Weekly spam summary on September 22nd, 2007
This week, we:
- got 11,888 messages from 260 different IP addresses.
- handled 20,811 sessions from 1,729 different IP addresses.
- received 271,365 connections from at least 102,972 different IP addresses.
- hit a highwater of 9 connections being checked at once.
I'm pleased to see connection volume drop significantly from last week. This week's per-day statistics look almost normal, too:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 18.104.22.168 16851 809K 22.214.171.124/24 12063 724K onet.pl 126.96.36.199/23 9770 475K cox.net 188.8.131.52/24 7424 445K centrum.cz 184.108.40.206/27 6497 358K otcpicknews.com 220.127.116.11 5531 332K 18.104.22.168 5026 248K 22.214.171.124 4812 231K 126.96.36.199 4446 244K 188.8.131.52 3675 176K
Volume is once again down from last week. To make up for it, we have another top ten problem source subnet, in this case onet.l (specifically poczta.onet.pl).
- 184.108.40.206 is in the DSBL
- 220.127.116.11, 18.104.22.168, and 22.214.171.124 all kept trying to send us email with origin addresses that had already tripped our spamtraps.
- 126.96.36.199 is another tendril of the otcpicknews.com empire of unwanted email, and returns from February.
- 188.8.131.52 kept trying with a bad
Connection time rejection stats:
92546 total 48536 bad or no reverse DNS 38122 dynamic IP 3872 class bl-cbl 421 class bl-pbl 359 class bl-dsbl 156 qsnews.net 99 class bl-sdul 77 class bl-sbl 22 class bl-njabl
The highest source of SBL rejections this week was a tie: SBL48694 (returning from last week) and SBL30718 each had 13 rejections each. Third place goes to SBL53319 (a /20 listing from May 1st 2007), with 10 rejections.
Seven of the top 30 most rejected IP addresses were rejected 100 times
or more this week; the leader is 184.108.40.206 (510 rejections),
followed by 220.127.116.11 (482 rejections), 18.104.22.168
(389 rejections), and 22.214.171.124 (328 rejections). Eleven of the
top 30 are currently in the CBL, eight are currently in
twenty are in the PBL, and a grand total of twenty three are in
(Locally, 22 were rejected for bad or missing reverse DNS, 6 for being dynamic IP addresses, and 2 for being qsnews.net.)
This week, Hotmail had:
- no messages accepted.
- 1 message rejected because it came from a non-Hotmail email address.
- 48 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (one in SBL33955, which dates from 2005, one in SBL36952, which also more or less dates from 2005, one in the CBL, and one from saix.net).
I find it depressing that the two SBL listings above both have example Hotmail-based spam from back then. Almost two years and Hotmail still doesn't seem to give a damn.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading source of bad
HELOs this week was 126.96.36.199 (62
attempts), followed by 188.8.131.52 (61 attempts), 184.108.40.206 (58
attempts), and 220.127.116.11 and 18.104.22.168 (54 attempts each).
Interestingly, only the second tried a
.local name; one tried a
completely impossible name, but the other three tried plausible but
Bad bounces were sent to 268 different bad usernames this week,
with the most popular one being
SHOUGEE with 6 attempts. Other
representative bad usernames included
ElvisDixon; the targets
also included several real ex-users and
My pick for the most amusingly named source of bad bounces this week is
kryptonic.ch comes close.
Google continues to send us bad bounces, along with the other usual