Weekly spam summary on August 4th, 2007
This week, we:
- got 111,59 messages from 243 different IP addresses.
- handled 18,480 sessions from 1,401 different IP addresses.
- received 393,665 connections from at least 102,514 different IP addresses.
- hit a highwater of 34 connections being checked at once.
Volume is up quite a lot from last week; also up is how many different IP addresses are trying to send us email. My instant reaction to this is that this is a clear sign of being barraged with spam zombies, especially since we added hardly any extra sessions and they came from slightly fewer different IPs than last week.
Day | Connections | different IPs |
Sunday | 52,614 | +16,152 |
Monday | 70,367 | +19,522 |
Tuesday | 63,613 | +15,751 |
Wednesday | 69,844 | +14,946 |
Thursday | 54,537 | +14,002 |
Friday | 49,958 | +13,420 |
Saturday | 32,732 | +8,721 |
In a deviation from the usual pattern, Monday was the volume peak, although Wednesday is very close on connections. The Friday and Saturday numbers make me hope that the storm has gone down, but that's probably blind optimism.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 213.4.149.12 51643 2686K terra.es 205.152.59.0/24 25471 1155K bellsouth.net 68.230.240.0/23 21810 1059K cox.net 193.178.228.8 14238 683K 213.29.7.0/24 7484 449K centrum.cz 204.202.242.0/24 5322 277K 68.168.78.0/24 5044 242K adelphia.net 208.109.78.0/24 4665 280K 213.228.185.13 4491 269K 66.106.101.58 4347 221K
By contrast, the volume here is about the same as last week. 204.202.242.0/24 (rapidsite.net) and 208.109.78.0/24 (secureserver.net) both got their entire /24s blocked because they kept retrying origin addresses that had tripped our spamtraps from lots of hosts, instead of just one or two.
- 193.178.228.8 kept trying with an origin address that had tripped our spamtraps.
- 213.228.185.13 returns from last week.
- 66.106.101.58 is in SBL57028, a listing for the source of malware/virus spam.
Connection time rejection stats:
178565 total 86933 bad or no reverse DNS 78135 dynamic IP 10020 class bl-cbl 871 class bl-dsbl 622 class bl-pbl 246 class bl-sbl 222 qsnews.net 170 class bl-sdul 45 class bl-njabl 39 acceleratebiz.com
Total volume is up from last week, which is no surprise. We rejected 49,730 different IP addresses in total, which is a figure that just occurred to me to gather; this means that roughly half the different IP addresses went away in our greylisting steps.
I have read reports in NANAE that the SORBS DUL list has gone away; however, the figures here suggest that it is still alive and blocking things. Inspecting the hostnames of things that got blocked shows that a number of them seem to be real dynamic IP addresses, too.
The highest source of SBL rejections this week is SBL57113, 'speed tech inc', listed July 30th, with 143 rejections. Following it is SBL48694, returning from last week with 34 rejections, then SBL56968 from last week and SBL30718 (advance fee fraud spam source listed in September of 2005), tied with 10 rejections each. SBL57069, labeled as a spam bot belonging to the ROKSO spammer Yambo Financials, gets an honorable mention with 9 rejections.
Eighteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 86.66.150.90 (1,107 rejections), followed by 88.224.107.250 (952 rejections), 208.11.149.93 (708 rejections), and the rest have less than 500 rejections each.
Eleven of the top 30 are currently in the CBL, four are currently
in bl.spamcop.net
, twenty one are in the PBL, and a grand total
of twenty two are in zen.spamhaus.org.
(Locally, 27 were rejected for bad or missing reverse DNS, two for being qsnews.net, and one for being in the DSBL.)
This week, Hotmail had:
- 2 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 47 messages sent to our spamtraps.
- 13 messages refused because their sender addresses had already hit our spamtraps.
- 7 messages refused due to their origin IP address (four in the CBL, one in SBL51609 (a bunch of open HTTP proxies, listed 24 February), one from the Cote d'Ivoire, and one from Burkina Faso).
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELO s |
625 | 126 | 944 | 121 |
Bad bounces | 82 | 51 | 229 | 94 |
The bad HELO
numbers provide more evidence that the connection
volume surge is mostly from spam zombies. There was no particular
leading source of bad HELO
s this week; the most active one was
still under 50 rejections.
Bad bounces were sent to 67 different bad usernames this week, with the
most popular one being RudyKirkpatrick
with 10 attempts. That bad
username pattern probably is the majority this week, although things
like tnishii
and michaeljordan
keep up the good fight and there were
one or two old ex-users. ezweb.ne.jp continues to show up at the top of
the list of sources, but this week it was less dominant. The most amusing
source of a bad bounce has to be the machine simon.bofh.ms
.
|
|