Weekly spam summary on December 31st, 2005
This week we received 12,270 email messages from 159 different IP addresses. Our SMTP server handled 31,972 sessions from 2,643 different IP addresses. Session volume is down from last week, which is a relief, although it's not back down to the historical levels yet.
However, connection volume has not dropped substantially from last week: 260,000 connections from at least 53,760 different IP addresses, with a high-water mark of 12 simultaneous connections being checked. Oddly, the number of different IPs has jumped substantially. Broken down by day:
| Day | Connections | different IPs |
| --- | --- | --- |
| Sunday | 69,300 | +7,220 |
| Monday | 34,460 | +7,900 |
| Tuesday | 33,860 | +7,880 |
| Wednesday | 28,000 | +8,120 |
| Thursday | 34,460 | +8,290 |
| Friday | 33,630 | +8,310 |
| Saturday | 26,060 | +6,040 |
The connections per day show the major spam overhang from last weekend, followed by a fairly constant rain of incoming connections over the rest of the week.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| --- | --- | --- |
| 131.96.2.25 | 19352 | 973K |
| 62.94.0.30 | 18992 | 848K |
| 68.79.138.146 | 7596 | 334K |
| 63.149.9.38 | 6931 | 319K |
| 213.4.129.129 | 6738 | 309K |
| 193.74.71.23 | 6699 | 402K |
| 69.18.40.198 | 6541 | 314K |
| 155.91.6.71 | 5641 | 278K |
| 205.169.191.25 | 5193 | 249K |
| 66.193.219.10 | 5090 | 224K |
The packet stats are up a fair bit from last week, with two runaway winners (although not quite at the level of last week's grand champion).
- 131.96.2.25 got blocked for sending us too much spam backscatter, and apparently kept generating it quite actively.
- 62.94.0.30 continues from last week, still using its bad HELO name.
- 68.79.138.146, 69.18.40.198, 155.91.6.71, and 205.169.191.25 all spewed bad HELO names at us.
- 63.149.9.38 and 66.193.219.10 are both considered 'dialup' machines.
- 213.4.129.129 is terra.es's main outbound server and has been blocked here for ages for being an active spam source.
- 193.74.71.23 sent mail to a spamtrap and then kept trying to send more email to us with the same MAIL FROM.
Connection time rejection stats:
| Rejections | Reason |
| --- | --- |
| 46350 | total |
| 27594 | dynamic IP |
| 12425 | bad or no reverse DNS |
| 4438 | class bl-cbl |
| 527 | class bl-spews |
| 321 | class bl-dsbl |
| 247 | class bl-sdul |
| 191 | class bl-sbl |
| 97 | class bl-ordb |
| 16 | class bl-opm |
| 7 | class bl-njabl |
The CBL and generic 'dynamic/dialup' hits are up compared to last week and dominate the rejection rate, which is a strong sign that many of the connection attempts are spam delivery attempts from compromised machines. A number of IPs made hundreds of attempts to connect to us (the most active was 200.140.20.17, with 424 attempts), and of the top 30 connecting IPs, 24 of them are on the CBL.
The other numbers aren't as bad as last week, but they're still not pleasant:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| --- | --- | --- | --- | --- |
| Bad HELOs | 12700 | 578 | 36016 | 888 |
| Bad bounces | 4196 | 1123 | 15450 | 3456 |
I think that both dropping a lot show that most of this week's load is direct spam, instead of backscatter from spammers forging our domains in their MAIL FROM.
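The rejection classes in the connection-time table above (dynamic IP, bad or no reverse DNS, DNSBL classes such as bl-cbl and bl-sbl) and the "bad HELO" count are the outcomes of checks that run before any message is accepted. As an added illustration that is not the site's own code, the following Python example implements a small version of those checks and tallies the results in the same shape as the weekly stats block. Everything it consults is constructed and embedded: the PTR records, the DNSBL listings and the connecting addresses (documentation ranges) are made up so the example runs offline, and the evaluation order of the checks is an assumption of the example, not something the post states. The two zone names are the real CBL and SBL zones, but the listings under them are invented.

```python
"""Connection-time SMTP rejection checks, worked as an offline example."""
import ipaddress
import re
from collections import Counter

# Which DNSBL zone backs which rejection class. The zone names are real;
# the answers below are constructed for this example.
DNSBL_ZONES = {
    "bl-cbl": "cbl.abuseat.org",
    "bl-sbl": "sbl.spamhaus.org",
}

# Constructed stand-ins for DNS lookups (a real MTA queries the resolver).
CONSTRUCTED_DNSBL = {
    "10.113.0.203.cbl.abuseat.org": "127.0.0.2",   # 203.0.113.10 "listed" on CBL
    "20.113.0.203.sbl.spamhaus.org": "127.0.0.2",  # 203.0.113.20 "listed" on SBL
}
CONSTRUCTED_PTR = {
    "198.51.100.7": "dsl-198-51-100-7.example-isp.net",  # generic dynamic naming
    "203.0.113.10": "host10.example-isp.net",            # static-looking, on CBL
    "203.0.113.20": "mail.example-sender.net",           # static-looking, on SBL
    "192.0.2.44": "mx1.example-partner.org",             # clean
    # 192.0.2.99 deliberately has no PTR record at all
}

# Our own hostnames (constructed); a remote MTA claiming to be us is lying.
OUR_NAMES = {"mail.example-ours.org", "example-ours.org"}

DYNAMIC_PTR_RE = re.compile(r"(dsl|dialup|dyn|ppp|cable|pool)", re.IGNORECASE)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL lookup asks for: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def ptr_looks_dynamic(ip: str, ptr: str) -> bool:
    """Heuristic for 'dynamic IP': ISP-style keywords or the address baked into the name."""
    if DYNAMIC_PTR_RE.search(ptr):
        return True
    return ip.replace(".", "-") in ptr or ip in ptr


def connection_rejection(ip, ptr_lookup=CONSTRUCTED_PTR, dnsbl=CONSTRUCTED_DNSBL):
    """Return the first rejection class that applies, or None to let the session continue.

    Order (an assumption of this example): missing PTR, dynamic-looking PTR,
    then each DNSBL zone in turn.
    """
    ptr = ptr_lookup.get(ip)
    if ptr is None:
        return "bad or no reverse DNS"
    if ptr_looks_dynamic(ip, ptr):
        return "dynamic IP"
    for klass, zone in DNSBL_ZONES.items():
        if dnsbl_query_name(ip, zone) in dnsbl:
            return "class " + klass
    return None


def helo_is_bad(helo: str) -> bool:
    """Flag HELO names no legitimate MTA would send: one of our own names,
    a name without a single dot, or a bare IP literal without the [brackets]
    that an address literal requires."""
    h = helo.strip().lower()
    if h in OUR_NAMES or "." not in h:
        return True
    try:
        ipaddress.IPv4Address(h)
        return True
    except ValueError:
        return False


def summarize(ips):
    """Tally rejections the way the weekly stats block does: total first,
    then each reason by descending count. Returns (lines, accepted_count)."""
    counts = Counter()
    accepted = 0
    for ip in ips:
        reason = connection_rejection(ip)
        if reason is None:
            accepted += 1
        else:
            counts[reason] += 1
    lines = ["%d total" % sum(counts.values())]
    lines += ["%d %s" % (n, reason) for reason, n in counts.most_common()]
    return lines, accepted


# Constructed week of connection attempts (repeats model retrying senders).
CONSTRUCTED_CONNECTIONS = (
    ["198.51.100.7"] * 4 + ["203.0.113.10"] * 3 + ["192.0.2.99"] * 2
    + ["203.0.113.20"] + ["192.0.2.44"] * 2
)

if __name__ == "__main__":
    lines, accepted = summarize(CONSTRUCTED_CONNECTIONS)
    print("\n".join(lines))
    print("%d sessions continued past the connection check" % accepted)
    for name in ("mail.example-ours.org", "192.0.2.44", "[192.0.2.44]", "localhost"):
        print("HELO %-22s bad=%s" % (name, helo_is_bad(name)))
```

The tally function only counts connection-time outcomes; the bad-HELO and bad-bounce figures in the post are gathered later in the session, which is why `helo_is_bad` is separate and would feed its own counter.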
And to round out the last entry of the (nominal) year, here are the Hotmail numbers, which are less depressing than usual:
- five email messages accepted, at least one of which seems to have been a spam backscatter bounce.
- 100 messages rejected because they came from non-Hotmail email addresses.
- 36 messages sent to our spamtraps.
- 10 messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one for being in the SBL and one from a telkom.co.za DSL line that's also on the CBL).
Apparently a number of Hotmail's spammers do take the holidays off.
Welcome to 2006. May it have less spam than 2005.