Our SMTP frontend survived all this week without problems, which was something of an accomplishment this week. Because this week, we:

• got 13,546 messages from 227 different IP addresses.
• handled 19,984 sessions from 1,283 different IP addresses.
• received 1,419,542 connections from at least 52,806 different IP addresses.
• hit a highwater of 9 connections being checked at once.

Yes, that is not a typo; this week we had a lot of SMTP connections, although none of the other numbers are up much compared to last week. It's not a continuation of the spam storm from last Saturday either, as the per-day numbers show:

Day	Connections	different IPs
Sunday	20,593	+7,285
Monday	23,676	+7,944
Tuesday	28,816	+9,029
Wednesday	252,349	+7,809
Thursday	712,787	+8,161
Friday	364,505	+7,540
Saturday	16,816	+5,038

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          10704    557K
216.64.54.146          4490    216K
61.128.0.0/10          3609    190K
218.0.0.0/11           2976    145K
204.13.82.45           2405    144K
212.216.176.0/24       2367    119K
219.128.0.0/12         2330    116K
217.224.0.0/13         2226    107K
66.112.87.66           2215    106K
212.175.13.129         2114    127K

The overall volume is down from last week, with only one entry really sticking out.

• 213.4.149.12 returns from last week and many prior weeks.
• 216.64.54.146, 66.112.87.66, and 212.175.13.129 had bad HELO greetings.
• 204.13.82.45 is 'mailout45.inetekk.com'. We have had prior dealings with inetekk that make us disinclined to ever accept email from them again.

Connection time rejection stats:

  38665 total
  18228 dynamic IP
  15060 bad or no reverse DNS
   2176 class bl-cbl
   1381 class bl-sbl
    547 class bl-dsbl
    280 class bl-njabl
    251 class bl-sdul
    159 class bl-spews
     84 class bl-ordb

Oddly, despite the huge connection volume there is no real growth in these stats compared to last week. I don't have any explanation for this.

Six of the top 30 most rejected IP addresses were rejected 100 times or more, with the leader being 200.216.54.234 (197 times, rejected for having no reverse DNS). 15 of the top 30 are currently in the CBL, six are currently in bl.spamcop.net, and two are in the SBL.

Somewhat to my surprise only one of those two is our non-friends at Cutting Edge Media (this week reporting in from 208.32.133.155). The other is 213.154.92.143, which is part of SBL21128, which is a /23 listing that is (to quote the listing) '419 scam sources in Senegal'. For extra displeasure, this listing was created November 14th, 2004.

Hotmail's stats this week are an improvement over last week:

• 1 message accepted.
• 1 message rejected because it came from a non-Hotmail email address; it was pretty certain to have been advance fee fraud spam.
• 25 messages sent to our spamtraps.
• 2 messages refused because their sender addresses had already hit our spamtraps.
• 2 messages refused due to their origin IP address (one for being in the CBL, one for being from Cote d'Ivoire).

And the final numbers:

what	# this week	(distinct IPs)	# last week	(distinct IPs)
Bad HELOs	2258	140	1557	110
Bad bounces	263	233	323	285

There were four people who sent 100 or more bad HELOs before being blocked, but the volume seems to be more or less fairly distributed; there are no single runaway sources.

The most popular bad username to send stuff to continues to be 'noreply', which perhaps shouldn't be surprising. In aggregate, the most popular bounce destination is random alphabetic strings, each one used only one time.