== Weekly spam summary on April 29th, 2006

This week's statistics are distorted by a Wednesday noon system reboot that had the effect of resetting some of them. Having said that, this week we:

* got 11,083 messages from 230 different IP addresses.
* handled 15,463 sessions from 840 different IP addresses.
* received 88,321 connections from at least 28,538 different IP addresses *since Wednesday noon*.
* hit a highwater of 38 connections being checked at once, *since Wednesday noon*.

To the extent that I can tell, this looks like it's somewhat down from [[last week SpamSummary-2006-04-22]]. It looks like total connection volume would have been around 130,000 or so this week if the reboot hadn't happened. Obviously the per-day table is completely useless this week.

Kernel level packet filtering top ten, since Wednesday noon:

  Host/Mask           Packets   Bytes
  85.15.204.205          6999    420K
  142.150.228.9          5149    275K
  212.216.176.0/24       2601    130K
  202.43.219.0/24        1734   87880
  71.101.115.35          1642   78816
  212.71.30.86           1563   93780
  221.216.0.0/13         1359   66340
  193.113.160.15         1312   83968
  61.128.0.0/10          1312   65480
  141.168.4.98           1281   65164

This looks a lot like [[last week]] in terms of the numbers, which is probably bad because last week's numbers were atypically low.

* 85.15.204.205 used a bad _HELO_ name a lot.
* 142.150.228.9 is a University of Toronto machine that has a bad _HELO_, which neatly points out a bug in my support scripts; I'm supposed to exclude all of our own machines from getting added to the kernel IP blocks.
* 71.101.115.35 is a Verizon DSL 'dialup' machine.
* 212.71.30.86 is in [[NJABL http://www.njabl.org/]].
* 193.113.160.15 is a _mail.o2.co.uk_ machine that keeps trying to send us advance fee fraud spam from their webmail system.
* 141.168.4.98 is a bigpond.net.au cablemodem.
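
The exclusion step mentioned for 142.150.228.9, sketched as an added example (this is not the author's support script): candidate Host/Mask entries are checked against an exempt list before anything reaches the kernel blocks. The function names, the one-entry exempt list and the last three sample candidates are assumptions made for illustration.

```python
import ipaddress

# Assumption: the exempt list. The page names only 142.150.228.9 as one of
# "our own machines"; a real list would hold the site's full address ranges.
OWN_NETWORKS = [ipaddress.ip_network("142.150.228.9/32")]


def parse_entry(text):
    """Parse a Host/Mask entry ('1.2.3.4' or '1.2.3.0/24') into a network."""
    # strict=True rejects a mask with host bits set instead of silently
    # widening or truncating what would be blocked.
    return ipaddress.ip_network(text.strip(), strict=True)


def filter_candidates(candidates, own_networks=OWN_NETWORKS):
    """Split candidate block entries into (to_block, exempted, invalid)."""
    to_block, exempted, invalid = [], [], []
    for text in candidates:
        try:
            net = parse_entry(text)
        except ValueError:
            invalid.append(text)
            continue
        # overlaps() is true when the candidate sits inside one of our
        # networks and also when a wide candidate mask would swallow one.
        if any(net.version == own.version and net.overlaps(own)
               for own in own_networks):
            exempted.append(str(net))
        else:
            to_block.append(str(net))
    return to_block, exempted, invalid


# First three entries come from the table above; the rest are constructed:
# a /12 that contains our machine, a mask with host bits set, and junk.
CANDIDATES = ["85.15.204.205", "142.150.228.9", "212.216.176.0/24",
              "142.144.0.0/12", "61.128.0.1/10", "not-an-ip"]

if __name__ == "__main__":
    block, skipped, bad = filter_candidates(CANDIDATES)
    print("block:   ", block)
    print("exempted:", skipped)
    print("invalid: ", bad)
```

Checking overlap rather than exact match matters because a blocked mask wider than the exempt entry would otherwise cut off our own machine along with the rest of the range.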

Connection time rejection stats:

  47114 total
  23796 dynamic IP
  18622 bad or no reverse DNS
   3008 class bl-cbl
    348 class bl-dsbl
    165 class bl-ordb
    165 class bl-njabl
    124 class bl-sdul
     40 class bl-sbl
     35 class bl-spews
      2 class bl-opm

These are full-week stats; we've popped back to regular levels after the whole CBL-first exercise of [[last week]].

Some people from 65.109.239.0/24 showed up again this week; we blocked them because of [[tucksprofessionalservices.com SpamSummary-2006-02-11]], which I see is still there at 65.109.239.171. The two IP addresses that poked us are 65.109.239.110 (in _bl.spamcop.net_ right now) and 65.109.239.194 (which is listed in spam.dnsbl.sorbs.net for sending mail to their spamtraps).

Hotmail mail volume is way down this week:

* no messages accepted.
* 1 message rejected because it came from a non-Hotmail email address (again a _hotmail.fr_ address).
* 9 messages sent to our spamtraps.
* no messages refused because they'd already hit our spamtraps or because of their origin IP address.

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 346 | 40 | 953 | 44
| Bad bounces | 29 | 23 | 21 | 16

This is down in the noise, especially considering that the top three sources of bad _HELO_s were 55% of the rejections all on their own.