Weekly spam summary on November 5th, 2005

November 6, 2005

This week we received 12,872 email messages from 229 different IP addresses. Our SMTP server handled 22,584 sessions from 1,544 different IP addresses, which is significantly down from last week.

To go with it, overall connections are down a lot from last week: we only saw 93,950 connections from at least 31,000 different IP addresses. I believe this is the lowest connection rate I've seen since I started doing weekly stats, and probably for some time before then.

Day         Connections   different IPs
Sunday           15,100          +4,500
Monday           15,130          +3,800
Tuesday          12,200          +4,560
Wednesday        13,600          +5,400
Thursday         13,000          +4,200
Friday           14,600          +4,350
Saturday         10,200          +4,100

Compared to two weeks ago, the per day different IP counts are somewhat but not hugely lower, while the number of connections is way, way down and very consistent. (Note that Sunday and Saturday are partial days, as usual.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
66.154.124.0/28       15309    857K
69.105.51.114         12654    592K
212.216.176.0/24      11677    605K
66.154.124.16          7166    401K
85.214.22.252          7122    342K
82.33.105.147          4513    211K
216.7.201.43           4063    195K
61.128.0.0/10          2852    144K
66.154.124.17          2336    131K
210.212.161.2          2264    109K

Again there's something odd. The usual top ten cutoff is at least 4,000 packets, but this week it's all the way down to 2,000; we simply haven't blocked very many active sources. On the other hand, there are a couple of very active sources.

  • 66.154.124.0/28, SBL24721, continues its rampage.
  • 66.154.124.16 and 66.154.124.17 are in SBL26860.
  • 85.214.22.252 reappears from last week, still on the ORDB; maybe they'll give up soon or get fixed.
  • 82.33.105.147 is a blueyonder.co.uk cablemodem.
  • 210.212.161.2 is some machine in India with no reverse DNS; we haven't talked to anything from APNIC space without reverse DNS for years. It's also on the CBL and various other DNS blocklists.
  • 216.7.201.43 reappears from here, still with a bad HELO name.
  • 69.105.51.114 is a PacBell ADSL line with a bad HELO name. (It's sometimes very tempting to block all PacBell ADSL lines, but at least some of them are statically assigned business lines. Unfortunately you can't tell which are which, since PacBell uses generic reverse DNS names.)

Connection time rejection stats:

  13876 total
   5903 dynamic IP
   4777 bad or no reverse DNS
   1730 class bl-cbl
    286 class bl-sbl
    283 class bl-spews
    222 class bl-ordb
    160 class bl-dsbl
     95 class bl-njabl
     77 class bl-sdul
      8 class bl-opm

Unsurprisingly everything has gone down compared to last week, sometimes through the floor. No single source stands out.
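To make the rejection classes above concrete, here is an added example (my own code, not the post's mail server) of how connection-time checks like these are typically layered: missing reverse DNS first, then a generic/dynamic-looking reverse name, then DNSBL lookups. The check order, the dynamic-name heuristics, the sample sessions and the stand-in resolver are all assumptions constructed for the example; the zone names are the ones the CBL and SBL published at the time and should be checked against the operators' current documentation.

```python
import ipaddress
import re
from collections import Counter
from typing import Callable, Iterable, Optional, Tuple

# DNSBL zones behind two of the post's rejection classes (assumed zone names).
ZONES = {"bl-sbl": "sbl.spamhaus.org", "bl-cbl": "cbl.abuseat.org"}

# Hostname fragments that commonly mark dynamically assigned address space.
DYNAMIC_HINTS = re.compile(r"(dyn|dhcp|dsl|cable|pool|ppp)", re.IGNORECASE)

Resolver = Callable[[str], Optional[str]]  # name -> A record or None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """A DNSBL is queried by reversing the IPv4 octets under the zone name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def looks_dynamic(ip: str, rdns: str) -> bool:
    """Generic reverse names often embed the address itself or a hint word."""
    return bool(DYNAMIC_HINTS.search(rdns)) or ip.replace(".", "-") in rdns


def classify(ip: str, rdns: Optional[str], resolve: Resolver) -> str:
    """Return the rejection class for one connecting IP, or 'accepted'."""
    if not rdns:
        return "bad or no reverse DNS"
    if looks_dynamic(ip, rdns):
        return "dynamic IP"
    for cls, zone in ZONES.items():
        answer = resolve(dnsbl_query_name(ip, zone))
        # A listed IP is answered with an address inside 127.0.0.0/8.
        if answer and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            return f"class {cls}"
    return "accepted"


def tally(sessions: Iterable[Tuple[str, Optional[str]]], resolve: Resolver) -> Counter:
    """Count rejections per class, like the post's connection-time stats."""
    counts = Counter(classify(ip, rdns, resolve) for ip, rdns in sessions)
    counts["total"] = sum(v for k, v in counts.items() if k != "accepted")
    return counts


# Constructed sample sessions (ip, reverse DNS or None) and a constructed
# offline stand-in for DNS: only the two reversed names below get an answer.
SAMPLE_SESSIONS = [("192.0.2.10", None), ("192.0.2.11", "adsl-192-0-2-11.example.net"),
                   ("192.0.2.12", "mail.example.org"), ("192.0.2.13", "mx.example.com"),
                   ("192.0.2.14", "relay.example.net")]
FAKE_DNS = {"12.2.0.192.cbl.abuseat.org": "127.0.0.2",
            "13.2.0.192.sbl.spamhaus.org": "127.0.0.2"}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)
```

Running `tally(SAMPLE_SESSIONS, fake_resolve)` gives one rejection per class and four in total; swap `fake_resolve` for a real DNS lookup to run it against live zones.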

what          # this week  (distinct IPs)   # last week  (distinct IPs)
Bad HELOs            1645             155         18117             922
Bad bounces          1096             424          2985            1690

Bad HELOs have dropped like a stone, although bounces are only down by 50% (from a lot fewer places, though).

Just to rain on any good news parade, Hotmail spam is up from last week:

  • three actual email messages accepted; at least one was almost certainly spam.
  • 11 Hotmail messages refused due to their originating IP addresses (8 in the SBL, one in the XBL, one from Gilat-Satcom again, one from Burkina Faso).
  • 300 messages from Hotmail refused because they came from non-Hotmail email addresses.

Written on 06 November 2005.
Last modified: Sun Nov 6 02:41:14 2005