Weekly spam summary on September 1st, 2007
This week, we:
- got 10,298 messages from 262 different IP addresses.
- handled 19,100 sessions from 1,599 different IP addresses.
- received 373,200 connections from at least 118,510 different IP addresses.
- hit a highwater of 14 connections being checked at once.
This is about the same volume as last week. We continue to have a lot of spam zombies hitting us, but this week they seem to have shifted towards the weekend:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 18.104.22.168/27 31267 1720K otcpicknews.com 22.214.171.124/23 18881 917K cox.net 126.96.36.199 12354 679K 188.8.131.52 6214 307K 184.108.40.206/24 6183 371K centrum.cz 220.127.116.11 5048 249K 18.104.22.168 4389 241K 22.214.171.124 4058 192K 126.96.36.199 3347 161K 188.8.131.52/24 2899 159K
Volume is down significantly compared to last week, but the real big news is that several of the usual suspects aren't even in the picture, especially 184.108.40.206, a terra.es mailserver that has been maintaining a death grip on the top slot for several weeks now.
- 220.127.116.11 returns from last week.
- 18.104.22.168, 22.214.171.124, and 126.96.36.199 all kept trying to send us email with an origin address that had already tripped our spamtraps.
- 188.8.131.52 and 184.108.40.206 are both things we consider dynamic IP addresses.
Connection time rejection stats:
172775 total 86025 dynamic IP 76495 bad or no reverse DNS 7354 class bl-cbl 592 class bl-pbl 351 qsnews.net 291 class bl-sbl 217 class bl-dsbl 138 220.127.116.11/26 137 class bl-sdul 69 cuttingedgemedia.com 48 18.104.22.168/24 10 class bl-njabl
The highest source of SBL rejections this week is SBL57946 with 158 rejections; Spamhaus lists this /28 for having 'spam sources' and quotes a message from fluteu.com for offerm.info. This explains why fluteu.com looked like such a familiar name when I poked into another subnet to see what else it had besides a lot of very active hosts of an abovev.com (which was sending for one rockc.info). The next up SBL listing is SBL56968 with 36 rejections, an apparently hacked webserver sending advance fee fraud spam, followed by SBL48694 with 26 rejections.
A depressing twenty seven of the top 30 most rejected IP addresses
were rejected 100 times or more this week; the leader is 22.214.171.124
(1,004 rejections), followed by 126.96.36.199 (606 rejections),
188.8.131.52 (306 rejections for being qsnews.net), and 184.108.40.206
(202 rejections). Seventeen of the top 30 are currently in the CBL,
fourteen are currently in
bl.spamcop.net, twenty one are in the PBL,
and a grand total of twenty five are in zen.spamhaus.org.
(Locally, 18 were rejected for bad or missing reverse DNS, 10 for being dynamic IPs, 1 for being kornet.net, and 1 for being qsnews.net.)
This week, Hotmail had:
- 3 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 51 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 7 messages refused due to their origin IP address (two in SBL51609, one in SBL38278, one from saix.net, one from Ghana, one from the Cote d'Ivoire, and one from the United Arab Emirates).
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
There was no big source of bad
HELOs this week; the most prolific
source had only 27 rejections.
Bad bounces were sent to 44 different bad usernames this week, with the
most popular one being
kouta09 with 3 attempts (
week's leader, is in a many-way tie for second place at 2 attempts).
Other representative bad usernames include
LynnHowell; there were also some ex-users. Interestingly, one of
the FirstLast bad usernames is the real name of one of our actual users,
which I am going to chalk up to complete coincidence.
This week's most amusing source of bad bounces is a US Army machine called bouncedr1.us.army.mil. Otherwise the list of sources is dominated by ezweb.ne.jp, verizon.net, softbank.ne.jp, and Earthlink.