It's time for the first weekly spam summary of the new year, so let's see what sort of a start 2006 is off to.

This week we received 14,639 email messages from 198 different IP addresses. Our SMTP server handled 30,023 sessions from 3,122 different IP addresses. Message volume is up some since last week (not surprising with people coming back to work) and session volume is holding steady.

Connection volume is down from last week: 201,000 connections from at least 58,500 different IP addresses, although with a highwater of 20 connections being checked at once. By day we get:

Day	Connections	different IPs
Sunday	28,000	+8,400
Monday	32,000	+11,060
Tuesday	30,650	+10,530
Wednesday	29,480	+7,860
Thursday	35,980	+7,530
Friday	22,540	+6,990
Saturday	22,190	+6,130

I have no explanation for the day to day numbers, although we do have the traditional Thursday jump. It's wierd to see the different IP address count spike so sharply without a connection spike to go with it.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
202.157.144.3         17983   1079K
168.215.140.35        12414    745K
68.124.27.170         10004    509K
213.4.149.69           9387    411K
63.167.16.2            8249    396K
62.34.238.215          6840    356K
67.187.49.104          6579    335K
66.59.250.33           6449    297K
218.102.53.0/24        5956    275K
207.202.183.104        5454    251K

• only 213.4.149.69 reappears from before, still without a good IP to name mapping.
• 202.157.144.3 is also without good IP to name mapping.
• 168.215.140.35, 62.34.238.215, and 67.187.49.104 are all considered 'dialup' dynamic address machines.
• 68.124.27.170 is a PacBell DSL machine that kept trying to send us mail from an address that had hit our spamtraps.
• 63.167.16.2, 66.59.250.33, and 207.202.183.104 had unresolvable HELO names.

Connection time rejection stats:

  36555 total
  18969 dynamic IP
  10916 bad or no reverse DNS
   4114 class bl-cbl
    528 class bl-spews
    467 class bl-sbl
    310 class bl-dsbl
    272 class bl-sdul
     52 class bl-ordb
     30 class bl-njabl
     14 class bl-opm

Given the overall volume drop from last week, I think that these stats are not particularly surprising. There are no really aggressive single IP addresses, and the CBL doesn't stand out as much as it did last week; only 7 of the top 30 most connecting IP addresses are on it.

what	# this week	(distinct IPs)	# last week	(distinct IPs)
Bad HELOs	8120	406	12700	578
Bad bounces	4349	1629	4196	1123

It looks like we're still getting forged as the MAIL FROM origin by spammers.

The Hotmail spammers seem to have ended their holidays too, judging from the Hotmail stats for this week:

• 2 emails accepted, one of which was a backscatter bounce.
• 275 messages rejected because they came from non-Hotmail email addresses.
• 62 messages sent to our spamtraps.
• 4 messages refused because their sender addresses had already hit our spamtraps.
• 5 messages refused due to their origin IP address (four for being in the SBL, one for being in the CBL).

This is broadly consistent with the volume from the week before last. So much for any hope that Hotmail was doing something to deal with their spam problem over the Christmas to New Years break.

(In fact they were doing something last week: they were making it more difficult to report spam to Hotmail. Now you have to use report_spam@hotmail.com instead of abuse@hotmail.com if you want them to take any action, or so their autoreply now says.)