Weekly spam summary on August 25th, 2007

August 25, 2007

This week, we:

  • got 10,965 messages from 236 different IP addresses.
  • handled 18,098 sessions from 1,724 different IP addresses.
  • received 376,478 connections from at least 114,062 different IP addresses.
  • hit a highwater of 18 connections being checked at once.

Things are down a bit from last week, but we are still being hammered by spammers, mostly using compromised zombies. The per day table shows the usual fluctuations, and I may have to take back what I said last week about spammers taking the weekend off:

Day         Connections   different IPs
Sunday           60,834         +21,210
Monday           54,929         +17,802
Tuesday          66,120         +18,975
Wednesday        46,149         +12,105
Thursday         51,054         +13,753
Friday           52,125         +16,444
Saturday         45,267         +13,773

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          29344   1526K terra.es
206.123.109.0/27      26590   1465K otcpicknews.com
68.230.240.0/23       23006   1117K cox.net
62.75.224.83          16174    970K
85.114.132.50         13962    838K
213.29.7.0/24         13270    796K centrum.cz
72.249.13.81          12254    675K
213.4.149.241          9862    526K
68.168.78.0/24         7506    360K adelphia.net
209.225.8.0/24         5940    332K charter.net

Total volume is up from last week, but that may be because I got aggressive about throwing /24s of advance fee fraud webmail spam sources into the kernel blocks instead of blocking each outbound SMTP gateway one by one. On the other hand, in the top 10 that only explains charter.net; all the other subnets are perennial regulars.

  • 62.75.224.83 is in a domain that has sent us (too much) phish spam.
  • 85.114.132.50 returns from last week, still in SBL52705 and all.
  • 72.249.13.81 is beaconreasearchnews.com and returns from July.
  • 213.4.149.241 has bad reverse DNS.

Connection time rejection stats:

 177280 total
  91953 dynamic IP
  73454 bad or no reverse DNS
   8910 class bl-cbl
    516 qsnews.net
    378 class bl-pbl
    304 class bl-sbl
    293 class bl-sdul
    253 class bl-dsbl
    128 dartmail.net
     38 class bl-njabl
     33 officepubs.com

The drastic drop in PBL rejections may partly be because we lost access to the Spamhaus DNSBLs for a few days this week (and may lose access to them for longer, depending on how things shake out). I'd say the same thing about the SBL, but it is actually up somewhat this week.

The highest source of SBL rejections this week is SBL57946 with 263 rejections; Spamhaus lists this as a /28 of 'spam sources', with the record created August 18th. The next up is SBL57804, returning from last week but with only 9 rejections this time around; this may partly be because we have more or less explicit blocks for that network now.

Eighteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 88.234.24.235 (1,940 rejections), followed by 200.28.226.14 (1,215 rejections) and 85.96.134.232 (565 rejections). Thirteen of the top 30 are currently in the CBL, twelve are currently in bl.spamcop.net, twenty six are in the PBL, and a grand total of twenty nine are in zen.spamhaus.org; the one IP address out of the top 30 that is not in zen.spamhaus.org is a qsnews.net machine.

(Locally, 15 were rejected for bad or missing reverse DNS, 13 for being dynamic IP addresses, 1 for being qsnews.net, and 1 for being in the CBL.)
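As an added illustration of the zen.spamhaus.org lookups behind the CBL/PBL/SBL counts above (example code, not the blog's own rejection code): build the reversed-octet query name, map the zen return codes onto the rejection classes used in these summaries, and fail open when the list answers with something it should not, which is what "losing access" to the DNSBLs looks like from the client side. The DNS answers below are constructed, not the real listing status of those addresses.

```python
import ipaddress

# zen.spamhaus.org return codes mapped onto the rejection classes used in
# the weekly summaries (XBL carries the CBL data; 127.0.0.3 postdates 2007).
ZEN_CODES = {
    "127.0.0.2": "bl-sbl",
    "127.0.0.3": "bl-sbl",   # CSS, reported in the SBL range
    "127.0.0.4": "bl-cbl",   # XBL, 127.0.0.4 through 127.0.0.7
    "127.0.0.5": "bl-cbl",
    "127.0.0.6": "bl-cbl",
    "127.0.0.7": "bl-cbl",
    "127.0.0.9": "bl-sbl",   # SBL DROP
    "127.0.0.10": "bl-pbl",
    "127.0.0.11": "bl-pbl",
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def classify(ip, resolve, zone="zen.spamhaus.org"):
    """Return the set of rejection classes the DNSBL reports for ip.

    resolve(name) is a hypothetical resolver callable returning the A-record
    strings for name, or [] when the name does not exist (not listed).
    """
    classes = set()
    for answer in resolve(dnsbl_query_name(ip, zone)):
        cls = ZEN_CODES.get(answer)
        if cls is None:
            # Unknown code: the list refused us or is misbehaving. Fail open
            # (treat as not listed) instead of rejecting legitimate mail.
            continue
        classes.add(cls)
    return classes


# Constructed answers standing in for live DNS; addresses are the ones
# named in the summary, their listing status here is invented.
FAKE_DNS = {
    "235.24.234.88.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # CBL+PBL
    "14.226.28.200.zen.spamhaus.org": ["127.0.0.11"],               # PBL
    "232.134.96.85.zen.spamhaus.org": ["127.255.255.254"],          # error
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("88.234.24.235", "200.28.226.14", "85.96.134.232", "72.249.13.81"):
        print(ip, sorted(classify(ip, fake_resolve)) or ["not listed"])
```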

This week, Hotmail had:

  • 2 messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address, in this case a msn.com address.
  • 33 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one from saix.net, one from the Cote d'Ivoire).

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs        949 (168)                   1782 (232)
Bad bounces      162 (121)                    339 (268)

There was no particularly leading source of bad HELOs this week; the highest were 207.245.38.236 (58 attempts) and 203.86.238.105 (51 attempts), both with .local names.

Bad bounces were sent to 152 different bad usernames this week, with the most popular one being SHOUGEE with 7 attempts. Typical bad usernames and patterns included xxqsfclq, JarvisSloan, Eloy, mj, and sdasa285; I'm not going to try to pick a winner among the patterns this week. The most disheartening source of bad username bounces has to be two from mail-abuse.org.

Written on 25 August 2007.

Last modified: Sat Aug 25 23:33:10 2007