== Weekly spam summary on December 10th, 2005

Once again I'll lead with Hotmail's spam numbers, because they continue to be bad:

* one email accepted (probably spam).
* 218 messages rejected because they came from non-Hotmail email addresses.
* 111 messages sent to our spamtraps.
* 30 messages refused because their sender addresses had already hit our spamtraps.
* 5 messages refused due to their origin IP address (all for being in the SBL).

Now, on to the general numbers. This week we received 17,296 email messages from 202 different IP addresses. Our SMTP server handled 18,730 sessions from 998 different IP addresses. This is about the same as [[last week|SpamSummary-2005-12-03]], and once again we have two very active local users (6,993 and 4,302 messages) and the Linux kernel mailing list (2,225 messages) as a good part of the volume.

Connection volume is down from [[last week]]: 85,479 connections from at least 29,652 different IP addresses. The drop in the number of different IP addresses trying to send us mail is interesting. Broken down by day it goes:

| Day | Connections | different IPs
| Sunday | 12,220 | +4,480
| Monday | 12,910 | +4,590
| Tuesday | 14,600 | +5,070
| Wednesday | 11,270 | +4,070
| Thursday | 12,140 | +4,670
| Friday | 12,720 | +3,750
| Saturday | 9,600 | +3,010

Apart from a slight spike on Tuesday, this is basically flat. I'll probably not bother to report such flat numbers in detail in the future. (This table is still built by hand in a relatively hacky way. Besides, it takes up space.)

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  212.216.176.0/24       5708    282K
  81.56.74.165           5292    269K
  69.105.51.114          3813    178K
  66.62.47.34            3179    191K
  80.128.0.0/12          2982    144K
  69.15.141.50           2684    129K
  213.96.252.240         2621    157K
  219.238.168.124        2275    109K
  213.123.26.91          2050   98400
  219.128.0.0/12         1861   95064

This week's kernel level rejection stats are remarkably low.

* 80.128.0.0/12 is a Deutsche Telekom block, apparently all dialups. DT has a serious open proxy problem, one virulent enough that we have firewalled their entire IP blocks for some time rather than play whack-a-mole.
* reappearing from before are [[81.56.74.165|SpamSummary-2005-12-03]], [[69.105.51.114|SpamSummary-2005-11-12]], and [[66.62.47.34|SpamSummary-2005-12-03]]. (Two of them from last week, even.)
* 69.15.141.50 is on list.dsbl.org.
* 219.238.168.124 is a Chinese IP address with no reverse DNS.
* 213.96.252.240 and 213.123.26.91 both tried to feed us bad _HELO_ names too often. Since 213.96.252.240 is a rima-tde.net IP address (with generic reverse DNS), I'm not terribly charitable towards it to start with. 213.123.26.91 is interesting; it is one of the machines that are 'smtpout.btconnect.com', but it _HELO_'d repeatedly as 'hesl02uker.he.local'.

Connection time rejection stats:

  15345 total
   7443 dynamic IP
   4688 bad or no reverse DNS
   1816 class bl-cbl
    325 class bl-ordb
    305 class bl-sbl
    300 class bl-dsbl
    139 class bl-spews
    103 class bl-njabl
    101 class bl-sdul
      8 class bl-opm

There are no particularly prolific single IP addresses.

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 716 | 67 | 704 | 65
| Bad bounces | 135 | 99 | 178 | 118

Bounces continue to slide, leading me to hope that spammers have more or less given up forging our domains as the _MAIL FROM_ of their spam runs. The clear champion of bad _HELO_ names is 69.105.51.114, a PacBell ADSL line (sigh); 213.123.26.91 comes in third.

(This is somewhat variable, as we don't promote IP addresses into the kernel blocklists on any predictable schedule. Possibly I should change that.)