Weekly spam summary on July 28th, 2007

July 28, 2007

This week, we:

  • got 10,691 messages from 231 different IP addresses.
  • handled 17,807 sessions from 1,456 different IP addresses.
  • received 301,407 connections from at least 76,444 different IP addresses.
  • hit a high-water mark of 11 connections being checked at once.

Connection volume is up slightly from last week, but at this point 10,000 connections a week more or less is probably just random noise.

Day          Connections   different IPs
Sunday            35,837         +11,632
Monday            46,617         +11,770
Tuesday           52,564         +12,840
Wednesday         52,049         +10,733
Thursday          37,866          +8,904
Friday            41,885         +10,889
Saturday          34,589          +9,676

Thursday is down compared to last week, but everything else makes up for it.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       39187   1903K cox.net
213.4.149.12          32525   1691K terra.es
205.152.59.0/24       19070    865K bellsouth.net
68.167.174.247        13732    642K
213.29.7.0/24          9289    557K centrum.cz
213.228.185.13         8146    489K
68.168.78.0/24         6299    302K adelphia.net
70.22.148.61           5496    257K
190.11.14.26           3595    173K
70.242.189.33          3441    165K

Overall volume is down compared to last week.

  • 68.167.174.247 and 70.242.189.33 are things we consider dynamic IP addresses.
  • 213.228.185.13 is in the DUL (and has a very generic hostname, and is currently in bl.spamcop.net).
  • 70.22.148.61 kept trying with a bad HELO.
  • 190.11.14.26 is a LACNIC IP address with bad reverse DNS.

This is the first week in a while where none of the top ten individual IP addresses are ones we've seen before (apart from the perennial 213.4.149.12).

Connection time rejection stats:

 123178 total
  58011 bad or no reverse DNS
  55387 dynamic IP
   6386 class bl-cbl
    477 qsnews.net
    335 class bl-pbl
    203 class bl-dsbl
    118 class bl-sbl
    116 class bl-sdul
    113 dartmail.net
     42 class bl-njabl
     34 acceleratebiz.com

There's quite a jump in the 'dynamic IP' category this week; it doesn't seem to have come from any particular ISP or the like, so we seem to have been getting hit more in general.

The highest source of SBL rejections this week is the same as last week: SBL48694, with 31 rejections this week. Following them is SBL56968 (13 rejections), SBL43966 (12 rejections), SBL22762 (11 rejections), and SBL57028 (10 rejections).

An eye-opening twenty-two of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 122.161.14.99 (with 2,498 rejections), followed by 195.238.6.228 (1,266 rejections), 122.161.64.143 (1,068 rejections), 122.254.189.225 (776 rejections), and 122.161.32.205 (536 rejections).

Fifteen of the top 30 are currently in the CBL, eight are currently in bl.spamcop.net, twenty-four are in the PBL, and a grand total of twenty-five are in zen.spamhaus.org.

(Locally, 18 were rejected for bad or missing reverse DNS, 10 for being dynamic IPs, one for being qsnews.net, and one for being someone we don't want to talk to.)

This week, Hotmail had:

  • no messages accepted.
  • 3 messages rejected because they came from non-Hotmail email addresses.
  • 47 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (one from saix.net, one from the Cote d'Ivoire, and one from Burkina Faso).

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs             944        (121)             1120        (113)
Bad bounces           229         (94)              350        (210)

The leading source of bad HELO attempts this week is 202.155.205.242 (109 attempts), followed by 207.114.206.180 (72 attempts). For once both of these were trying with plausible looking hostnames, instead of things ending in .local.

Bad bounces were sent to 200 different bad usernames this week, with the most popular one being mayumi0624 with 4 attempts. Bad usernames like TomasPryor seem to be falling out of favour, being supplanted by things like alenn187. Odd bad usernames of the week: 69-69-69, 0bp38c4r1fr1f3h, 35671615, and you-freak. The dominant bad bounce source this week seems to be Japan and especially ezweb.ne.jp, just like last week.

Written on 28 July 2007.

Last modified: Sat Jul 28 23:29:11 2007