Weekly spam summary on September 8th, 2007
This week, we:
- got 10,541 messages from 243 different IP addresses.
- handled 22,006 sessions from 1,956 different IP addresses.
- received 515,114 connections from at least 130,401 different IP addresses.
- hit a highwater of 10 connections being checked at once.
Connection volume has jumped significantly from last week and session volume is up, which suggests that our simplistic greylisting stuff is no longer working quite as well as it used to.
| Day | Connections | different IPs |
| --- | --- | --- |
| Sunday | 66,287 | +19,898 |
| Monday | 81,716 | +20,201 |
| Tuesday | 77,800 | +22,654 |
| Wednesday | 76,168 | +20,254 |
| Thursday | 79,948 | +17,648 |
| Friday | 87,905 | +16,866 |
| Saturday | 45,290 | +12,880 |
If I want to be optimistic I could see the Saturday figure as the spammers behind the onslaught deciding to give up on it for now, but I'm not sure that I'm that optimistic.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes | |
| --- | --- | --- | --- |
| 68.230.240.0/23 | 24358 | 1183K | cox.net |
| 168.95.4.0/24 | 24110 | 1108K | hinet.net |
| 64.18.147.0/24 | 19951 | 1197K | |
| 206.123.109.0/27 | 19181 | 1054K | otcpicknews.com |
| 72.249.13.81 | 12028 | 660K | |
| 68.99.120.0/24 | 8064 | 379K | coxmail.com |
| 68.168.78.0/24 | 6751 | 324K | adelphia.net |
| 213.29.7.0/24 | 6508 | 390K | centrum.cz |
| 195.140.132.28 | 5824 | 319K | |
| 128.121.79.13 | 4802 | 237K | |
This is up significantly from last week, probably partly because I was aggressive about throwing webmail advance fee fraud spam /24s into the kernel blocks.
- 64.18.147.0/24 is the home of abovev.com, as mentioned last week, along with some fluteu.com hosts.
- 72.249.13.81 returns from last week and several weeks before. The odds of them getting the hint appear to be low.
- 195.140.132.28 kept trying with what appears to have been phish spam.
- 128.121.79.13 returns from last week.
Connection time rejection stats:
- 245556 total
- 159938 bad or no reverse DNS
- 74505 dynamic IP
- 7569 class bl-cbl
- 784 class bl-pbl
- 726 class bl-sbl
- 255 class bl-sdul
- 228 class bl-dsbl
- 14 class bl-njabl
This is up a heck of a lot from last week, which doesn't really surprise me. The highest source of SBL rejections this week is the same as last week: SBL57946, with 536 rejections. Following them is SBL44331, a /24 of the ROKSO-listed Expedite Media Group, with 52 rejections, SBL51995, a machine that seems to have been spamming since March 5th 2007, with 30 rejections, and SBL48694 with 20 rejections.
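To show where counts like these come from, here is an added example (not the blog's or its mail system's own code) of a connection-time classifier that checks reverse DNS first, then a dynamic-looking PTR name, then a zen-style DNSBL answer, and tallies rejections by class. The answer-code mapping onto the class names above and the dynamic-name pattern are this example's assumptions, and the sample connections and resolver are constructed so it runs offline.

```python
import re
from collections import Counter

# Assumed mapping of zen.spamhaus.org answer codes (127.0.0.2 SBL, .3 CSS,
# .4-.7 XBL, .10-.11 PBL) onto the summary's class names.
ZEN_CODES = {
    "127.0.0.2": "bl-sbl", "127.0.0.3": "bl-sbl",
    "127.0.0.4": "bl-cbl", "127.0.0.5": "bl-cbl",
    "127.0.0.6": "bl-cbl", "127.0.0.7": "bl-cbl",
    "127.0.0.10": "bl-pbl", "127.0.0.11": "bl-pbl",
}
# Crude "looks like a dynamic/residential pool" heuristic on the PTR name.
DYNAMIC_RE = re.compile(r"(^|[.-])(dyn|dynamic|dhcp|ppp|dsl|cable|pool)([.-]|\d)", re.I)

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets: 192.0.2.12 -> 12.2.0.192.zen.spamhaus.org."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(ip, ptr, lookup):
    """Rejection class for one connection, or None to accept. ptr is the
    reverse DNS name (None if missing); lookup(name) -> answer or None."""
    if not ptr:
        return "bad or no reverse DNS"
    if DYNAMIC_RE.search(ptr):
        return "dynamic IP"
    answer = lookup(dnsbl_name(ip))
    if answer:
        return ZEN_CODES.get(answer, "bl-other")

def tally(connections, lookup):
    """Count rejections by class, plus a 'total' line like the summary's."""
    counts = Counter()
    for ip, ptr in connections:
        cls = classify(ip, ptr, lookup)
        if cls:
            counts[cls] += 1
    counts["total"] = sum(counts.values())
    return counts

# Constructed sample (RFC 5737 addresses, invented PTR names) and offline resolver.
SAMPLE = [
    ("192.0.2.10", None),                          # no reverse DNS
    ("192.0.2.11", "dyn-192-0-2-11.example.net"),  # dynamic-looking PTR
    ("192.0.2.12", "mail.example.org"),            # listed in FAKE_ZEN as XBL
    ("192.0.2.13", "mx.example.com"),              # clean, accepted
    ("192.0.2.14", "pool-14.example.net"),         # dynamic-looking PTR
]
FAKE_ZEN = {"12.2.0.192.zen.spamhaus.org": "127.0.0.4"}
fake_lookup = FAKE_ZEN.get  # stand-in resolver: listed query name -> answer
```

Checking reverse DNS before any DNSBL query is what keeps the bl-* counts small relative to the first two lines: a connection is only counted under the first test it fails.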
All thirty of the top 30 most rejected IP addresses this week were rejected 100 times or more. The leader is 89.0.109.102 (1,588 rejections), followed by 58.61.48.1 (913 rejections), 88.238.85.117 (760 rejections), and 77.193.206.154 (608 rejections). Fourteen of the top 30 are currently in the CBL, fifteen are currently in bl.spamcop.net, twenty one are in the PBL, and a grand total of 28 are in zen.spamhaus.org. One of the two IP addresses not in zen.spamhaus.org is in bl.spamcop.net; the other one is a Chinese IP address with no reverse DNS that seems to be running a Microsoft mailer.
(Locally, 29 were rejected for having bad or missing reverse DNS and 1 for being a dynamic IP.)
This week Hotmail had:
- 3 messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 31 messages sent to our spamtraps.
- 12 messages refused because their sender addresses had already hit our spamtraps.
- 1 message refused due to its origin IP address being in the CBL.
And the final numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| --- | --- | --- | --- | --- |
| Bad HELOs | 1794 | 187 | 607 | 133 |
| Bad bounces | 481 | 285 | 51 | 23 |
The leading source of bad HELOs this week is 65.64.169.122 (81 attempts), followed by 70.54.227.99 (72 attempts), 200.43.240.207 (65 attempts), and 212.113.174.31 (62 attempts). The latter is one of netcabo.pt's outgoing mail servers, and I suspect that we wouldn't want to talk to them even if they could get their HELO names to look good.
Bad bounces were sent to 388 different bad usernames this week, with the most popular one being ShaunStanton with 39 attempts, closely followed by bhikhu_Dagastino with 36 attempts. Other representative bad usernames include lubomila, gojyahyafa, and yama326. One bad bounce was sent to an all-numeric username this week, 92047204.
The leading source of bad bounces this week was 87.216.221.27, followed by 200.198.125.180; other contributions came from the usual suspects, including ezweb.ne.jp and softbank.ne.jp. Several came from Google machines, to my disappointment.