Weekly spam summary on September 10th, 2005

September 11, 2005

Overall connections are up from last week: 239,000 SMTP connections from 39,000 different IP addresses. The SMTP frontend's high-water mark is up again, hitting 29 simultaneous connections.

Top 10 kernel level SMTP rejections:

Host/Mask           Packets   Bytes
213.4.149.11          13913    638K
192.35.251.3          13025    625K
212.216.176.0/24       8955    448K
208.136.201.43         7584    364K
202.96.0.0/12          6232    313K
65.90.203.102          5927    356K
218.102.53.0/24        5530    256K
213.29.7.174           5461    328K
67.32.131.231          5279    253K
212.44.241.24          5153    309K

65.90.203.102 turns out to be a mistake, due to an old listing for Broadwing dialup/dynamic address space that is clearly no longer valid. We probably have other now-invalid rejection rules, but they're hard to find and I don't have enough time and energy to systematically recheck things.

(Much of our dynamic IP address blocking is based on hostname patterns, which is hopefully less prone to rotting over time.)

Of the rest:

  • 213.4.149.11, mx.terra.es, is a frequent top-10 listing; it was blocked for its usual rapid spew of invalid HELO names.
  • 192.35.251.3, netfence.spss.com, is also a repeat offender for bad HELO names.
  • 218.102.53.0/24 is Netvigator's mail servers, which we haven't been willing to talk to for years anyway.
  • 213.29.7.174, mail1002.centrum.cz, appeared before in IPReject-2005-06-18. They're still in dnsbl.njabl.org, and checking their listing I see they've been there since May 26th, 2005, due to spewing out advance fee fraud spam. We have had all centrum.cz mail machines banned from our mailer for some time for the same reason.

Connection-time rejection stats:

  27106 total
  12298 dynamic IP
   8595 bad or no reverse DNS
   1783 class bl-cbl
   1563 class bl-sbl
   1068 class bl-spews
    581 class bl-dsbl
    300 class bl-ordb
    188 class bl-njabl
     69 class bl-sdul
     11 class bl-opm

The big jump in SBL hits is due to 1,131 hits from SBL20671, the Spamhaus ROKSO listing for 72.11.128.0/19, 'OC3 Networks - Ilan Mishan'. In turn this was all due to 72.11.156.0/24, a subnet that is full of IP addresses whose reverse DNS is hostnames of the form '{crv,crve}.????.com'. The four characters in the domain name are usually letters, but I've seen some use of numbers and '-'.
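Reverse-DNS name templates like the one above are exactly the kind of thing that is worth matching on a subnet rather than per host. The following is an added example (not code from this post or from our mailer): it encodes the crv/crve.????.com template as a regex, groups constructed PTR data by /24, and flags subnets where most hosts carry template names. The PTR records, the documentation addresses, and the 50%/3-host thresholds are assumptions made up for the example; only the 72.11.156.0/24 subnet, the 72.11.128.0/19 SBL range and the name template come from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Added example, not code from the original post. It models the reverse-DNS
# pattern the post describes for 72.11.156.0/24: hostnames 'crv.????.com' or
# 'crve.????.com', where the four characters are usually letters but numbers
# and '-' also turn up. The SBL range is the one the post names (SBL20671).
CRV_PATTERN = re.compile(r"^crve?\.[a-z0-9-]{4}\.com\.?$", re.IGNORECASE)
SBL20671_RANGE = ipaddress.ip_network("72.11.128.0/19")


def matches_crv_pattern(hostname):
    """True if a reverse-DNS name fits the crv/crve.????.com template."""
    return hostname is not None and CRV_PATTERN.match(hostname) is not None


def summarize_by_subnet(ptr_records, prefixlen=24):
    """Group (ip, rdns) pairs by /prefixlen and count template hits per subnet.

    Returns {subnet_string: {"total": n, "crv": n, "in_sbl": n}} so a subnet
    that is "full of" such names stands out without a per-host rule.
    """
    summary = defaultdict(lambda: {"total": 0, "crv": 0, "in_sbl": 0})
    for ip_str, rdns in ptr_records:
        ip = ipaddress.ip_address(ip_str)
        subnet = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        entry = summary[subnet]
        entry["total"] += 1
        if matches_crv_pattern(rdns):
            entry["crv"] += 1
        if ip in SBL20671_RANGE:
            entry["in_sbl"] += 1
    return dict(summary)


def subnets_worth_blocking(summary, min_fraction=0.5, min_hosts=3):
    """Pick subnets where at least min_hosts were seen and at least
    min_fraction of them carry template reverse DNS. Thresholds are assumptions."""
    return sorted(
        net for net, c in summary.items()
        if c["total"] >= min_hosts and c["crv"] / c["total"] >= min_fraction
    )


# Constructed sample PTR data (made up for this example; only the 72.11.156.0/24
# subnet and the name template come from the post). 198.51.100.0/24 is a
# documentation range used here as an unrelated control.
SAMPLE_PTRS = [
    ("72.11.156.10", "crv.abcd.com"),
    ("72.11.156.11", "crve.wxyz.com"),
    ("72.11.156.12", "crv.a1-b.com"),
    ("72.11.156.13", None),                  # no reverse DNS at all
    ("72.11.140.5", "mail.example.net"),      # in the /19, but not the template
    ("198.51.100.7", "crv.qrst.com"),         # template, but outside the /19
    ("198.51.100.8", "smtp.example.org"),
]

if __name__ == "__main__":
    summary = summarize_by_subnet(SAMPLE_PTRS)
    for net, counts in sorted(summary.items()):
        print(net, counts)
    print("candidate blocks:", subnets_worth_blocking(summary))
```

The point of the per-subnet tally is the one the post makes about stale rules: a rule keyed to a hostname template plus a density threshold keeps working as the spammer rotates individual addresses, whereas a list of single IPs rots as soon as the block is reassigned.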

To break up the monotony, the spammer threw in marketing-miracles.com, greatdealsforme.com (a more honest spammer domain name than usual), mylinemarketing.com, and marketingwarpspeed.com. They and all the funny domains seem to be registered to the same organization, allegedly

Elbicho Ltd
Limited Elbicho
26 fremantle Court
Harbour Views, Gibraltar n/a
GI
+350.3500114473433
124656@whois.gkg.net

(Sometimes 'Elbicho Limited'.)

I can only hope that the spammer is paying real money for that parade of domain names. (Probably not, though. Although they seem to have been registered back in May, so hopefully the registrar will have gotten some actual money from the spammer.)

In SPEWS news, mail.uk.tiscali.com keeps showing up (although not high in the league tables). This is probably because they are a prolific advance fee fraud spam source, although they may protest otherwise (there was a recent thread on news.admin.net-abuse.email claiming reform, which various people laughed at).

The usual eyeball scan shows bad HELOs and bounces to nonexistent local addresses down somewhat from last week.

And that concludes tonight's presentation of The Week In Spam.

Written on 11 September 2005.
Last modified: Sun Sep 11 02:14:26 2005