Hotmail has been startlingly quiet this week. The numbers:

• One message accepted.
• 24 messages rejected because they came from non-Hotmail email addresses.
• 68 messages sent to our spamtraps.
• 23 messages refused because their sender addresses had already hit our spamtraps.
• 10 messages refused due to their origin IP address (two in the SBL, one in the CBL, and then the rest from an assortment of places we pretty much don't talk to any more).

Hotmail may actually be dealing with its spam problems. Or this week might be an anomaly; I expect I'll be dubious about Hotmail for quite a while.

The basic stats:

• got 14,062 messages from 224 different IP addresses.
• handled 27,174 sessions from 1,771 different IP addresses.
• received 161,000 connections from at least 53,153 different IP addresses.
• a highwater of 16 connections being checked at once.

The session and connection volume is up from last week. Connection volume fluctuates significantly during the week:

Day	Connections	different IPs
Sunday	18,588	+8,532
Monday	22,867	+9,203
Tuesday	21,045	+7,389
Wednesday	23,197	+6,951
Thursday	35,896	+7,632
Friday	23,177	+7,674
Saturday	16,074	+5,772

(Unfortunately, Thursday's numbers may be because of something I did that day. It seems I really should automate more things.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
212.216.176.0/24       5455    276K
61.128.0.0/10          5218    272K
220.160.0.0/11         2820    142K
209.11.168.39          2692    133K
69.105.51.114          2561    120K
218.0.0.0/11           2396    121K
219.128.0.0/12         2133    109K
221.216.0.0/13         2000    100K
69.212.116.115         1948   91074
24.248.0.70            1906   89108

This week is even quieter than last week, plus has a lot more Chinese netblocks making the list (although tin.it earned top place). Of the rest:

• 209.11.168.39 and 69.105.51.114 reappear from last week.
• 69.212.116.115 kept trying to feed us an unresolvable HELO name.
• 24.248.0.70 is a cox.net cablemodem customer with a 'dialup' reverse DNS.

Connection time rejection stats:

  31235 total
  15286 dynamic IP
  10452 bad or no reverse DNS
   3413 class bl-cbl
    403 class bl-sbl
    335 class bl-dsbl
    331 class bl-spews
    114 class bl-sdul
     51 class bl-ordb
     37 class bl-njabl
     11 class bl-opm

This was a big week for hammering on the frontend; 22 IP addresses were refused 100 times or more, with the winner being 202.57.119.43 at 364 connections refused for having no reverse DNS. This week marks a record, with none of the top 30 refused IPs being in the CBL; three are in the SBL (209.9.147.162 and 209.9.147.173 in SBL37385, and 203.177.14.234 in SBL34872).

In other trivial, 65.109.239.171 aka tucksprofessionalservices.com is still trying to spam us. Better luck next incarnation; you've blown this one.

Other stats:

what	# this week	(distinct IPs)	# last week	(distinct IPs)
Bad HELOs	8422	248	357	36
Bad bounces	814	557	87	55

Oh look; massively up compared to the past couple of weeks. I guess spammers are forging us as the MAIL FROM again. 34 different IP addresses tried bad HELOs a hundred times or more; the really big ones are 69.105.51.114 (367 times), 63.105.86.51 (269 times), and 67.77.182.186 (237 times).