Weekly spam summary on August 18th, 2007
This week, we:
- got 12,100 messages from 261 different IP addresses.
- handled 22,629 sessions from 2,180 different IP addresses.
- received 434,144 connections from at least 121,837 different IP addresses.
- hit a highwater of 31 connections being checked at once.
So much for any chance that volume would go down compared to last week. I believe that the higher session volume is at least partly because of compromised spam zombies getting past my relatively weak greylisting precautions.
The peak day may be migrating back to Wednesday, but really, all that seems reasonably apparent is that some spammers take weekends off.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 126.96.36.199 25371 1319K terra.es 188.8.131.52/23 19247 935K cox.net 184.108.40.206/24 17643 1059K centrum.cz 220.127.116.11/24 11520 553K adelphia.net 18.104.22.168 8350 484K 22.214.171.124 7739 371K 126.96.36.199/10 6192 342K China 188.8.131.52 5932 356K 184.108.40.206 4727 212K 220.127.116.11 4568 219K
Volume here is down from last week, and not as many of the usual open webmail suspects have shown up.
- 18.104.22.168 kept trying with a bad
HELO; we saw it before in early July.
- 22.214.171.124 returns from late July.
- 126.96.36.199 is SBL52705, although we don't talk to fastwebserver.de anyways.
- 188.8.131.52 is another place we don't talk to because of open webmail; it previously appeared all the way back in December of 2006.
- 184.108.40.206 has bad reverse DNS.
Connection time rejection stats:
203098 total 96920 bad or no reverse DNS 91776 dynamic IP 10786 class bl-cbl 1121 class bl-pbl 264 class bl-sdul 264 class bl-dsbl 213 class bl-sbl 154 dartmail.net 48 acceleratebiz.com 46 officepubs.com 45 220.127.116.11/24 19 class bl-njabl
This is quite a volume increase over last week, almost all of it in the top four reasons. The highest source of SBL rejections this week is SBL57804, a /18 listed as a 'spam source range', with 66 rejections. Following it is SBL49824 )a /27 listed 27 January) with 21 rejections, and SBL52705 (18.104.22.168) with 19 rejections, and SBL55920 (another advance fee fraud spam source) with 17 rejections.
Eighteen of the top 30 most rejected IP addresses were rejected 100 times
or more this week. The leader is 22.214.171.124 (2,259 rejections), followed
by 126.96.36.199 (644 rejections) and 188.8.131.52 (572 rejections).
Seventeen of the top 30 are currently in the CBL, seven are currently in
bl.spamcop.net, twenty are in the PBL, and a grand total of 26 are
(Locally, 19 were rejected for bad or missing reverse DNS, 10 for being dynamic IP addresses, and one for being in the CBL.)
This week, Hotmail had:
- 2 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 26 messages sent to our spamtraps.
- 1 messages refused because its sender address had already hit our spamtraps.
- 4 messages refused due to their origin IP address (two in the CBL, one from Ghana, and one from the Cote d'Ivoire).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading source of bad
HELO attempts this week is 184.108.40.206
(87 attempts), followed by 220.127.116.11 and 18.104.22.168 at 67
Bad bounces were sent to 297 different bad usernames this week, with
the most popular one being
RalphPlatt with 7 attempts. That bad
username pattern staged a resurgence this week, although it is still
fighting it out with various other ones like
Interestingly, I am now seeing some names like
kostaqHovern with a
capital shoved in the middle of the username.