Weekly spam summary on September 1st, 2007
This week, we:
- got 10,298 messages from 262 different IP addresses.
- handled 19,100 sessions from 1,599 different IP addresses.
- received 373,200 connections from at least 118,510 different IP addresses.
- hit a highwater of 14 connections being checked at once.
This is about the same volume as last week. We continue to have a lot of spam zombies hitting us, but this week they seem to have shifted towards the weekend:
Day | Connections | different IPs |
Sunday | 64,543 | +21,955 |
Monday | 62,519 | +18,537 |
Tuesday | 47,022 | +17,692 |
Wednesday | 47,829 | +15,393 |
Thursday | 43,019 | +13,973 |
Friday | 44,451 | +14,954 |
Saturday | 63,817 | +16,006 |
Kernel level packet filtering top ten:
Host/Mask | Packets | Bytes | Domain |
206.123.109.0/27 | 31267 | 1720K | otcpicknews.com |
68.230.240.0/23 | 18881 | 917K | cox.net |
72.249.13.81 | 12354 | 679K | |
128.121.79.13 | 6214 | 307K | |
213.29.7.0/24 | 6183 | 371K | centrum.cz |
204.202.2.242 | 5048 | 249K | |
194.150.111.66 | 4389 | 241K | |
76.204.42.226 | 4058 | 192K | |
24.6.46.2 | 3347 | 161K | |
216.40.44.0/24 | 2899 | 159K | |
Volume is down significantly compared to last week, but the real big news is that several of the usual suspects aren't even in the picture, especially 213.4.149.12, a terra.es mailserver that has been maintaining a death grip on the top slot for several weeks now.
- 72.249.13.81 returns from last week.
- 128.121.79.13, 204.202.2.242, and 194.150.111.66 all kept trying to send us email with an origin address that had already tripped our spamtraps.
- 76.204.42.226 and 24.6.46.2 are both things we consider dynamic IP addresses.
Connection time rejection stats:
Rejections | Reason |
172775 | total |
86025 | dynamic IP |
76495 | bad or no reverse DNS |
7354 | class bl-cbl |
592 | class bl-pbl |
351 | qsnews.net |
291 | class bl-sbl |
217 | class bl-dsbl |
138 | 209.74.245.0/26 |
137 | class bl-sdul |
69 | cuttingedgemedia.com |
48 | 72.18.198.0/24 |
10 | class bl-njabl |
The highest source of SBL rejections this week is SBL57946 with 158 rejections; Spamhaus lists this /28 for having 'spam sources' and quotes a message from fluteu.com for offerm.info. This explains why fluteu.com looked like such a familiar name when I poked into another subnet to see what else it had besides a lot of very active hosts of an abovev.com (which was sending for one rockc.info). The next up SBL listing is SBL56968 with 36 rejections, an apparently hacked webserver sending advance fee fraud spam, followed by SBL48694 with 26 rejections.
A depressing twenty seven of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 221.6.15.4 (1,004 rejections), followed by 222.103.62.26 (606 rejections), 216.213.172.11 (306 rejections for being qsnews.net), and 81.193.16.157 (202 rejections). Seventeen of the top 30 are currently in the CBL, fourteen are currently in bl.spamcop.net, twenty one are in the PBL, and a grand total of twenty five are in zen.spamhaus.org. (Locally, 18 were rejected for bad or missing reverse DNS, 10 for being dynamic IPs, 1 for being kornet.net, and 1 for being qsnews.net.)
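The rejection categories above (bad or missing reverse DNS, dynamic IPs, and the bl-cbl/bl-pbl/bl-sbl classes from DNSBL lookups) are easy to misread if you have never built the lookup yourself. The following is an added example, not code from this post or the mail system it describes: it shows how a DNSBL query name is formed from an IP, how the documented 127.0.0.x answers from zen.spamhaus.org decode into SBL, XBL (the zone the CBL data feeds) and PBL components, and how a connection-time check could order those tests and tally the results into a table like the one above. The "dynamic-looking reverse name" heuristic, the sample connections (RFC 5737 documentation addresses) and the canned DNSBL answers are all constructed for the example; a real deployment would ask its resolver instead.

```python
import ipaddress
import re
from collections import Counter
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Documented return codes for the combined zen.spamhaus.org zone.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",   # CSS listings are returned as part of the SBL
    "127.0.0.4": "XBL",   # the CBL data feeds the XBL
    "127.0.0.9": "SBL",   # DROP listings
    "127.0.0.10": "PBL",  # ISP-maintained PBL ranges
    "127.0.0.11": "PBL",  # Spamhaus-maintained PBL ranges
}

# Map a zen component onto the class names used in the weekly tables.
CLASS_FOR = {"SBL": "class bl-sbl", "XBL": "class bl-cbl", "PBL": "class bl-pbl"}

# Hypothetical heuristic (an assumption, not the post's rule) for reverse
# names that look like dynamic or pool addresses.
DYNAMIC_HINT = re.compile(r"(^|[.-])(dyn|dynamic|dhcp|ppp|pool|dsl|cable)([.-]|\d)", re.I)

# A resolver maps a query name to its A-record answers; [] stands for NXDOMAIN.
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """A DNSBL lookup reverses the octets and appends the zone: 1.2.3.4 -> 4.3.2.1.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def zen_components(ip: str, resolve: Resolver) -> List[str]:
    """Decode which zen components list this IP from the 127.0.0.x answers."""
    seen: List[str] = []
    for answer in resolve(dnsbl_query_name(ip, "zen.spamhaus.org")):
        name = ZEN_CODES.get(answer)
        if name and name not in seen:
            seen.append(name)
    return seen


def classify_connection(ip: str, reverse_name: Optional[str], resolve: Resolver) -> Optional[str]:
    """Return the rejection reason, or None to let the connection continue.

    Cheap local checks (missing reverse DNS, dynamic-looking reverse name) run
    first; the DNSBL lookup runs last, with SBL treated as the most serious hit.
    """
    if not reverse_name:
        return "bad or no reverse DNS"
    if DYNAMIC_HINT.search(reverse_name):
        return "dynamic IP"
    components = zen_components(ip, resolve)
    for component in ("SBL", "XBL", "PBL"):
        if component in components:
            return CLASS_FOR[component]
    return None


def rejection_stats(connections: Sequence[Tuple[str, Optional[str]]], resolve: Resolver) -> Counter:
    """Tally rejection reasons the way a 'connection time rejection stats' table does."""
    stats: Counter = Counter()
    for ip, reverse_name in connections:
        reason = classify_connection(ip, reverse_name, resolve)
        if reason:
            stats[reason] += 1
            stats["total"] += 1
    return stats


# Constructed DNSBL answers keyed by query name (what a resolver would return).
FAKE_ZONE: Dict[str, List[str]] = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"],  # SBL and PBL; SBL wins
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4"],             # XBL (CBL) only
    "9.113.0.203.zen.spamhaus.org": ["127.0.0.11"],             # PBL only
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])


# Constructed week of connections: (source IP, reverse DNS name or None).
SAMPLE_CONNECTIONS: List[Tuple[str, Optional[str]]] = [
    ("192.0.2.10", "mail.example.net"),
    ("192.0.2.11", None),
    ("192.0.2.12", "dyn-12.example.net"),
    ("198.51.100.7", "host7.example.org"),
    ("203.0.113.5", "pool-5.example.com"),
    ("203.0.113.9", "relay.example.com"),
    ("203.0.113.20", "clean.example.com"),
]


def weekly_example() -> Counter:
    """Run the sample week through the classifier and return the tally."""
    return rejection_stats(SAMPLE_CONNECTIONS, fake_resolver)


if __name__ == "__main__":
    for reason, count in weekly_example().most_common():
        print(f"{count:>6} {reason}")
```

The ordering of the checks is the design decision worth noticing: the local tests cost nothing and settle most of the volume (as the table above shows, dynamic IPs and missing reverse DNS dwarf every DNSBL class), so the DNS lookup only runs for the remainder, and a host that is in both the SBL and the PBL is reported under the more serious listing.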
This week, Hotmail had:
- 3 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 51 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 7 messages refused due to their origin IP address (two in SBL51609, one in SBL38278, one from saix.net, one from Ghana, one from the Cote d'Ivoire, and one from the United Arab Emirates).
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs | 607 | 133 | 949 | 168 |
Bad bounces | 51 | 23 | 162 | 121 |
There was no big source of bad HELOs this week; the most prolific source had only 27 rejections.
Bad bounces were sent to 44 different bad usernames this week, with the most popular one being kouta09 with 3 attempts (SHOUGEE, last week's leader, is in a many-way tie for second place at 2 attempts). Other representative bad usernames include cttvlowqneh, t-ishizaka, and LynnHowell; there were also some ex-users. Interestingly, one of the FirstLast bad usernames is the real name of one of our actual users, which I am going to chalk up to complete coincidence.
This week's most amusing source of bad bounces is a US Army machine called bouncedr1.us.army.mil. Otherwise the list of sources is dominated by ezweb.ne.jp, verizon.net, softbank.ne.jp, and Earthlink.