== Weekly spam summary on March 11th, 2006

Hotmail had an amazingly good week this time around:

* 5 messages accepted.
* 2 messages rejected because they came from non-Hotmail email addresses.
* *no* messages sent to our spamtraps.
* 6 messages refused because their sender addresses had already hit our spamtraps.
* only 1 message refused due to the origin IP address being in the CBL (and now in the SBL, as [[SBL34115|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL34115]]).

Muting the happiness is the fact that the one CBL-rejected message was from a sympatico.ca address, and several of the emails accepted from Hotmail were from suspicious sympatico.ca usernames like 'delottonederlands' and '[[winning_notificationmail2000|]]'. Hotmail is evidently not quite there just yet, although at this rate I'm going to stop leading the reports with them.

The basic volume numbers:

* got 13,413 messages from 221 different IP addresses.
* handled 18,299 sessions from 846 different IP addresses.
* received 205,332 connections from at least 40,047 different IP addresses.
* a highwater of 19 connections being checked at once.

The number of connections is up drastically from [[last week SpamSummary-2006-03-04]], but everything else is more or less holding steady. The per day numbers are interesting:

| Day | Connections | different IPs
| Sunday | 18,451 | +6,591
| Monday | 21,571 | +6,572
| Tuesday | 16,567 | +5,197
| Wednesday | 74,330 | +6,007
| Thursday | 43,699 | +4,860
| Friday | 15,988 | +5,453
| Saturday | 14,726 | +5,367

Where [[last week]] had a dip on Wednesday, this week has a monstrous peak, tailing off into Thursday as well. The other days were pretty flat, so Wednesday and Thursday are pretty much where all of the extra connection volume came from; if not for them, we would have been down overall from [[last week]].

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  66.235.205.240         8268    408K
  222.146.2.198          6759    333K
  212.216.176.0/24       5135    257K
  61.128.0.0/10          3254    167K
  88.225.43.100          3024    139K
  81.169.150.103         2501    150K
  220.160.0.0/11         2366    122K
  219.128.0.0/12         2113    108K
  218.0.0.0/11           1875   95448
  82.107.127.75          1761    106K

* 66.235.205.240 spammed us as 'save-mihaita.org' and was blocked. Evidently it continues to be very aggressive.
* 222.146.2.198, a Japanese IP address, was one of the probably compromised machines trying to send spam claiming to be from 'support@apaypal.com'. It's always nice to see phish spammers labeling their spam so clearly; it makes it much easier to block.
* 88.225.43.100 reappears from [[last week]], now blocked for being without good reverse DNS; it's still on the CBL, though.
* 81.169.150.103 is [[SBL38774|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL38774]], a phish spam source.
* 82.107.127.75 is an interbusiness.it client machine, and we haven't talked to them for years. (Maybe someday interbusiness.it will clean up its spam problem *and* get people to believe it.)

Connection time rejection stats:

  26321 total
  12533 dynamic IP
   9039 bad or no reverse DNS
   2553 class bl-cbl
    516 class bl-dsbl
    488 class bl-ordb
    322 SKYLIST INC 69.56.0.0/18
    185 class bl-spews
    151 class bl-sbl
    117 class bl-sdul
     40 class bl-njabl
     39 class bl-opm

We have had 69.56.0.0/18 explicitly blocked for some time now; at the time when we did it, it was due to SBL9613. The SBL listing is now gone (although there is still a [[SPEWS listing http://spews.org/html/S1514.html]] for it), but as you can see our explicit block lit up significantly this week. The connections seem to have mostly come from machines in the recipes4eachday.com and recipe4living-mail.com domains, so I don't think we're missing much.

Despite the connection volume power-up only one IP address was refused more than 100 times (81.86.27.181, with 173 attempts).
Ten of the top 30 most refused IPs are currently in the CBL, one is currently in the SBL, and 12 are currently in _bl.spamcop.net_. The one SBL listed IP is 81.169.150.103, refused an even 50 times before we blocked it.

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 1121 | 68 | 331 | 34
| Bad bounces | 111 | 88 | 119 | 45

The champion of bad _HELO_s this week is 63.105.86.51, at 270 before it went into the kernel-level blocks. Also on my mental hitlist are 209.113.245.138 (94), 199.106.238.47 (88), 69.105.51.114 (80), 72.11.65.10 (63), and 207.101.116.51 (53).