Weekly spam summary on September 22nd, 2007

September 22, 2007

This week, we:

  • got 11,888 messages from 260 different IP addresses.
  • handled 20,811 sessions from 1,729 different IP addresses.
  • received 271,365 connections from at least 102,972 different IP addresses.
  • hit a highwater of 9 connections being checked at once.

I'm pleased to see connection volume drop significantly from last week. This week's per-day statistics look almost normal, too:

Day Connections different IPs
Sunday 46,483 +18,212
Monday 49,646 +17,650
Tuesday 34,683 +14,289
Wednesday 32,308 +13,475
Thursday 38,414 +13,308
Friday 38,751 +14,073
Saturday 31,080 +11,965

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
216.41.61.61          16851    809K
213.180.130.0/24      12063    724K onet.pl
68.230.240.0/23        9770    475K cox.net
213.29.7.0/24          7424    445K centrum.cz
206.123.109.0/27       6497    358K otcpicknews.com
89.18.190.60           5531    332K
195.112.224.80         5026    248K
216.185.19.4           4812    231K
72.249.13.83           4446    244K
193.77.153.1           3675    176K

Volume is once again down from last week. To make up for it, we have another top ten problem source subnet, in this case onet.l (specifically poczta.onet.pl).

  • 216.41.61.61 is in the DSBL
  • 89.18.190.60, 195.112.224.80, and 216.185.19.4 all kept trying to send us email with origin addresses that had already tripped our spamtraps.
  • 72.249.13.83 is another tendril of the otcpicknews.com empire of unwanted email, and returns from February.
  • 193.77.153.1 kept trying with a bad HELO.

Connection time rejection stats:

  92546 total
  48536 bad or no reverse DNS
  38122 dynamic IP
   3872 class bl-cbl
    421 class bl-pbl
    359 class bl-dsbl
    156 qsnews.net
     99 class bl-sdul
     77 class bl-sbl
     22 class bl-njabl

The highest source of SBL rejections this week was a tie: SBL48694 (returning from last week) and SBL30718 each had 13 rejections each. Third place goes to SBL53319 (a /20 listing from May 1st 2007), with 10 rejections.

Seven of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 210.56.124.250 (510 rejections), followed by 121.148.227.160 (482 rejections), 200.107.150.182 (389 rejections), and 210.56.127.222 (328 rejections). Eleven of the top 30 are currently in the CBL, eight are currently in bl.spamcop.net, twenty are in the PBL, and a grand total of twenty three are in zen.spamhaus.org.

(Locally, 22 were rejected for bad or missing reverse DNS, 6 for being dynamic IP addresses, and 2 for being qsnews.net.)

This week, Hotmail had:

  • no messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address.
  • 48 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (one in SBL33955, which dates from 2005, one in SBL36952, which also more or less dates from 2005, one in the CBL, and one from saix.net).

I find it depressing that the two SBL listings above both have example Hotmail-based spam from back then. Almost two years and Hotmail still doesn't seem to give a damn.

And the final numbers:

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 1379 190 1522 180
Bad bounces 287 200 125 71

The leading source of bad HELOs this week was 64.61.89.186 (62 attempts), followed by 64.66.69.182 (61 attempts), 202.64.146.28 (58 attempts), and 64.207.89.21 and 195.172.133.158 (54 attempts each). Interestingly, only the second tried a .local name; one tried a completely impossible name, but the other three tried plausible but nonexistent ones.

Bad bounces were sent to 268 different bad usernames this week, with the most popular one being SHOUGEE with 6 attempts. Other representative bad usernames included oiwzy, kato-ru, golf1992, kakada_Piotrowski, and ElvisDixon; the targets also included several real ex-users and noreply.

My pick for the most amusingly named source of bad bounces this week is littleboy.regenology.co.uk, although kryptonic.ch comes close. Google continues to send us bad bounces, along with the other usual suspects.

Written on 22 September 2007.
« An interesting bind(2) failure
Names are not cheap »

Page tools: View Source.
Search:
Login: Password:

Last modified: Sat Sep 22 23:44:46 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.