Weekly spam summary on September 22nd, 2007
This week, we:
- got 11,888 messages from 260 different IP addresses.
- handled 20,811 sessions from 1,729 different IP addresses.
- received 271,365 connections from at least 102,972 different IP addresses.
- hit a highwater of 9 connections being checked at once.
I'm pleased to see connection volume drop significantly from last week. This week's per-day statistics look almost normal, too:
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 188.8.131.52 16851 809K 184.108.40.206/24 12063 724K onet.pl 220.127.116.11/23 9770 475K cox.net 18.104.22.168/24 7424 445K centrum.cz 22.214.171.124/27 6497 358K otcpicknews.com 126.96.36.199 5531 332K 188.8.131.52 5026 248K 184.108.40.206 4812 231K 220.127.116.11 4446 244K 18.104.22.168 3675 176K
Volume is once again down from last week. To make up for it, we have another top ten problem source subnet, in this case onet.l (specifically poczta.onet.pl).
- 22.214.171.124 is in the DSBL
- 126.96.36.199, 188.8.131.52, and 184.108.40.206 all kept trying to send us email with origin addresses that had already tripped our spamtraps.
- 220.127.116.11 is another tendril of the otcpicknews.com empire of unwanted email, and returns from February.
- 18.104.22.168 kept trying with a bad
Connection time rejection stats:
92546 total 48536 bad or no reverse DNS 38122 dynamic IP 3872 class bl-cbl 421 class bl-pbl 359 class bl-dsbl 156 qsnews.net 99 class bl-sdul 77 class bl-sbl 22 class bl-njabl
The highest source of SBL rejections this week was a tie: SBL48694 (returning from last week) and SBL30718 each had 13 rejections each. Third place goes to SBL53319 (a /20 listing from May 1st 2007), with 10 rejections.
Seven of the top 30 most rejected IP addresses were rejected 100 times
or more this week; the leader is 22.214.171.124 (510 rejections),
followed by 126.96.36.199 (482 rejections), 188.8.131.52
(389 rejections), and 184.108.40.206 (328 rejections). Eleven of the
top 30 are currently in the CBL, eight are currently in
twenty are in the PBL, and a grand total of twenty three are in
(Locally, 22 were rejected for bad or missing reverse DNS, 6 for being dynamic IP addresses, and 2 for being qsnews.net.)
This week, Hotmail had:
- no messages accepted.
- 1 message rejected because it came from a non-Hotmail email address.
- 48 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (one in SBL33955, which dates from 2005, one in SBL36952, which also more or less dates from 2005, one in the CBL, and one from saix.net).
I find it depressing that the two SBL listings above both have example Hotmail-based spam from back then. Almost two years and Hotmail still doesn't seem to give a damn.
And the final numbers:
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
The leading source of bad
HELOs this week was 220.127.116.11 (62
attempts), followed by 18.104.22.168 (61 attempts), 22.214.171.124 (58
attempts), and 126.96.36.199 and 188.8.131.52 (54 attempts each).
Interestingly, only the second tried a
.local name; one tried a
completely impossible name, but the other three tried plausible but
Bad bounces were sent to 268 different bad usernames this week,
with the most popular one being
SHOUGEE with 6 attempts. Other
representative bad usernames included
ElvisDixon; the targets
also included several real ex-users and
My pick for the most amusingly named source of bad bounces this week is
kryptonic.ch comes close.
Google continues to send us bad bounces, along with the other usual