Weekly spam summary on September 29th, 2007

September 30, 2007

This week, we:

  • got 11,909 messages from 265 different IP addresses.
  • handled 26,934 sessions from 2,995 different IP addresses.
  • received 297,885 connections from at least 101,029 different IP addresses.
  • hit a highwater of 16 connections being checked at once.

Volume is a bit up from last week. Looking at the numbers I am reminded of how striking the number of different IP addresses is; the average connection source made less than three connections to us, where the average session source made nine connections (and the average mail source probably did even better, since that is an average of about 44 messages per IP).

Day          Connections   different IPs
Sunday            40,875         +14,708
Monday            39,537         +16,197
Tuesday           38,779         +14,952
Wednesday         59,611         +17,304
Thursday          49,560         +14,939
Friday            37,500         +10,877
Saturday          32,023         +12,052

Apparently the spammers are back to abusing us on Wednesdays.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
72.249.13.64/26       19977   1096K otcpicknews.com
213.180.130.0/24      17928   1076K onet.pl
89.18.190.60          13567    814K
68.168.78.0/24        11478    551K adelphia.net
213.29.7.0/24         10808    648K centrum.cz
66.15.119.165          9019    422K
68.230.240.0/23        8400    408K cox.net
139.55.101.14          8287    421K
202.5.93.20            8082    388K
212.170.236.211        6257    375K

Volume is significantly up from last week.

  • 89.18.190.60 returns from last week.
  • 66.15.119.165 kept trying to send us bad HELOs and returns from a previous appearance in February.
  • 139.55.101.14 is something we consider a dynamic IP.
  • 202.5.93.20 is an APNIC IP address with broken reverse DNS.
  • 212.170.236.211 kept trying with a bad HELO.

(It warms the black cockles of my heart to see that throwing otcpicknews.com's other netblock straight into our kernel filters was absolutely the right thing to do.)

Connection time rejection stats:

  83117 total
  41427 bad or no reverse DNS
  35442 dynamic IP
   4001 class bl-cbl
    332 class bl-dsbl
    291 acceleratebiz.com
    261 class bl-pbl
    255 class bl-sdul
    188 class bl-sbl
    125 qsnews.net
     86 class bl-njabl
     42 officepubs.com
     24 verticalresponse.com

Perversely, volume is down here compared to last week. The highest source of SBL rejections this week was SBL58952 with 66 rejections (a recent listing for a spam source), followed by last week's leading contents of SBL53319 with 25 rejections and SBL48694 with 23 rejections. (Better luck next time, you two! Oh wait, what am I saying? Please drop off the Internet.)

Seventeen of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 124.157.174.227 (1,412 rejections), followed by 203.134.218.225 (1,375 rejections) and 61.7.132.40 (301 rejections). Five are currently in the CBL, two are currently in bl.spamcop.net, six are currently in the PBL, and a grand total of (only) eight are in zen.spamhaus.org. I don't know why these numbers are so low.

(Locally, 20 were rejected for bad or missing reverse DNS, 8 for being dynamic IP addresses, one for being in the NJABL, one for being in the DSBL. Two of those have since changed their status and would not be blocked now.)
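As an added illustration that is not part of the original post or its mail system: the two kinds of figures above (rejections broken down by reason, and the most-rejected source IPs with a "rejected 100 times or more" count) are the sort of thing a short script can derive from a reject log. The log line format and the sample lines below are constructed for this example and are not the real log format used by the post's server.

```python
import re
from collections import Counter

# Constructed sample reject log. This line format is an assumption made for
# the example; it is not the original post's (or Exim's) real log format.
SAMPLE_LOG = """\
2007-09-23 03:14:07 reject 124.157.174.227 dynamic IP
2007-09-23 03:14:09 reject 124.157.174.227 dynamic IP
2007-09-23 03:20:00 reject 124.157.174.227 dynamic IP
2007-09-23 04:02:11 reject 203.134.218.225 bad or no reverse DNS
2007-09-23 04:02:12 reject 203.134.218.225 bad or no reverse DNS
2007-09-23 05:11:40 reject 61.7.132.40 class bl-cbl
2007-09-23 05:11:41 reject 192.0.2.10 class bl-pbl
2007-09-23 06:00:00 accept 198.51.100.7 -
2007-09-23 07:30:22 reject 192.0.2.10 class bl-cbl
malformed line that should be skipped
"""

# date time verdict ip reason...   (reason may contain spaces)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<verdict>reject|accept) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<reason>.+)$"
)


def parse_line(line):
    """Return (verdict, ip, reason) for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("verdict"), m.group("ip"), m.group("reason").strip()


def summarize(log_text):
    """Count rejections by reason and by source IP; accepted and malformed lines are ignored."""
    by_reason = Counter()
    by_ip = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] != "reject":
            continue
        _, ip, reason = parsed
        by_reason[reason] += 1
        by_ip[ip] += 1
    return by_reason, by_ip


def rejection_table(by_reason):
    """Render the 'count reason' block: total first, then reasons largest first."""
    total = sum(by_reason.values())
    rows = [("total", total)] + sorted(by_reason.items(), key=lambda kv: (-kv[1], kv[0]))
    width = len(str(total))
    return "\n".join(f"{count:>{width}} {reason}" for reason, count in rows)


def heavy_hitters(by_ip, top_n=30, threshold=100):
    """How many of the top_n most-rejected IPs were rejected at least threshold times."""
    return sum(1 for _, count in by_ip.most_common(top_n) if count >= threshold)


if __name__ == "__main__":
    reasons, ips = summarize(SAMPLE_LOG)
    print(rejection_table(reasons))
    print("distinct rejected IPs:", len(ips))
    for ip, count in ips.most_common(3):
        print(f"{ip} ({count} rejections)")
    print("top-30 IPs rejected >= 2 times:", heavy_hitters(ips, threshold=2))
```

The same aggregation applied to a week of real reject logs gives the per-reason block and the "top 30" figures directly; checking which of those IPs are currently in a given DNSBL is a separate, network-dependent lookup and is deliberately left out here.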

This week, Hotmail had:

  • 4 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 27 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being from the Cote d'Ivoire.

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs     5489 (399)                   1379 (190)
Bad bounces   1521 (1115)                   287 (200)

Ah. Well. That would explain a certain amount of everything; we seem to have been forged as a spam origin in a big way, judging by how these numbers have jumped so dramatically. The leading source of bad HELOs this week was 64.109.69.81 (218 attempts), followed by 84.12.142.111 (89 attempts), 202.134.71.85 (83 attempts), and then a lot more.

Bad bounces were sent to 1,421 different bad usernames this week, with the most popular one being grabes with 19 attempts, followed by NortonPinero with 10. SHOUGEE returns from last week with 3 attempts, mixed in with all sorts of others that I am not going to try to pick through, including ex-users.

My pick for the most ironic source of bad bounces this week has to be AntiSpam.Awesome.net. (No and no, respectively.)

Written on 30 September 2007.
Last modified: Sun Sep 30 00:12:18 2007