Weekly spam summary on August 4th, 2007

August 4, 2007

This week, we:

  • got 111,59 messages from 243 different IP addresses.
  • handled 18,480 sessions from 1,401 different IP addresses.
  • received 393,665 connections from at least 102,514 different IP addresses.
  • hit a highwater of 34 connections being checked at once.

Volume is up quite a lot from last week; also up is how many different IP addresses are trying to send us email. My instant reaction to this is that this is a clear sign of being barraged with spam zombies, especially since we added hardly any extra sessions and they came from slightly fewer different IPs than last week.

Day         Connections   different IPs
Sunday           52,614         +16,152
Monday           70,367         +19,522
Tuesday          63,613         +15,751
Wednesday        69,844         +14,946
Thursday         54,537         +14,002
Friday           49,958         +13,420
Saturday         32,732          +8,721

In a deviation from the usual pattern, Monday was the volume peak, although Wednesday is very close on connections. The Friday and Saturday numbers make me hope that the storm has gone down, but that's probably blind optimism.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
                      51643   2686K terra.es
                      25471   1155K bellsouth.net
                      21810   1059K cox.net
                      14238    683K
                       7484    449K centrum.cz
                       5322    277K
                       5044    242K adelphia.net
                       4665    280K
                       4491    269K
                       4347    221K

By contrast, the volume here is about the same as last week. (rapidsite.net) and (secureserver.net) both got their entire /24s blocked because they kept retrying origin addresses that had tripped our spamtraps from lots of hosts, instead of just one or two.

  • kept trying with an origin address that had tripped our spamtraps.
  • returns from last week.
  • is in SBL57028, a listing for the source of malware/virus spam.
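The escalation described above (block individual hosts when only one or two retry a spamtrapped origin address, but the whole /24 when lots of hosts in it do) can be expressed as follows. This is an added example, not the filter code used on this site; the threshold of three hosts, the function name and the sample addresses are assumptions, and it handles IPv4 only.

```python
import ipaddress
from collections import defaultdict

# Assumed threshold: the page only says "lots of hosts, instead of just one or two".
HOSTS_BEFORE_NET_BLOCK = 3

def plan_blocks(spamtrapped_senders, attempts, threshold=HOSTS_BEFORE_NET_BLOCK):
    """Return the set of IPv4 networks to block for (ip, mail_from) attempts.

    A host is an offender when it tries a MAIL FROM address that has already
    hit a spamtrap. Offenders are blocked singly (/32) unless `threshold` or
    more distinct offenders share a /24; then the whole /24 is blocked.
    """
    offenders = defaultdict(set)  # /24 network -> distinct offending hosts
    for ip, mail_from in attempts:
        if mail_from.lower() not in spamtrapped_senders:
            continue
        addr = ipaddress.IPv4Address(ip)
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        offenders[net].add(addr)  # a set, so repeated retries count once

    blocks = set()
    for net, hosts in offenders.items():
        if len(hosts) >= threshold:
            blocks.add(net)
        else:
            blocks.update(ipaddress.ip_network(f"{h}/32") for h in hosts)
    return blocks

# Constructed sample data (documentation address ranges, made-up senders).
SPAMTRAPPED = {"offers@bulk.example"}
ATTEMPTS = [
    ("192.0.2.10", "offers@bulk.example"),
    ("192.0.2.11", "offers@bulk.example"),
    ("192.0.2.57", "Offers@bulk.example"),     # same sender, different case
    ("192.0.2.10", "offers@bulk.example"),     # retry from an already-seen host
    ("198.51.100.7", "offers@bulk.example"),   # a single host in its /24
    ("198.51.100.7", "offers@bulk.example"),
    ("203.0.113.5", "alice@customer.example"), # sender never hit a spamtrap
]

if __name__ == "__main__":
    for net in sorted(plan_blocks(SPAMTRAPPED, ATTEMPTS)):
        print(net)
```

Counting distinct hosts rather than attempts is what separates one persistent retrying machine from a provider whose whole outbound pool is relaying the same sender.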

Connection time rejection stats:

 178565 total
  86933 bad or no reverse DNS
  78135 dynamic IP
  10020 class bl-cbl
    871 class bl-dsbl
    622 class bl-pbl
    246 class bl-sbl
    222 qsnews.net
    170 class bl-sdul
     45 class bl-njabl
     39 acceleratebiz.com

Total volume is up from last week, which is no surprise. We rejected 49,730 different IP addresses in total, which is a figure that just occurred to me to gather; this means that roughly half the different IP addresses went away in our greylisting steps.

I have read reports in NANAE that the SORBS DUL list has gone away; however, the figures here suggest that it is still alive and blocking things. Inspecting the hostnames of things that got blocked shows that a number of them seem to be real dynamic IP addresses, too.

The highest source of SBL rejections this week is SBL57113, 'speed tech inc', listed July 30th, with 143 rejections. Following it is SBL48694, returning from last week with 34 rejections, then SBL56968 from last week and SBL30718 (advance fee fraud spam source listed in September of 2005), tied with 10 rejections each. SBL57069, labeled as a spam bot belonging to the ROKSO spammer Yambo Financials, gets an honorable mention with 9 rejections.

Eighteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is (1,107 rejections), followed by (952 rejections), (708 rejections), and the rest have fewer than 500 rejections each.

Eleven of the top 30 are currently in the CBL, four are currently in bl.spamcop.net, twenty-one are in the PBL, and a grand total of twenty-two are in zen.spamhaus.org.

(Locally, 27 were rejected for bad or missing reverse DNS, two for being qsnews.net, and one for being in the DSBL.)

This week, Hotmail had:

  • 2 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 47 messages sent to our spamtraps.
  • 13 messages refused because their sender addresses had already hit our spamtraps.
  • 7 messages refused due to their origin IP address (four in the CBL, one in SBL51609 (a bunch of open HTTP proxies, listed 24 February), one from the Cote d'Ivoire, and one from Burkina Faso).

And the final numbers:

what          # this week   (distinct IPs)   # last week   (distinct IPs)
Bad HELOs             625              126           944              121
Bad bounces            82               51           229               94

The bad HELO numbers provide more evidence that the connection volume surge is mostly from spam zombies. There was no particular leading source of bad HELOs this week; the most active one was still under 50 rejections.

Bad bounces were sent to 67 different bad usernames this week, with the most popular one being RudyKirkpatrick with 10 attempts. That bad username pattern probably is the majority this week, although things like tnishii and michaeljordan keep up the good fight and there were one or two old ex-users. ezweb.ne.jp continues to show up at the top of the list of sources, but this week it was less dominant. The most amusing source of a bad bounce has to be the machine simon.bofh.ms.

Written on 04 August 2007.

Last modified: Sat Aug 4 23:51:32 2007