== Weekly spam summary on February 25th, 2006

Here's how Hotmail stacks up this week:

* 4 messages accepted; unfortunately, one of them was definitely spam and at least two more probably were.
* 21 messages rejected because they came from non-Hotmail email addresses.
* 49 messages sent to our spamtraps.
* 4 messages refused because their sender addresses had already hit our spamtraps.
* 6 messages refused due to their origin IP address, all for being in the [[SBL http://www.spamhaus.org/sbl/]]; four from [[SBL17935|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL17935]], one from [[SBL27471|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL27471]], and one from [[SBL33955|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL33955]].

Pretty much everything is down compared to [[last week SpamSummary-2006-02-18]]. Amazingly, Hotmail may actually be dealing with their whole spam problem.

Next, the basic stats:

* got 14,001 messages from 235 different IP addresses.
* handled 19,476 sessions from 968 different IP addresses.
* received 132,936 connections from at least 46,917 different IP addresses.
* a highwater of only 6 connections being checked at once.

In short, things are down from [[last week]]. The per-day stats are basically flat at ~18,000 connections a day, but jump to ~22,000 on Sunday and Friday.

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  203.123.36.140         7213    433K
  212.216.176.0/24       4791    242K
  80.190.233.48          3743    225K
  61.128.0.0/10          3206    166K
  194.5.37.253           2994    170K
  68.107.219.194         2181    105K
  205.206.209.28         2174    100K
  219.128.0.0/12         2015    103K
  220.160.0.0/11         1916   98292
  69.239.229.58          1654   84104

While the most active contestant is higher, overall I'd have to say that this is quieter than [[last week]]. All of the top individual IP addresses are new.

* 203.123.36.140 and 80.190.233.48 don't have IP to name information.
* 68.107.219.194 and 69.239.229.58 smelled like DSL or cablemodem dynamic IP addresses to us.
* 194.5.37.253 tripped our spamtraps and then kept trying to send us tainted stuff, and is currently listed in bl.spamcop.net and in [[SORBS http://www.sorbs.net]]'s _spam_ zone for hitting their spamtraps.
* 205.206.209.28 is, whoops, a telus.com mail server that _HELO_'d with a bogus name a lot. Apparently it's running Microsoft Exchange. We may have to exempt it from the bad _HELO_ name checks.

Connection time rejection stats:

  28453 total
  13771 dynamic IP
  10160 bad or no reverse DNS
   3066 class bl-cbl
    325 class bl-ordb
    285 class bl-sbl
    222 class bl-spews
    120 class bl-sdul
    117 class bl-njabl
     86 class bl-dsbl
      4 class bl-opm

Bad reverse DNS is up this week compared to [[last week]], but that's about it. For individual IPs, things are even more evenly distributed this week, with only one IP address being refused more than 100 times (202.175.50.201, 177 times). Eight of the top 30 most refused IPs are currently in the [[CBL http://cbl.abuseat.org/]] and three are currently in _bl.spamcop.net_; repeating [[last week]], none are in the [[SBL]].

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 1736 | 123 | 6167 | 364
| Bad bounces | 249 | 122 | 1994 | 1031

These numbers aren't yet down to the [[old low numbers SpamSummary-2006-02-04]], but at least they're dropping from [[last week]]'s levels. There are no really 'outstanding' sources; only one IP address tried a bad _HELO_ more than a hundred times, for example.