== Weekly spam summary on November 12th, 2005

This week I'm leading with Hotmail's numbers, because they continue to be a depressing testament to [[Hotmail's spam problem|HotmailSpamRedux]]. This week's Hotmail statistics are:

* one email accepted, probably advance fee fraud spam from the Hotmail user name.
* 14 Hotmail messages refused due to their originating IP addresses (4 in the SBL, 4 in the XBL, three from Nigeria, two from SAIX, and one from the Cote d'Ivoire).
* 31 Hotmail messages refused because their sender addresses had already hit our spamtraps.
* 251 messages from Hotmail refused because they came from non-Hotmail email addresses.

At this point it's hard to see a point to continuing to accept Hotmail's email. And it's not like Hotmail shows any signs of dealing with their problem; they've offloaded it onto the rest of us.

On to other stats. This week we received 13,175 email messages from 230 different IP addresses. Our SMTP server handled 22,087 sessions from 1,695 different IP addresses. Both of these numbers are about the same as [[last week|SpamSummary-2005-11-05]].

Our connection volume is up from the depths of [[last week]]: 179,300 connections from at least 30,000 different IP addresses.

| Day | Connections | different IPs
| Sunday | 10,000 | 4,230
| Monday | 12,400 | +4,840
| Tuesday | 67,750 | +4,410
| Wednesday | 38,000 | +4,220
| Thursday | 14,960 | +4,370
| Friday | 23,000 | +4,450
| Saturday | 13,100 | +3,550

Tuesday is responsible for more than a third of the connections all on its own, with a spillover into Wednesday and a bit of a spike on Wednesday. Otherwise things are pretty close to [[last week]]'s daily rates.

Kernel level packet filtering top ten:

    Host/Mask           Packets   Bytes
    64.52.16.234          11730    548K
    66.154.124.0/28       10428    584K
    69.105.51.114          7892    369K
    212.216.176.0/24       7723    386K
    61.128.0.0/10          7210    351K
    80.33.77.149           6128    309K
    130.69.197.3           4675    281K
    203.167.99.194         4410    212K
    219.71.176.89          3577    172K
    66.179.44.52           3286    158K

This is a skewed distribution, but not as skewed as [[last week]].

* [[64.52.16.234|SpamSummary-2005-10-29]], [[69.105.51.114|SpamSummary-2005-11-05]], and [[66.179.44.52|SpamSummary-2005-10-29]] continue to send us bad _HELO_ names.
* [[203.167.99.194|SpamSummary-2005-10-29]] is an etpi.com.ph machine with no reverse DNS.
* 219.71.176.89 is a giga.net.tw cablemodem.
* 80.33.77.149 and 130.69.197.3 both tripped our spamtraps and then persistently kept trying to mail us.

Connection time rejection stats:

    16386 total
     8270 dynamic IP
     4714 bad or no reverse DNS
     1407 class bl-cbl
      662 class bl-ordb
      504 class bl-sbl
      224 class bl-spews
       90 class bl-dsbl
       71 class bl-sdul
       54 class bl-njabl
        2 class bl-opm

The dynamic IP category jumped in significant part due to just one machine, 83.196.157.151 (a wanadoo.fr dialup), trying 1,796 times to connect before it got blocked harder. (And this happened on Tuesday.)

Other stats:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 3613 | 165 | 1645 | 155
| Bad bounces | 774 | 570 | 1096 | 424

I'm not going to try to read meaning into the changed bounce count. There were definitely some quite persistent sources of bad _HELO_ names this week.