Weekly spam summary on September 15th, 2007
This week, we:
- got 11,963 messages from 272 different IP addresses.
- handled 20,658 sessions from 1,625 different IP addresses.
- received 433,498 connections from at least 123,409 different IP addresses.
- hit a highwater of 8 connections being checked at once.
Volume is down a fair bit from last week, although it is nowhere near the levels I would like it to be at. The daily volume stats show major swings throughout the week:
Kernel level packet filtering top ten:
Host/Mask            Packets   Bytes
126.96.36.199/27     23682     1306K   otcpicknews.com
188.8.131.52/23      18260     887K    cox.net
184.108.40.206       15825     870K
220.127.116.11/24    11265     676K    centrum.cz
18.104.22.168        10054     603K
22.214.171.124       7854      388K
126.96.36.199        6290      302K
188.8.131.52         6090      292K
184.108.40.206       5684      341K
220.127.116.11       5181      249K
Volume is actually down a bit from last week, somewhat to my surprise, apparently because the top sources this week weren't as active as the top sources last week. Also, rather to my shock, most of the webmail advance fee fraud netblocks have fallen out of the top ten.
- 18.104.22.168 returns from last week and quite a number of weeks before, still beaconresearchnews.com. Apparently they can't take a hint.
- 22.214.171.124 and 126.96.36.199 are dynamic IP addresses.
- 188.8.131.52, 184.108.40.206, and 220.127.116.11 kept trying with
- 18.104.22.168 kept trying to send us phish spam that had already tripped our spamtraps.
Connection time rejection stats:
192650 total
106734 bad or no reverse DNS
 75182 dynamic IP
  7801 class bl-cbl
   679 class bl-pbl
   346 class bl-dsbl
   165 class bl-sdul
    91 class bl-njabl
    90 qsnews.net
    68 22.214.171.124/24
    43 class bl-sbl
The 126.96.36.199/24 subnet belongs to something called 'Bushido Marketing', bushidomarketing.com. Due to various events we have decided that we are not interested in accepting email from them; looking at the list of domain names trying to talk to us, I don't think we're missing anything we want. You would think that people who want to have their email accepted would pick better domain names than easyinternetdeal.com, newmoneyonline.com, and hotbusinessforyou.com.
Sixteen of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 188.8.131.52 (250 rejections), followed by 184.108.40.206 (214 rejections) and 220.127.116.11 (206 rejections). Twenty of the top 30 are currently in the CBL, one is currently in bl.spamcop.net, twenty-one are in the PBL, and a grand total of twenty-seven are in zen.spamhaus.org.
(Locally, 22 were rejected for bad or missing reverse DNS, 7 for being dynamic IP addresses, and one for being versanet.de.)
This week Hotmail had:
- 3 messages accepted.
- 1 message rejected because it came from a non-Hotmail email address.
- 28 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 1 message refused due to its origin IP address being in the Cote d'Ivoire.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading source of bad HELOs this week is 18.104.22.168 (61 attempts), a machine with a terribly generic xo.net reverse DNS and a HELO that ended in .local. Everything else was under 50 attempts.
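The connection-time checks tallied above (bad or missing reverse DNS, dynamic-looking reverse DNS, DNSBL listings) and the bad-HELO check are simple enough to reproduce over a batch of session records. The following Python is an added example, not code from this post or its mail system: it runs those checks over constructed session records and produces the same kind of per-reason and per-IP tallies the summary reports. The dynamic-rDNS patterns, the rule that an unqualified HELO name is bad, and the in-memory DNSBL table are all assumptions standing in for the real DNS lookups.

```python
import re
from collections import Counter

# Constructed sample of connection-time session records:
# (client IP, reverse DNS name or None if there was none, HELO string).
# These are made-up values, not the post's own data.
SAMPLE_SESSIONS = [
    ("192.0.2.10", "mail.example.net", "mail.example.net"),
    ("192.0.2.11", None, "mail.example.net"),
    ("192.0.2.12", "dsl-192-0-2-12.example-isp.net", "host"),
    ("192.0.2.13", "ppp12.dyn.example-isp.net", "WORKSTATION.local"),
    ("192.0.2.14", "static.example-host.com", "WORKSTATION.local"),
    ("192.0.2.11", None, "[192.0.2.11]"),
    ("192.0.2.15", "relay.example.org", "relay.example.org"),
]

# Constructed stand-in for DNSBL lookups (the real checks are DNS queries
# against zones such as zen.spamhaus.org); maps client IP -> list name.
CONSTRUCTED_DNSBL = {"192.0.2.15": "bl-cbl"}

# Assumed heuristics for "this reverse DNS looks like a dynamic address":
# a provider keyword as a label prefix, or the IP's octets embedded in the name.
DYNAMIC_RDNS = re.compile(r"(^|[.-])(dsl|ppp|dyn|dhcp|cable|dialup)([.-]|\d)", re.I)
RDNS_WITH_OCTETS = re.compile(r"\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}")


def rejection_reason(ip, rdns, helo):
    """Return the first connection-time rejection reason that applies, or None."""
    if rdns is None:
        return "bad or no reverse DNS"
    if DYNAMIC_RDNS.search(rdns) or RDNS_WITH_OCTETS.search(rdns):
        return "dynamic IP"
    if ip in CONSTRUCTED_DNSBL:
        return "class " + CONSTRUCTED_DNSBL[ip]
    # A HELO ending in .local is never a public mail host; an unqualified
    # name (no dot) is treated the same way here (assumption). A bracketed
    # address literal like [192.0.2.11] is legal and is left alone.
    if helo.lower().endswith(".local") or "." not in helo.strip("[]"):
        return "bad HELO"
    return None


def summarize(sessions):
    """Tally accepted sessions, rejections per reason, and rejections per IP."""
    reasons = Counter()
    rejected_ips = Counter()
    accepted = 0
    for ip, rdns, helo in sessions:
        reason = rejection_reason(ip, rdns, helo)
        if reason is None:
            accepted += 1
        else:
            reasons[reason] += 1
            rejected_ips[ip] += 1
    return accepted, reasons, rejected_ips


def report(sessions, top_n=3):
    """Render the tallies in the same shape as the weekly summary."""
    accepted, reasons, rejected_ips = summarize(sessions)
    lines = [f"{sum(reasons.values())} total rejected, {accepted} accepted"]
    for reason, count in reasons.most_common():
        lines.append(f"{count:6d} {reason}")
    lines.append("most rejected IPs: " + ", ".join(
        f"{ip} ({n})" for ip, n in rejected_ips.most_common(top_n)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SESSIONS))
```

Rules are applied in the order the summary lists them, so a session counts under the first reason that fires; that is why the `summarize()` totals are per reason, not per rule matched.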
Bad bounces were sent to 105 different bad usernames this week, with the most popular one being a tie between
with 6 attempts each; SHOUGEE made a valiant try with 5 attempts.
Other representative bad usernames include
This week's most active single source is the informatively named host.vngt.vn; the one I find the most amusing, or perhaps the most apt, is bulk.resource.org. Other contributions came from ezweb.ne.jp, verizon.net, softbank.ne.jp, and to my displeasure, a number from Google.