Weekly spam summary on August 18th, 2007
This week, we:
- got 12,100 messages from 261 different IP addresses.
- handled 22,629 sessions from 2,180 different IP addresses.
- received 434,144 connections from at least 121,837 different IP addresses.
- hit a highwater of 31 connections being checked at once.
So much for any chance that volume would go down compared to last week. I believe that the higher session volume is at least partly because of compromised spam zombies getting past my relatively weak greylisting precautions.
Day | Connections | different IPs |
--- | --- | --- |
Sunday | 40,431 | +15,128 |
Monday | 65,293 | +17,229 |
Tuesday | 77,288 | +17,074 |
Wednesday | 70,746 | +20,302 |
Thursday | 61,045 | +17,116 |
Friday | 69,455 | +18,689 |
Saturday | 49,886 | +16,299 |
The peak day may be migrating back to Wednesday, but really, all that seems reasonably apparent is that some spammers take weekends off.
Kernel level packet filtering top ten:

Host/Mask | Packets | Bytes | |
--- | --- | --- | --- |
213.4.149.12 | 25371 | 1319K | terra.es |
68.230.240.0/23 | 19247 | 935K | cox.net |
213.29.7.0/24 | 17643 | 1059K | centrum.cz |
68.168.78.0/24 | 11520 | 553K | adelphia.net |
213.4.149.68 | 8350 | 484K | |
195.238.6.228 | 7739 | 371K | |
61.128.0.0/10 | 6192 | 342K | China |
85.114.132.50 | 5932 | 356K | |
62.94.0.34 | 4727 | 212K | |
200.63.215.74 | 4568 | 219K | |
Volume here is down from last week, and not as many of the usual open webmail suspects have shown up.
- 213.4.149.68 kept trying with a bad HELO; we saw it before in early July.
- 195.238.6.228 returns from late July.
- 85.114.132.50 is SBL52705, although we don't talk to fastwebserver.de anyways.
- 62.94.0.34 is another place we don't talk to because of open webmail; it previously appeared all the way back in December of 2006.
- 200.63.215.74 has bad reverse DNS.
Connection time rejection stats:
203098 | total |
--- | --- |
96920 | bad or no reverse DNS |
91776 | dynamic IP |
10786 | class bl-cbl |
1121 | class bl-pbl |
264 | class bl-sdul |
264 | class bl-dsbl |
213 | class bl-sbl |
154 | dartmail.net |
48 | acceleratebiz.com |
46 | officepubs.com |
45 | 67.98.250.0/24 |
19 | class bl-njabl |
This is quite a volume increase over last week, almost all of it in the top four reasons. The highest source of SBL rejections this week is SBL57804, a /18 listed as a 'spam source range', with 66 rejections. Following it are SBL49824 (a /27 listed 27 January) with 21 rejections, SBL52705 (85.114.132.50) with 19 rejections, and SBL55920 (another advance fee fraud spam source) with 17 rejections.
Eighteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 200.63.215.74 (2,259 rejections), followed by 201.9.243.8 (644 rejections) and 190.65.82.107 (572 rejections).
Seventeen of the top 30 are currently in the CBL, seven are currently in bl.spamcop.net, twenty are in the PBL, and a grand total of 26 are in zen.spamhaus.org.
(Locally, 19 were rejected for bad or missing reverse DNS, 10 for being dynamic IP addresses, and one for being in the CBL.)
This week, Hotmail had:
- 2 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 26 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 4 messages refused due to their origin IP address (two in the CBL, one from Ghana, and one from the Cote d'Ivoire).
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
--- | --- | --- | --- | --- |
Bad HELOs | 1782 | 232 | 1874 | 176 |
Bad bounces | 339 | 268 | 692 | 487 |
The leading source of bad HELO attempts this week is 212.15.28.2 (87 attempts), followed by 67.113.162.150 and 64.80.183.134 at 67 attempts each.
Bad bounces were sent to 297 different bad usernames this week, with the most popular one being RalphPlatt with 7 attempts. That bad username pattern staged a resurgence this week, although it is still fighting it out with various other ones like robachan and p886.
Interestingly, I am now seeing some names like kostaqHovern with a capital shoved in the middle of the username.