== Weekly spam summary on August 4th, 2007

This week, we:

* got 111,59 messages from 243 different IP addresses.
* handled 18,480 sessions from 1,401 different IP addresses.
* received 393,665 connections from at least 102,514 different IP addresses.
* hit a highwater of 34 connections being checked at once.

Volume is up quite a lot from [[last week SpamSummary-2007-07-28]]; also up is how many different IP addresses are trying to send us email. My instant reaction to this is that this is a clear sign of being barraged with spam zombies, especially since we added hardly any extra sessions and they came from slightly fewer different IPs than [[last week]].

| Day | Connections | different IPs |
| Sunday | 52,614 | +16,152 |
| Monday | 70,367 | +19,522 |
| Tuesday | 63,613 | +15,751 |
| Wednesday | 69,844 | +14,946 |
| Thursday | 54,537 | +14,002 |
| Friday | 49,958 | +13,420 |
| Saturday | 32,732 | +8,721 |

In a deviation from the usual pattern, Monday was the volume peak, although Wednesday is very close on connections. The Friday and Saturday numbers make me hope that the storm has gone down, but that's probably blind optimism.

Kernel level packet filtering top ten:

   Host/Mask              Packets   Bytes
   213.4.149.12             51643   2686K  terra.es
   205.152.59.0/24          25471   1155K  bellsouth.net
   68.230.240.0/23          21810   1059K  cox.net
   193.178.228.8            14238    683K
   213.29.7.0/24             7484    449K  centrum.cz
   204.202.242.0/24          5322    277K
   68.168.78.0/24            5044    242K  adelphia.net
   208.109.78.0/24           4665    280K
   213.228.185.13            4491    269K
   66.106.101.58             4347    221K

By contrast, the volume here is about the same as [[last week]].

* 204.202.242.0/24 (rapidsite.net) and 208.109.78.0/24 (secureserver.net) both got their entire /24s blocked because they kept retrying origin addresses that had tripped our spamtraps from lots of hosts, instead of just one or two.
* 193.178.228.8 kept trying with an origin address that had tripped our spamtraps.
* 213.228.185.13 returns from [[last week]].
* 66.106.101.58 is in [[SBL57028 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL57028]], a listing for the source of malware/virus spam.

Connection time rejection stats:

   178565 total
    86933 bad or no reverse DNS
    78135 dynamic IP
    10020 class bl-cbl
      871 class bl-dsbl
      622 class bl-pbl
      246 class bl-sbl
      222 qsnews.net
      170 class bl-sdul
       45 class bl-njabl
       39 acceleratebiz.com

Total volume is up from [[last week]], which is no surprise. We rejected 49,730 different IP addresses in total, which is a figure that just occurred to me to gather; this means that roughly half the different IP addresses went away in our greylisting steps.

I have read reports in {{AB:NANAE:news.admin.net-abuse.email}} that the SORBS DUL list has gone away; however, the figures here suggest that it is still alive and blocking things. Inspecting the hostnames of things that got blocked shows that a number of them seem to be real dynamic IP addresses, too.

The highest source of SBL rejections this week is [[SBL57113 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL57113]], 'speed tech inc', listed July 30th, with 143 rejections. Following it is [[SBL48694 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL48694]], returning from [[last week]] with 34 rejections, then [[SBL56968 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL56968]] from [[last week]] and [[SBL30718 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL30718]] (advance fee fraud spam source listed in ~~September of 2005~~), tied with 10 rejections each. [[SBL57069 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL57069]], labeled as a spam bot belonging to the ROKSO spammer Yambo Financials, gets an honorable mention with 9 rejections.

Eighteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 86.66.150.90 (1,107 rejections), followed by 88.224.107.250 (952 rejections), 208.11.149.93 (708 rejections), and the rest have less than 500 rejections each.
Eleven of the top 30 are currently in the CBL, four are currently in _bl.spamcop.net_, twenty-one are in the PBL, and a grand total of twenty-two are in zen.spamhaus.org. (Locally, 27 were rejected for bad or missing reverse DNS, two for being qsnews.net, and one for being in the DSBL.)

This week, Hotmail had:

* 2 messages accepted.
* no messages rejected because they came from non-Hotmail email addresses.
* 47 messages sent to our spamtraps.
* 13 messages refused because their sender addresses had already hit our spamtraps.
* 7 messages refused due to their origin IP address (four in the CBL, one in [[SBL51609 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL51609]] (a bunch of open HTTP proxies, listed 24 February), one from the Cote d'Ivoire, and one from Burkina Faso).

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad _HELO_s | 625 | 126 | 944 | 121 |
| Bad bounces | 82 | 51 | 229 | 94 |

The bad _HELO_ numbers provide more evidence that the connection volume surge is mostly from spam zombies. There was no particular leading source of bad _HELO_s this week; the most active one was still under 50 rejections.

Bad bounces were sent to 67 different bad usernames this week, with the most popular one being _RudyKirkpatrick_ with 10 attempts. That bad username pattern is probably the majority this week, although things like _tnishii_ and _michaeljordan_ keep up the good fight and there were one or two old ex-users. ezweb.ne.jp continues to show up at the top of the list of sources, but this week it was less dominant. The most amusing source of a bad bounce has to be the machine _simon.[[bofh http://en.wikipedia.org/wiki/BOFH]].ms_.
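The connection-time rejection stats and the bad _HELO_ / bad bounce table above both report the same two things per category: how many events there were and how many distinct source IPs produced them (the 49,730 distinct rejected IPs versus 178,565 rejections is the difference that matters when judging whether a surge is a few heavy senders or a zombie swarm). The script below is an added example of computing those figures from mail log lines; it is not the summary author's own tooling, and the `event key=value` log format and the sample lines in it are constructed for this illustration rather than taken from any real mail system.

```python
"""Tally connection-time rejections, bad HELOs and bad bounces from
mail-server log lines, reporting both event counts and distinct IPs.

The log format (timestamp, event name, key=value fields) is a constructed
one for this example; it is not the format of any real mail system."""
from collections import Counter, defaultdict

# Constructed sample log lines (documentation-range addresses, not real data).
SAMPLE_LOG = """\
2007-08-01 10:12:03 reject ip=192.0.2.10 reason=no-rdns
2007-08-01 10:12:04 reject ip=192.0.2.10 reason=no-rdns
2007-08-01 10:12:09 reject ip=192.0.2.11 reason=dynamic-ip
2007-08-01 10:13:40 reject ip=198.51.100.5 reason=bl-cbl
2007-08-01 10:13:41 reject ip=198.51.100.5 reason=bl-cbl
2007-08-01 10:13:42 reject ip=198.51.100.5 reason=bl-cbl
2007-08-01 10:14:00 reject ip=192.0.2.11 reason=no-rdns
2007-08-01 10:20:00 bad-helo ip=203.0.113.7 helo=localhost
2007-08-01 10:21:00 bad-helo ip=203.0.113.7 helo=127.0.0.1
2007-08-01 10:22:00 bad-helo ip=203.0.113.8 helo=ourhost.example.org
2007-08-01 11:00:00 bad-bounce ip=203.0.113.9 user=RudyKirkpatrick
2007-08-01 11:01:00 bad-bounce ip=203.0.113.9 user=RudyKirkpatrick
2007-08-01 11:02:00 bad-bounce ip=203.0.113.10 user=tnishii
this line is junk and must be skipped
"""


def parse_line(line):
    """Split one log line into (event, fields); return None for lines that
    do not fit the constructed format so malformed input is skipped."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = {}
    for tok in parts[3:]:
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        fields[key] = value
    return parts[2], fields


def tally(lines):
    """Aggregate event counts and distinct source IPs per category."""
    reasons = Counter()              # rejections per reason
    reason_ips = defaultdict(set)    # distinct IPs per reason
    rejected_ips = set()             # distinct IPs rejected for any reason
    helo_count, helo_ips = 0, set()
    bounce_count, bounce_ips = 0, set()
    bounce_users = Counter()         # which bad usernames bounces target
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, f = parsed
        if event == "reject" and "ip" in f and "reason" in f:
            reasons[f["reason"]] += 1
            reason_ips[f["reason"]].add(f["ip"])
            rejected_ips.add(f["ip"])
        elif event == "bad-helo" and "ip" in f:
            helo_count += 1
            helo_ips.add(f["ip"])
        elif event == "bad-bounce" and "ip" in f and "user" in f:
            bounce_count += 1
            bounce_ips.add(f["ip"])
            bounce_users[f["user"]] += 1
    return {
        "total_rejections": sum(reasons.values()),
        "distinct_rejected_ips": len(rejected_ips),
        "by_reason": {r: (n, len(reason_ips[r])) for r, n in reasons.items()},
        "bad_helo": (helo_count, len(helo_ips)),
        "bad_bounce": (bounce_count, len(bounce_ips)),
        "bounce_users": bounce_users,
    }


def format_rejections(stats):
    """Render the rejection stats as 'count reason' lines, total first,
    then largest reason first (ties keep first-seen order)."""
    rows = [f"{stats['total_rejections']:>8} total"]
    for reason, (n, _) in sorted(stats["by_reason"].items(),
                                 key=lambda kv: -kv[1][0]):
        rows.append(f"{n:>8} {reason}")
    return "\n".join(rows)


if __name__ == "__main__":
    s = tally(SAMPLE_LOG.splitlines())
    print(format_rejections(s))
    print("distinct rejected IPs:", s["distinct_rejected_ips"])
    print("bad HELOs (count, distinct IPs):", s["bad_helo"])
    print("bad bounces (count, distinct IPs):", s["bad_bounce"])
    print("most targeted bad username:", s["bounce_users"].most_common(1))
```

On the sample lines this reports 7 rejections from only 3 distinct IPs, which is the gap the summary draws attention to: a handful of hosts retrying repeatedly inflate the rejection count without adding new addresses, whereas a zombie swarm adds distinct IPs faster than rejections.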