Weekly spam summary on July 21st, 2007
This week, we:
- got 12,549 messages from 259 different IP addresses.
- handled 19,129 sessions from 1,520 different IP addresses.
- received 291,606 connections from at least 79,247 different IP addresses.
- hit a highwater of 8 connections being checked at once.
Connection volume is up pretty noticeably from last week, and it fluctuated all over the map over the course of the week.
Kernel level packet filtering top ten:
Host/Mask           Packets  Bytes
18.104.22.168         43855  2281K  terra.es
22.214.171.124/23     39764  1931K  cox.net
126.96.36.199         22971  1103K
188.8.131.52/24       21039   954K  bellsouth.net
184.108.40.206/24     18151  1089K  centrum.cz
220.127.116.11/24     10680   513K
18.104.22.168          9065   544K
22.214.171.124         8000   439K
126.96.36.199/24       3162   147K  insightbb.com
188.8.131.52           3129   172K
Volume is up from last week, although not hugely, and it is more unevenly distributed; the top is higher and the bottom is lower. We have insightbb.com blocked as a source of webmail-based advance fee fraud, like the other /24s on the list.
- 184.108.40.206 is a skynet.be/belgacom.be machine; we haven't talked to them for some time for various reasons.
- 220.127.116.11 returns from earlier this month and several times before, still trying a bad
- 18.104.22.168 is an APNIC IP address with bad reverse DNS.
- 22.214.171.124 is still a qsnews.net machine, just as it was last week.
I continue to be impressed with how qsnews.net is not on various DNS blocklists; I have no idea how they manage it.
Connection time rejection stats:
115523 total
 68833 bad or no reverse DNS
 38937 dynamic IP
  6058 class bl-cbl
   263 class bl-pbl
   192 qsnews.net
    93 class bl-sbl
    75 class bl-dsbl
    72 reliablehosting.com
    24 acceleratebiz.com
     9 class bl-njabl
     2 class bl-sdul
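As an added illustration (not code from the original post or from its mail server), here is how the rejection categories above can be produced at connection time: forward-confirmed reverse DNS first, then a dynamic-name heuristic, then locally blocked domains, then DNSBL classes queried as reversed octets under a zone. The DNS data, the check order, the domain names and the dynamic-name pattern are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed stand-in for the DNS a mail server would consult at connection
# time: PTR records per IP, forward A records per name, DNSBL answers per
# query name. None of these addresses or names are real hosts.
PTR = {
    "192.0.2.10": "mail.example.net",            # good forward-confirmed rDNS
    "192.0.2.11": "dsl-11-2-0-192.example.org",  # rDNS names a dynamic pool
    "192.0.2.12": "host12.example.com",          # forward does not point back
    "192.0.2.13": "smtp.qsnews.example",         # stand-in for a locally blocked domain
    "192.0.2.14": "relay.example.com",           # listed in the CBL and the PBL
}
A = {
    "mail.example.net": {"192.0.2.10"},
    "dsl-11-2-0-192.example.org": {"192.0.2.11"},
    "host12.example.com": {"198.51.100.5"},
    "smtp.qsnews.example": {"192.0.2.13"},
    "relay.example.com": {"192.0.2.14"},
}
# A DNSBL is asked for <reversed octets>.<zone>; here the zone is the class label.
DNSBL = {"14.2.0.192.bl-cbl", "14.2.0.192.bl-pbl"}
DNSBL_ORDER = ("bl-sbl", "bl-cbl", "bl-pbl", "bl-dsbl", "bl-njabl", "bl-sdul")
BLOCKED_DOMAINS = ("qsnews.example",)
# Hypothetical heuristic for names that look like dynamic/consumer pools.
DYNAMIC_RE = re.compile(r"(^|[.-])(dsl|dyn|dynamic|ppp|dhcp|cable)[.-]", re.I)

def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL lookup resolves: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(ip):
    """Return the connection-time rejection reason for ip, or None to accept.
    The check order is an assumption; the post does not state its server's order."""
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, set()):
        return "bad or no reverse DNS"
    if DYNAMIC_RE.search(name):
        return "dynamic IP"
    for domain in BLOCKED_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    for zone in DNSBL_ORDER:
        if dnsbl_query_name(ip, zone) in DNSBL:
            return "class " + zone
    return None

def summarize(ips):
    """Count rejections per reason in the post's '<count> <reason>' layout."""
    counts = Counter(r for r in map(classify, ips) if r is not None)
    lines = ["%d total" % sum(counts.values())]
    lines += ["%d %s" % (n, reason) for reason, n in counts.most_common()]
    return lines
```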
It is hard to contain myself about the amazing coincidence that nine different acceleratebiz.com IPs, each with a different domain name, all tried to send us email this week (sometimes multiple times). I'm sure it's also a coincidence that most of them appear to have the same do-nothing website, too.
The highest source of SBL rejections this week was SBL48694 (the artists-networkinfo.com known spammers, listed 24 June) with 35 rejections. Second place goes to SBL53722 (cavtel.net, advance fee fraud spam, listed 19 April) with 15 rejections.
Ten of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 126.96.36.199 (652 rejections), with (dis)honorable mentions for 188.8.131.52 (330 rejections), and 184.108.40.206 (297 rejections). All got rejected for having bad or missing reverse DNS.
Sixteen of the top 30 are currently in the CBL, two are currently in bl.spamcop.net, thirteen are in the PBL, and a grand total of twenty-three are in zen.spamhaus.org.
(Locally, 24 were rejected for bad or missing reverse DNS, four for being people we don't want to talk to, and two for being classified as dynamic IPs.)
This week Hotmail had:
- 6 messages accepted; I'm reasonably sure that at least three of them were spam.
- no messages rejected because they came from non-Hotmail email addresses.
- 39 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 4 messages refused due to their origin IP address (one in the CBL, two from the Cote d'Ivoire, and one from a South African wireless ISP).
And the final numbers:
what | # this week (distinct IPs) | # last week (distinct IPs)
This week is distinctly worse than last week. The leading sources of bad HELO attempts this week were 220.127.116.11 (118 attempts) and 18.104.22.168 (105 attempts); both were using names that
Bad bounces were sent to 318 different bad usernames this week, with the most popular one being a tie between with 4 attempts each; last week's qp3902 made one appearance. I am not going to try to assess what bad user name pattern was the most prevalent; interesting bad usernames included the minimalistic 405, the interesting 0ue38815349020h. A number were sent to ex-users.
The dominant bad bounce source this week seems to be Japan, especially ezweb.ne.jp; it is awfully tempting to block them entirely, since they haven't sent us any actual email in at least the past month and they keep doing this. But if I went down that road, there are any number of ISPs that would make the list.