Weekly spam summary on July 14th, 2007
Our SMTP frontend died (twice) around 8am on Friday morning, so some of the stats for this are partial stats and some of them are missing about two hours of data. That said, this week we:
- got 10,583 messages from 249 different IP addresses.
- handled 17,948 sessions from 1,258 different IP addresses.
- received 257,246 connections from over 50,000 different IP addresses.
- hit a highwater of 7 connections being checked at once.
This is pretty similar to last week. I've managed to reconstruct more or less the per day information:
(The one caution is that the 'different IPs' information is not reliable for Friday and Saturday, since it effectively starts from scratch.)
I continue to have no idea why spammers like Wednesday, but clearly they do.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 126.96.36.199/23 35913 1744K cox.net 188.8.131.52 27599 1435K terra.es 184.108.40.206/24 19880 901K bellsouth.net 220.127.116.11 18546 890K 18.104.22.168/24 11509 691K centrum.cz 22.214.171.124 10155 477K 126.96.36.199 6896 317K 188.8.131.52/24 5478 263K adelphia.net 184.108.40.206 4443 204K 220.127.116.11 4195 252K
Volume is down from last week.
- 18.104.22.168 returns from last week and many previous appearances, and I'm probably going to stop explicitly noting it since it doesn't seem like it's going to go away any time soon.
- 22.214.171.124 is on the CBL.
- 126.96.36.199 is a covad.net address that we consider dynamic, and returns from the end of June.
- 188.8.131.52, 184.108.40.206, and 220.127.116.11 all kept trying with
Connection time rejection stats:
104296 total 68773 bad or no reverse DNS 29517 dynamic IP 4092 class bl-cbl 492 qsnews.net 246 class bl-pbl 103 class bl-dsbl 80 class bl-sbl 23 class bl-njabl 4 class bl-sdul
The highest source of SBL rejections this week was a tie between SBL48694 (known spam source) and SBL44995 (hinet.net mail hosts for the ROKSO listed 'Mei Lung Handicrafts / Chang Wen-Sheng') with thirteen each. Following them is SBL56453 (0catch.com, listed as a repeat advance fee fraud spam source) with seven.
Twelve of the top 30 most rejected IP addresses were rejected 100 times or more this week. Rather than write them out, I'm going to make a table:
With the exception of 18.104.22.168, all of these were rejected for bad
or missing reverse DNS, although almost all are in the CBL and/or the
PBL. In general, fifteen of the top 30 are currently in the CBL, four
are currently in
bl.spamcop.net, seventeen are currently in the PBL,
and a grand total of 25 are in zen.spamhaus.org.
(Locally, 27 were rejected for bad or missing reverse DNS, two for being qsnews.net, and one for being a dynamic IP address.)
This week, Hotmail had:
- 6 messages accepted, and I am pretty sure that most of them were spam.
- no messages rejected because they came from non-Hotmail email addresses.
- 47 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 6 messages refused due to their origin IP address (two in the CBL, two in SBL52368, one from a United Arab Emirates satellite ISP provider, and one from the Cote d'Ivoire).
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
There is no really leading source of bad
HELOs this week, by my
standards (I draw the line somewhere around 50 to 75 rejections;
no single one got over 45 this week).
Bad bounces were sent to 90 different bad usernames this week, with the
most popular one being
qp3902 with 82 attempts (the same as last
week); the second most popular was actually an internal error, so I'm
not going to list it (without it, we actually only had 181 bad bounces
this week). The
NoemiDotson bad username pattern is still popular,
but it's joined by things like
d21terrano, and a number
The biggest single source of bad bounces was 22.214.171.124, with other contributions from all over (including some hinet.net machines; clearly the SBL hasn't listed all of their mail machines yet).