Weekly spam summary on October 13th, 2007

October 13, 2007

This week, we:

  • got 11,905 messages from 252 different IP addresses.
  • handled 27,710 sessions from 2,367 different IP addresses.
  • received 342,122 connections from at least 124,401 different IP addresses.
  • hit a highwater of 36 connections being checked at once.

Connection volume seems up a bit from last week, although it's hard to be entirely sure. Session volume is definitely up, pretty much to the level it was two weeks ago.

Day          Connections   different IPs
Sunday            52,106         +22,241
Monday            72,645         +27,772
Tuesday           47,247         +16,403
Wednesday         33,365         +13,620
Thursday          52,521         +21,076
Friday            48,166         +12,650
Saturday          36,072         +10,639

It's interesting that this seems to vary all over the map from day to day, and it amuses me that Wednesday, for long the most active day, is the least active day this week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.180.130.0/24      22255   1335K onet.pl
72.249.13.64/26       14924    819K otcpicknews.com
68.230.240.0/23       12994    631K cox.net
213.4.149.241         10710    571K
218.0.0.0/11           8620    419K CHINANET
68.99.120.0/24         8496    400K coxmail.net
204.127.225.0/24       6321    405K comcast.net
206.18.177.0/24        6146    393K comcast.net
213.29.7.0/24          5579    335K centrum.cz
209.51.135.180         5141    282K

Volume is down a bit from last week, but not really significantly, and once again almost all of the top 10 are netblocks.

  • 213.4.149.241 kept trying with bad HELOs; we saw it before in August.
  • 209.51.135.180 kept trying to send us mail with an origin address that had already tripped our spamtraps.

Connection time rejection stats:

 111794 total
  54499 bad or no reverse DNS
  47536 dynamic IP
   5567 class bl-cbl
    973 class bl-pbl
    458 class bl-dsbl
    317 qsnews.net
    296 class bl-sbl
    280 class bl-sdul
    149 class bl-njabl
    129 dartmail.net
    125 acceleratebiz.com

The highest source of SBL rejections this week is SBL56712 with 94 rejections (a /28 listed as a spam source for power-cl1cks.com, listed in July), followed by SBL59518 with 79 rejections (a /24 also for 'power-cl1cks2.com'), and SBL58952 with 33 rejections (a /27 from September, 'spwu10.net'). I've seen other spwu10.net machines crop up from 74.223.112.0/22, so I think it and them are going into our overall blocklists.

(A modest suggestion to people: do not give your domains sequence numbers. It does not really look good.)

Eight of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 200.186.145.197 (1,259 rejections), followed by 200.177.119.109 (388 rejections). Oddly enough, none of the top 30 appear to be showing up on any of the popular DNS blocklists this week; this seems implausible, which means that something is broken somewhere.

(Locally, 16 were rejected for being dynamic IP addresses, 11 for having bad or missing reverse DNS, 2 for being qsnews.net, and 1 for being qsc.de.)
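When every heavy hitter comes back "not listed", the first thing to rule out is the lookup path itself. The following is an added example, not code from this post: it builds the reversed-octet DNSBL query name, filters answers to the 127/8 codes a list actually returns, and runs the RFC 5782 sanity check (127.0.0.2 must always be listed, 127.0.0.1 never). The zone bl.example.test, the resolver callable, and the listings in the fake resolver are all constructed for offline use.

```python
import ipaddress
from typing import Callable, Dict, Set

# Hypothetical resolver type: given a DNS name, return the set of A-record
# strings it resolves to (empty set on NXDOMAIN). Real code would wrap
# socket.getaddrinfo or a DNS library; an offline stand-in is used below.
Resolver = Callable[[str], Set[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the list zone."""
    addr = ipaddress.IPv4Address(ip)  # raises on malformed or IPv6 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return reversed_octets + "." + zone.rstrip(".") + "."


def dnsbl_lookup(ip: str, zone: str, resolve: Resolver) -> Set[str]:
    """Return the 127.0.0.x answer codes for ip in zone (empty = not listed)."""
    answers = resolve(dnsbl_query_name(ip, zone))
    # Only 127/8 answers are genuine hits; anything else points at a
    # wildcarded or expired zone or a resolver that is rewriting NXDOMAIN.
    return {a for a in answers if a.startswith("127.")}


def dnsbl_healthy(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 sanity check: 127.0.0.2 listed, 127.0.0.1 not listed.

    A week in which none of the top rejected IPs appears in any list is
    exactly the symptom this catches: lookups silently returning nothing.
    """
    test_listed = bool(dnsbl_lookup("127.0.0.2", zone, resolve))
    never_listed = not dnsbl_lookup("127.0.0.1", zone, resolve)
    return test_listed and never_listed


# --- constructed offline resolver: a fake zone with made-up listings ---
FAKE_ZONE = "bl.example.test"
_FAKE_ANSWERS: Dict[str, Set[str]] = {
    "2.0.0.127.bl.example.test.": {"127.0.0.2"},        # mandatory test entry
    "197.145.186.200.bl.example.test.": {"127.0.0.2"},  # constructed listing
}


def fake_resolve(name: str) -> Set[str]:
    return set(_FAKE_ANSWERS.get(name, set()))


def broken_resolve(name: str) -> Set[str]:
    """Answers nothing at all, mimicking a silently broken lookup path."""
    return set()
```

Run dnsbl_healthy against each real zone you consult before trusting a weekly "none listed" result; a zone that fails it should be treated as unavailable, not as a clean bill of health.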

This week, Hotmail had:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 49 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (one in the CBL, one from Nigeria, one from Ghana, and one from saix.net aka telkom.co.za).

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs      6739 (363)                   1751 (270)
Bad bounces     669 (553)                    114 (78)

The leading source of bad HELOs this week was 208.223.173.169 (243 attempts), followed by 202.155.205.242 (123 attempts), and 216.157.197.66 (91 attempts). There are a lot of people with relatively high counts (above 50 attempts), which is not really surprising given the stats.

Bad bounces were sent to 650 different bad usernames this week, with the most popular one being Jayce_Pirani with 5 attempts, followed by HoratioClemens with 4 attempts and MaxwellFocke and last week's winner SHOUGEE with 3 attempts each. There was one attempt to the all-number bad username 405 and one to "Gresham," (sic), and some to ex-users, but with 650 of them I'm not going to study them carefully enough to draw real conclusions.

Written on 13 October 2007.

Last modified: Sat Oct 13 23:50:57 2007