Weekly spam summary on September 8th, 2007

September 8, 2007

This week, we:

  • got 10,541 messages from 243 different IP addresses.
  • handled 22,006 sessions from 1,956 different IP addresses.
  • received 515,114 connections from at least 130,401 different IP addresses.
  • hit a highwater of 10 connections being checked at once.

Connection volume has jumped significantly from last week and session volume is up, which suggests that our simplistic greylisting stuff is no longer working quite as well as it used to.

Day Connections different IPs
Sunday 66,287 +19,898
Monday 81,716 +20,201
Tuesday 77,800 +22,654
Wednesday 76,168 +20,254
Thursday 79,948 +17,648
Friday 87,905 +16,866
Saturday 45,290 +12,880

If I want to be optimistic I could see the Saturday figure as the spammers behind the onslaught deciding to give up on it for now, but I'm not sure that I'm that optimistic.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       24358   1183K cox.net
168.95.4.0/24         24110   1108K hinet.net
64.18.147.0/24        19951   1197K
206.123.109.0/27      19181   1054K otcpicknews.com
72.249.13.81          12028    660K
68.99.120.0/24         8064    379K coxmail.com
68.168.78.0/24         6751    324K adelphia.net
213.29.7.0/24          6508    390K centrum.cz
195.140.132.28         5824    319K
128.121.79.13          4802    237K

This is up significantly from last week, probably partly because I was aggressive about throwing webmail advance fee fraud spam /24s into the kernel blocks.

  • 64.18.147.0/24 is the home of abovev.com, as mentioned last week, along with some fluteu.com hosts.
  • 72.249.13.81 returns from last week and several weeks before. The odds of them getting the hint appear to be low.
  • 195.140.132.28 kept trying with what appears to have been phish spam.
  • 128.121.79.13 returns from last week.

Connection time rejection stats:

 245556 total
 159938 bad or no reverse DNS
  74505 dynamic IP
   7569 class bl-cbl
    784 class bl-pbl
    726 class bl-sbl
    255 class bl-sdul
    228 class bl-dsbl
     14 class bl-njabl

This is up a heck of a lot from last week, which doesn't really surprise me. The highest source of SBL rejections this week is the same as last week: SBL57946, with 536 rejections. Following them is SBL44331, a /24 of the ROKSO-listed Expedite Media Group, with 52 rejections, SBL51995, a machine that seems to have been spamming since March 5th 2007, with 30 rejections, and SBL48694 with 20 rejections.

All thirty of the top 30 most rejected IP addresses this week were rejected 100 times or more. The leader is 89.0.109.102 (1,588 rejections), followed by 58.61.48.1 (913 rejections), 88.238.85.117 (760 rejections), and 77.193.206.154 (608 rejections). Fourteen of the top 30 are currently in the CBL, fifteen are currently in bl.spamcop.net, twenty one are in the PBL, and a grand total of 28 are in zen.spamhaus.org. One of the two IP addresses not in zen.spamhaus.org is in bl.spamcop.net; the other one is a Chinese IP address with no reverse DNS that seems to be running a Microsoft mailer.

(Locally, 29 were rejected for having bad or missing reverse DNS and 1 for being a dynamic IP.)

This week Hotmail had:

  • 3 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 31 messages sent to our spamtraps.
  • 12 messages refused because their sender addresses had already hit our spamtraps.
  • 1 messages refused due to its origin IP address being in the CBL.

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 1794 187 607 133
Bad bounces 481 285 51 23

The leading source of bad HELOs this week is 65.64.169.122 (81 attempts), followed by 70.54.227.99 (72 attempts), 200.43.240.207 (65 attempts), and 212.113.174.31 (62 attempts). The latter is one of netcabo.pt's outgoing mail servers, and I suspect that we wouldn't want to talk to them even if they could get their HELO names to look good.

Bad bounces were sent to 388 different bad usernames this week, with the most popular one being ShaunStanton with 39 attempts, closely followed by bhikhu_Dagastino with 36 attempts. Other representative bad usernames include lubomila, gojyahyafa, and yama326. One bad bounce was sent to an all-numeric username this week, 92047204.

The leading source of bad bounces this week was 87.216.221.27, followed by 200.198.125.180; other contributions came from the usual suspects, including ezweb.ne.jp and softbank.ne.jp. Several came from Google machines, to my disappointment.

Written on 08 September 2007.
« My view of what 'strongly typed' means
Rethinking my views of Fibrechannel »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Sep 8 23:38:55 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.