Weekly spam summary on November 26th, 2005

November 27, 2005

This week we received 20,583 email messages from 213 different IP addresses. Our SMTP server handled 21,213 sessions from 1,044 different IP addresses. This is a significant jump in incoming email compared to last week.

We saw a major jump in connections compared to last week: 238,300 connections from at least 32,400 different IP addresses. Broken down by day, it goes:

Day          Connections   Different IPs
Sunday             9,130          +4,370
Monday            14,440          +5,970
Tuesday           12,490          +4,400
Wednesday         54,860          +4,660
Thursday         111,750          +4,300
Friday            22,900          +4,560
Saturday          12,730          +4,150

While Thursday is the day when we're slowest to add entries to the kernel level blocks, I don't think that's the sole explanation for the general habit of connection rates to spike then. (And they were already ramping up on Wednesday and slowly ramping down on Friday, too.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
212.216.176.0/24       8102    420K
200.26.201.46          4596    221K
203.167.99.194         2930    141K
66.62.47.57            2895    174K
66.125.69.74           2597    132K
66.154.124.0/28        2395    134K
195.250.128.75         2248    114K
219.71.176.153         2230    107K
72.9.253.34            2173    130K
61.128.0.0/10          2145    113K

The kernel level hits are way down even compared to last week, with only two really active sources by our usual standards.

  • 203.167.99.194 still has no PTR record; 66.62.47.57 continues to be in SBL34212.
  • 66.125.69.74 is a PacBell DSL line.
  • 219.71.176.153 is a giga.net.tw cablemodem.
  • 72.9.253.34 is a gnax.net machine that's on the CBL.
  • 200.26.201.46 fed us a bad HELO name a lot.
  • 195.250.128.75 is a vol.cz machine that was blocked for repeatedly trying to send us mail that had already tripped our spamtraps. I suspect that it is a webmail system, and we know how that story usually goes.

This continues the trend of bad HELOs being much less frequent around here. It's possible that people are actually starting to fix their mailers, although I'm not going to hold my breath.

Connection time rejection stats:

  23767 total
  14756 dynamic IP
   5535 bad or no reverse DNS
   2075 class bl-cbl
    414 class bl-sbl
    269 class bl-sdul
    237 class bl-ordb
    215 class bl-dsbl
     52 class bl-spews
     23 class bl-njabl
      2 class bl-opm
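The rejection classes in that tally are the checks a mail server can make before it has read a single SMTP command: is the connecting address on a dynamic line, does it have sane reverse DNS, and is it on one of several DNS blocklists. As an added illustration (my own code, not the blog's or this site's mail server), here is a small Python classifier that applies those three checks in the order the list above shows them and tallies the result in the same shape. It runs offline against a constructed fake resolver; the blocklist zone names (`cbl.dnsbl.example` and so on), the dynamic-hostname patterns, the forward-confirmation rule for reverse DNS and the check order are all assumptions, while the query form for a DNSBL (the IP's octets reversed under the list's zone, listed if any A record comes back) is the standard one.

```python
"""Connection-time rejection classifier in the style of the weekly
spam summaries.  Each connecting IP is checked, in order, for
(1) a dynamic-IP hostname pattern, (2) bad or missing reverse DNS,
(3) a listing in one of several DNS blocklists.  Added example; the
resolver is injected so it runs offline on constructed data."""
from collections import Counter
import ipaddress
import re

# Assumed DNSBL zones, in the order the summary lists the classes.  The
# summary names only the classes, so these zone names are placeholders.
DNSBL_ZONES = [
    ("bl-cbl", "cbl.dnsbl.example"),
    ("bl-sbl", "sbl.dnsbl.example"),
    ("bl-sdul", "sdul.dnsbl.example"),
    ("bl-ordb", "ordb.dnsbl.example"),
]

# Assumed hostname fragments that mark a PTR name as a dynamic/residential line.
DYNAMIC_RE = re.compile(
    r"(^|[.-])(dsl|adsl|dyn|dynamic|dhcp|ppp|cable|cablemodem|dial)([.-]|\d)",
    re.IGNORECASE,
)


def reversed_octets(ip):
    """'192.0.2.13' -> '13.2.0.192', the label order DNSBL queries use."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


class FakeResolver:
    """Offline stand-in for DNS: PTR and A answers come from dicts (constructed)."""

    def __init__(self, ptr, a):
        self._ptr = ptr
        self._a = a

    def ptr(self, ip):
        return self._ptr.get(ip, [])

    def a(self, name):
        return self._a.get(name.lower(), [])


def dnsbl_listed(resolver, ip, zone):
    """A DNSBL lists an IP by answering an A query for <reversed ip>.<zone>."""
    return bool(resolver.a(f"{reversed_octets(ip)}.{zone}"))


def reverse_dns_ok(resolver, ip):
    """Require a PTR name whose forward A records include the IP (assumed rule)."""
    return any(ip in resolver.a(name) for name in resolver.ptr(ip))


def classify(resolver, ip):
    """Return the rejection class for a connecting IP, or 'accepted'.
    The check order (dynamic, reverse DNS, DNSBLs) mirrors the order of the
    summary's list; that it is the real server's order is an assumption."""
    if any(DYNAMIC_RE.search(name) for name in resolver.ptr(ip)):
        return "dynamic IP"
    if not reverse_dns_ok(resolver, ip):
        return "bad or no reverse DNS"
    for cls, zone in DNSBL_ZONES:
        if dnsbl_listed(resolver, ip, zone):
            return f"class {cls}"
    return "accepted"


def tally(resolver, connections):
    """Count connections per class; returns (rejected total, Counter)."""
    counts = Counter(classify(resolver, ip) for ip in connections)
    rejected = sum(n for cls, n in counts.items() if cls != "accepted")
    return rejected, counts


# Constructed sample data: TEST-NET-1 addresses and placeholder zones.
SAMPLE_PTR = {
    "192.0.2.10": ["dsl-192-0-2-10.isp.example"],   # dynamic-looking name
    "192.0.2.12": ["mail.example.org"],             # PTR exists, forward disagrees
    "192.0.2.13": ["mx1.example.com"],
    "192.0.2.14": ["smtp.example.net"],
    "192.0.2.15": ["relay.example.edu"],
    # 192.0.2.11 deliberately has no PTR at all
}
SAMPLE_A = {
    "mail.example.org": ["192.0.2.99"],
    "mx1.example.com": ["192.0.2.13"],
    "smtp.example.net": ["192.0.2.14"],
    "relay.example.edu": ["192.0.2.15"],
    "13.2.0.192.cbl.dnsbl.example": ["127.0.0.2"],  # 192.0.2.13 listed in "CBL"
    "14.2.0.192.sbl.dnsbl.example": ["127.0.0.2"],  # 192.0.2.14 listed in "SBL"
}
SAMPLE_CONNECTIONS = ["192.0.2.10", "192.0.2.11", "192.0.2.12",
                      "192.0.2.13", "192.0.2.13", "192.0.2.14", "192.0.2.15"]

if __name__ == "__main__":
    resolver = FakeResolver(SAMPLE_PTR, SAMPLE_A)
    rejected, counts = tally(resolver, SAMPLE_CONNECTIONS)
    print(f"{rejected:7d} total")
    for cls, n in counts.most_common():
        if cls != "accepted":
            print(f"{n:7d} {cls}")
```

Run it and the sample yields 6 rejections out of 7 connections, printed in the same layout as the stats above. The forward-confirmation rule is why `192.0.2.12` lands in "bad or no reverse DNS" even though it has a PTR record: the name it claims does not point back at it, which is the usual reason a PTR is treated as bad rather than merely absent. The order matters too: `192.0.2.14` is only tried against the later lists because the first zone had no answer for it.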

Taking pride of place and explaining some of Thursday's numbers is 61.9.145.66, a bigpond.net.au cablemodem, which tried to connect to us 7,296 times before it gave up. (It may explain some of Wednesday's numbers too, as it started that evening.)

Other stats:

What          This week (distinct IPs)   Last week (distinct IPs)
Bad HELOs          682 (76)                  3011 (166)
Bad bounces        190 (98)                   387 (265)

These numbers have dropped to amazingly low levels. I'm going to hold my breath that this keeps up. (Although some of the bounce reduction is from spammers and viruses starting to forge things like 'hostmaster' instead of random usernames.)

And finally, we have the usual depressing Hotmail numbers:

  • ten email messages accepted.
  • 299 messages rejected because they came from non-Hotmail email addresses.
  • 26 messages refused because their sender addresses had already hit our spamtraps.
  • 9 messages refused due to their origin IP address (6 in the SBL, two from SAIX, one from Nigeria).

Ten email messages accepted from Hotmail is quite high, and it looks like a fair number of them were non-spam (and more than a few spam, unfortunately). Given the other numbers this looks less like Hotmail getting any sort of handle on their spam issue and more like some people starting to use Hotmail.

Written on 27 November 2005.

Last modified: Sun Nov 27 01:16:55 2005