== Weekly spam summary on March 4th, 2006

It's time for another weekly spam summary. First, let's look at Hotmail, which turns out to be running roughly the same as [[last week SpamSummary-2006-02-25]]:

* no messages accepted.
* 12 messages rejected because they came from non-Hotmail email addresses.
* 49 messages sent to our spamtraps.
* 2 messages refused because their sender addresses had already hit our spamtraps.
* 6 messages refused due to their origin IP address (two in the SBL, one in each of the XBL and the CBL, one from Nigeria, and one from SAIX).

Hotmail might get points, except for two things: first, the spamtrap hits still show that far too much spam is coming from Hotmail, and second Hotmail started letting their webmail spammers use 'user@sympatico.ca' addresses this week. I feel for the Sympatico users who are about to get their email dumped by all sorts of people as a result of this.

The basic volume numbers:

* got 13,466 messages from 215 different IP addresses.
* handled 17,446 sessions from 769 different IP addresses.
* received 122,475 connections from at least 43,529 different IP addresses.
* a highwater of 11 connections being checked at once.

All of this is slightly down from [[last week]] (except for the highwater, which means we had a larger burst of connections some time this week). The per day numbers are *remarkably* flat:

| Day | Connections | different IPs
| Sunday | 16,862 | +7,000
| Monday | 18,662 | +6,770
| Tuesday | 18,571 | +6,273
| Wednesday | 15,914 | +5,448
| Thursday | 18,263 | +6,027
| Friday | 18,700 | +6,287
| Saturday | 15,503 | +5,724

I have no explanation for the dip on Wednesday.

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  200.46.208.94          7106    361K
  61.128.0.0/10          4000    211K
  212.216.176.0/24       3980    193K
  80.190.233.48          2914    175K
  88.225.43.100          2242    103K
  220.160.0.0/11         2123    109K
  205.206.209.28         2017   92872
  219.128.0.0/12         1964    101K
  212.154.186.245        1961   94128
  221.216.0.0/13         1908   97452

* 200.46.208.94 tripped our spamtrap detectors and then kept on mailing, I believe with phish email.
* 80.190.233.48 and 205.206.209.28 reappear from [[last week]].
* 88.225.43.100 is a Turkish IP address that's on the CBL.
* 212.154.186.245 is a Kazakhstan IP address in dnsbl.njabl.org as an open relay.

Connection time rejection stats:

  25306 total
  12030 dynamic IP
   9292 bad or no reverse DNS
   2784 class bl-cbl
    292 class bl-ordb
    179 class bl-dsbl
    121 class bl-spews
    104 class bl-sbl
     98 class bl-sdul
     43 class bl-njabl
     27 class bl-opm

Only one IP address, 221.139.219.164, was refused more than 100 times. Thirteen of the top 30 most refused IPs are currently in the CBL and eight are currently in _bl.spamcop.net_; none are in the SBL.

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 331 | 34 | 1736 | 123
| Bad bounces | 119 | 45 | 249 | 122

This is about back to the [[old low numbers SpamSummary-2006-02-04]] at last. The leading contestant in the bad _HELO_ numbers is 62.49.123.163 (claiming to be _webserver.nss.local_), with 141 rejections.