== Weekly spam summary on August 27th, 2005

The overall SMTP connection rate is up from [[last week|SpamSummary-2005-08-20]], as we hit 213,000 SMTP connections from at least 36,000 different IP addresses. The SMTP frontend hit a new highwater of 22 simultaneous connections being checked at once. It's possible that a lot of this is from spammers forging our domains as the _MAIL FROM_ of their spams.

Top 10 kernel level SMTP rejections:

 Host/Mask           Packets   Bytes
 213.4.149.11          16370    736K [dns]
 150.101.192.222       12959    660K [trap]
 212.216.176.0/24      10593    553K
 202.96.0.0/12          6472    311K
 161.58.153.168         5752    284K [trap]
 206.169.79.2           4621    222K [dyn]
 61.128.0.0/10          4219    211K
 64.105.41.16           4127    198K [dyn]
 201.224.247.45         4049    206K [dns]
 192.131.97.33          3706    163K [helo]

| Code | Explanation
| _[dns]_ | Bad or missing reverse DNS
| _[dyn]_ | Apparent dynamic IP address
| _[helo]_ | Bad SMTP _HELO_ greeting
| _[trap]_ | Sent mail to a spamtrap

Clearly we've had some very persistent callers this week; however, most of the individual machines are new on the list (the only exception is 213.4.149.11, appearing in [[SpamSummary-2005-07-23]]).

Connection-time rejection stats:

  27462 total
  13178 dynamic IP
   7721 bad or no reverse DNS
   1668 class bl-cbl
   1195 class bl-spews
   1032 class bl-sbl
    880 class bl-dsbl
    775 class bl-ordb
    189 class bl-sdul
     83 class bl-njabl
     27 class bl-opm

SBL-based rejections are up significantly, and break down like this for the top five:

| Rejections | SBL listing
| 617 | [[SBL20671|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL20671]]
| 98 | [[SBL27384|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL27384]]
| 62 | [[SBL20539|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL20539]]
| 38 | [[SBL23039|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL23039]]
| 23 | [[SBL29615|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL29615]]

[[SBL20671]] is a /19 ROKSO listing for OC3 Networks.
[[SBL27384]] is an _aruba.it_ IP address listed for hosting a 'phish' site that tried to send us a bunch of email. [[SBL29615]] is 216.250.209.9, _www.portafree.com_, listed as an Advance Fee Fraud source. (There is [[a lesson here|WebmailBadSources]] for people running free email services, but they clearly keep on not learning.)

SPEWS rejections have no specific bad source, although 65.209.157.32 kept retrying a lot (it looks like it's a Microsoft mailer, and those tend to do that in my experience). Big SPEWS contributions came from _mail.uk.tiscali.com_ and _seamail.go.com_, both of which are widely abused free email services that I am not sorry to see rejected. _wanadoo.co.uk_ also got into the act.

(I am seriously considering specific connection-time rejections for all of the widely abused free email providers that I don't want to bother talking to. It would probably make these reports more streamlined and it might get the message through to their operators. Or at least any real users trying to email our users.)

Bad HELOs and SMTP bounces to nonexistent local addresses are up quite a lot over last week. The numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 21143 | 831 | 4888 | 409
| Bad bounces | 6722 | 3282 | 2099 | 817

Much of the increase in the bad _HELO_ count is due to various people retrying much more often. The drastic increase in the number of distinct IP addresses sending us bad bounces suggests that our domains are being forged more by spammers again.