== Weekly spam summary on April 1st, 2006

Let's see what sort of April Fools joke the spammers have been having this week. This week, we:

* got 14,298 messages from 221 different IP addresses.
* handled 18,642 sessions from 966 different IP addresses.
* received 153,366 connections from at least 49,555 different IP addresses.
* hit a highwater of 17 connections being checked at once.

Connection volume is up from [[last week SpamSummary-2006-03-25]], but session volume is down somewhat. That's got a simple meaning: more spammers being dumped at connection time.

The per day table runs:

| Day | Connections | different IPs
| Sunday | 21,525 | +9,017
| Monday | 21,430 | +7,776
| Tuesday | 27,890 | +6,457
| Wednesday | 23,531 | +5,822
| Thursday | 19,097 | +6,309
| Friday | 19,609 | +7,180
| Saturday | 20,284 | +6,994

Conclusion: the spam attack from [[last week]] is continuing, with a spike Tuesday for some reason. It would be handy if the spammer show came with a program guide.

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  193.70.192.0/24       16183    730K
  212.216.176.0/24       7320    365K
  61.128.0.0/10          5531    287K
  209.94.102.72          4599    234K
  211.136.0.0/14         4123    247K
  168.243.89.68          2699    162K
  218.0.0.0/11           2255    113K
  221.216.0.0/13         2247    114K
  219.238.168.124        2112    101K
  24.13.143.139          2042   98016

Continuing the trend from [[last week]], _libero.it_ and _tin.it_ really tried to dump a lot of stuff on us (they're the top two entries on the list).

* 209.94.102.72 was blocked for hitting spamtraps and then keeping on sending us spammy-looking stuff.
* 168.243.89.68 is a San Salvador based IP address with bad reverse DNS.
* 219.238.168.124 returns from [[last week]].
* 24.13.143.139 is a Comcast cablemodem, and is listed in a number of DNS blocklists (including _bl.spamcop.net_).

Connection time rejection stats:

  36261 total
  19955 dynamic IP
  11044 bad or no reverse DNS
   3677 class bl-cbl
    270 class bl-dsbl
    249 class bl-ordb
    232 class bl-sbl
    137 class bl-sdul
    105 class bl-njabl
     83 fairgamemail.us
     67 class bl-spews
     38 SKYLIST INC 69.56.0.0/18
     22 class bl-opm

Unlike [[last week]], this week _fairgamemail.us_ is trying to spam us from *two* netblocks. They hit us from both 209.124.72.0/24 and the new 204.14.1.0/24, under 'VX Commit, LLC', 204.14.0.0/21. VX Comit LLC's entire /21 is in the SBL as [[SBL27197 http://www.spamhaus.org/sbl/sbl.lasso?query=SBL27197]]; according to the listing they are also known as '247 Surf Net'.

Out of the top 30 most rejected IP addresses, three were rejected 100 times or more. The most prolific was 64.71.157.243 (in the SBL as part of [[SBL39167 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL39167]]), rejected 139 times. Twelve of the top 30 are currently in the CBL, nine are currently in _bl.spamcop.net_, and only the one is currently in the SBL.

Other numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 654 | 66 | 714 | 68
| Bad bounces | 98 | 81 | 108 | 85

I can take some comfort that these are low, and there are relatively few IP addresses involved. By this point, a certain amount of bad bounces are probably just the inevitable background noise of the Internet, much like [[ssh brute force scans ../linux/StoppingSshScanning]].

And finally the Hotmail numbers:

* 12 messages accepted; shockingly, these were all legitimate.
* 1 message rejected because it came from a non-Hotmail email address.
* 19 messages sent to our spamtraps.
* 13 messages refused because their sender addresses had already hit our spamtraps.
* 5 messages refused due to their origin IP address (2 for being in the SBL, 1 for being in the CBL, one from SAIX, one from Ghana).

The SBL rejections are for the same IP address, 62.59.40.138, which is [[SBL33051 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL33051]]. It was one of the ones that hit us [[last week]], as recounted in my [[revised Hotmail stats HotmailStatsRevised]]. I'm not very happy that it can still spew advance fee fraud spam through Hotmail.

(Don't get too enthused at 12 legitimate emails from Hotmail; 11 of them were from one person.)