad usernames this week, with the most popular one being qp3902 with 32 attempts. The most popular pattern for bad usernames is probably things like RandyGallagher, but we also saw bounce attempts to various others, including things like narunaru-gogo, jmhn, and the ever-popular noreply, along with some ex-users. I will call ezweb.ne.jp the most popular source of bounces, although it's hard to be completely sure; some people send bounces to us from only a few IPs, while others smear them over big clusters of machines.

Written on 07 July 2007.
Last modified: Sat Jul 7 23:47:38 2007