Weekly spam summary on September 22nd, 2007
This week, we:
- got 11,888 messages from 260 different IP addresses.
- handled 20,811 sessions from 1,729 different IP addresses.
- received 271,365 connections from at least 102,972 different IP addresses.
- hit a highwater of 9 connections being checked at once.
I'm pleased to see connection volume drop significantly from last week. This week's per-day statistics look almost normal, too:
Day | Connections | different IPs |
Sunday | 46,483 | +18,212 |
Monday | 49,646 | +17,650 |
Tuesday | 34,683 | +14,289 |
Wednesday | 32,308 | +13,475 |
Thursday | 38,414 | +13,308 |
Friday | 38,751 | +14,073 |
Saturday | 31,080 | +11,965 |
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 216.41.61.61 16851 809K 213.180.130.0/24 12063 724K onet.pl 68.230.240.0/23 9770 475K cox.net 213.29.7.0/24 7424 445K centrum.cz 206.123.109.0/27 6497 358K otcpicknews.com 89.18.190.60 5531 332K 195.112.224.80 5026 248K 216.185.19.4 4812 231K 72.249.13.83 4446 244K 193.77.153.1 3675 176K
Volume is once again down from last week. To make up for it, we have another top ten problem source subnet, in this case onet.l (specifically poczta.onet.pl).
- 216.41.61.61 is in the DSBL
- 89.18.190.60, 195.112.224.80, and 216.185.19.4 all kept trying to send us email with origin addresses that had already tripped our spamtraps.
- 72.249.13.83 is another tendril of the otcpicknews.com empire of unwanted email, and returns from February.
- 193.77.153.1 kept trying with a bad
HELO
.
Connection time rejection stats:
92546 total 48536 bad or no reverse DNS 38122 dynamic IP 3872 class bl-cbl 421 class bl-pbl 359 class bl-dsbl 156 qsnews.net 99 class bl-sdul 77 class bl-sbl 22 class bl-njabl
The highest source of SBL rejections this week was a tie: SBL48694 (returning from last week) and SBL30718 each had 13 rejections each. Third place goes to SBL53319 (a /20 listing from May 1st 2007), with 10 rejections.
Seven of the top 30 most rejected IP addresses were rejected 100 times
or more this week; the leader is 210.56.124.250 (510 rejections),
followed by 121.148.227.160 (482 rejections), 200.107.150.182
(389 rejections), and 210.56.127.222 (328 rejections). Eleven of the
top 30 are currently in the CBL, eight are currently in bl.spamcop.net
,
twenty are in the PBL, and a grand total of twenty three are in
zen.spamhaus.org.
(Locally, 22 were rejected for bad or missing reverse DNS, 6 for being dynamic IP addresses, and 2 for being qsnews.net.)
This week, Hotmail had:
- no messages accepted.
- 1 message rejected because it came from a non-Hotmail email address.
- 48 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (one in SBL33955, which dates from 2005, one in SBL36952, which also more or less dates from 2005, one in the CBL, and one from saix.net).
I find it depressing that the two SBL listings above both have example Hotmail-based spam from back then. Almost two years and Hotmail still doesn't seem to give a damn.
And the final numbers:
what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELO s |
1379 | 190 | 1522 | 180 |
Bad bounces | 287 | 200 | 125 | 71 |
The leading source of bad HELO
s this week was 64.61.89.186 (62
attempts), followed by 64.66.69.182 (61 attempts), 202.64.146.28 (58
attempts), and 64.207.89.21 and 195.172.133.158 (54 attempts each).
Interestingly, only the second tried a .local
name; one tried a
completely impossible name, but the other three tried plausible but
nonexistent ones.
Bad bounces were sent to 268 different bad usernames this week,
with the most popular one being SHOUGEE
with 6 attempts. Other
representative bad usernames included oiwzy
, kato-ru
,
golf1992
, kakada_Piotrowski
, and ElvisDixon
; the targets
also included several real ex-users and noreply
.
My pick for the most amusingly named source of bad bounces this week is
littleboy.regenology.co.uk
, although kryptonic.ch
comes close.
Google continues to send us bad bounces, along with the other usual
suspects.
|
|