Weekly spam summary on September 15th, 2007

September 15, 2007

This week, we:

  • got 11,963 messages from 272 different IP addresses.
  • handled 20,658 sessions from 1,625 different IP addresses.
  • received 433,498 connections from at least 123,409 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

Volume is down a fair bit from last week, although it is nowhere near the levels I would like it to be at. The daily volume stats show major swings throughout the week:

Day Connections different IPs
Sunday 41,934 +18,483
Monday 50,481 +16,750
Tuesday 82,442 +18,106
Wednesday 81,613 +17,540
Thursday 73,869 +19,751
Friday 62,399 +20,100
Saturday 40,760 +12,679

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes      23682   1306K otcpicknews.com       18260    887K cox.net          15825    870K         11265    676K centrum.cz         10054    603K         7854    388K           6290    302K          6090    292K           5684    341K         5181    249K

Volume is actually down a bit from last week, somewhat to my surprise, apparently because the top sources this week weren't as active as the top sources last week. Also, rather to my shock, most of the webmail advance fee fraud netblocks have fallen out of the top ten.

  • returns from last week and quite a number of weeks before, still beaconresearchnews.com. Apparently they can't take a hint.
  • and are dynamic IP addresses.
  •,, and kept trying with bad HELO greetings.
  • kept trying to send us phish spam that had already tripped our spamtraps.

Connection time rejection stats:

 192650 total
 106734 bad or no reverse DNS
  75182 dynamic IP
   7801 class bl-cbl
    679 class bl-pbl
    346 class bl-dsbl
    165 class bl-sdul
     91 class bl-njabl
     90 qsnews.net
     43 class bl-sbl

The subnet belongs to something called 'Bushido Marketing', bushidomarketing.com. Due to various events we have decided that we are not interested in accepting email from them; looking at the list of domain names trying to talk to us, I don't think we're missing anything we want. You would think that people want to have their email accepted would pick better domain names than easyinternetdeal.com, newmoneyonline.com, and hotbusinessforyou.com.

The highest source of SBL rejections this week is SBL48694 with 10 rejections, who return from third place last week.

Sixteen of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is (250 rejections), followed by (214 rejections) and (206 rejections). Twenty of the top 30 are currently in the CBL, one is currently in bl.spamcop.net, twenty one are in the PBL, and a grand total of twenty seven are in zen.spamhaus.org.

(Locally, 22 were rejected for bad or missing reverse DNS, 7 for being dynamic IP addresses, and one for being versanet.de.)

This week Hotmail had:

  • 3 messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address.
  • 28 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in the Cote d'Ivoire.

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 1522 180 1794 187
Bad bounces 125 71 481 285

The leading source of bad HELOs this week is (61 attempts), a machine with a terribly generic xo.net reverse DNS and a HELO that ended in .local. Everything else was under 50 attempts.

Bad bounces were sent to 105 different bad usersnames this week, with the most popular one being a tie between narcisogxqky and macqueen with 6 attempts each; SHOUGEE made a valiant try with 5 attempts. Other representative bad usernames include KimWhite, tinga188, sat-i, and Raffi187.

This week's most active single source is the informatively named host.vngt.vn; the one I find the most amusing, or perhaps the most apt, is bulk.resource.org. Other contributions came from ezweb.ne.jp, verizon.net, softbank.ne.jp, and to my displeasure, a number from Google.

Written on 15 September 2007.
« A thought on untyped languages
In praise of Python's Global Interpreter Lock »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Sep 15 23:37:35 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.