Weekly spam summary on August 25th, 2007
This week, we:
- got 10,965 messages from 236 different IP addresses.
- handled 18,098 sessions from 1,724 different IP addresses.
- received 376,478 connections from at least 114,062 different IP addresses.
- hit a highwater of 18 connections being checked at once.
Things are down a bit from last week, but we are still being hammered by spammers, mostly using compromised zombies. The per day table shows the usual fluctuations, and I may have to take back what I said last week about spammers taking the weekend off:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 220.127.116.11 29344 1526K terra.es 18.104.22.168/27 26590 1465K otcpicknews.com 22.214.171.124/23 23006 1117K cox.net 126.96.36.199 16174 970K 188.8.131.52 13962 838K 184.108.40.206/24 13270 796K centrum.cz 220.127.116.11 12254 675K 18.104.22.168 9862 526K 22.214.171.124/24 7506 360K adelphia.net 126.96.36.199/24 5940 332K charter.net
Total volume is up from last week, but that may be because I got aggressive about throwing /24s of advance fee fraud webmail spam sources into the kernel blocks instead of blocking each outbound SMTP gateway one by one. On the other hand, in the top 10 that only explains charter.net; all the other subnets are perennial regulars.
- 188.8.131.52 is in a domain that has sent us (too much) phish spam.
- 184.108.40.206 returns from last week, still in SBL52705 and all.
- 220.127.116.11 is beaconreasearchnews.com and returns from July.
- 18.104.22.168 has bad reverse DNS.
Connection time rejection stats:
177280 total 91953 dynamic IP 73454 bad or no reverse DNS 8910 class bl-cbl 516 qsnews.net 378 class bl-pbl 304 class bl-sbl 293 class bl-sdul 253 class bl-dsbl 128 dartmail.net 38 class bl-njabl 33 officepubs.com
The drastic drop in PBL rejections may partly be because we lost access to the Spamhaus DNSBLs for a few days this week (and may lose access to them for longer, depending on how things shake out). I'd say the same thing about the SBL, but it is actually up somewhat this week.
The highest source of SBL rejections this week is SBL57946 with 263 rejections; Spamhaus lists this as a /28 of 'spam sources', with the record created August 18th. The next up is SBL57804, returning from last week but with only 9 rejections this time around; this may partly be because we have more or less explicit blocks for that network now.
Eighteen of the top 30 most rejected IP addresses were rejected 100
times or more this week. The leader is 22.214.171.124 (1,940 rejections),
followed by 126.96.36.199 (1,215 rejections) and 188.8.131.52 (565
rejections). Thirteen of the top 30 are currently in the CBL, twelve are
bl.spamcop.net, twenty six are in the PBL, and a grand
total of twenty nine are in zen.spamhaus.org; the one IP address out of
the top 30 that is not in zen.spamhaus.org is a qsnews.net machine.
(Locally, 15 were rejected for bad or missing reverse DNS, 13 for being dynamic IP addresses, 1 for being qsnews.net, and 1 for being in the CBL.)
This week, Hotmail had:
- 2 messages accepted.
- 1 messages rejected because it came from a non-Hotmail email address, in this case a msn.com address.
- 33 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one from saix.net, one from the Cote d'Ivoire).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
There was no particularly leading source of bad
HELOs this week;
the highest were 184.108.40.206 (58 attempts) and 220.127.116.11
(51 attempts), both with
Bad bounces were sent to 152 different bad usernames this week, with the
most popular one being
SHOUGEE with 7 attempts. Typical bad usernames
and patterns included
sdasa285; I'm not going to try to pick a winner among the patterns
this week. The most disheartening source of bad username bounces has to
be two from