== Weekly spam summary on May 20th, 2006

This week we:

* got 12,292 messages from 221 different IP addresses.
* handled 16,875 sessions from 807 different IP addresses.
* received 125,999 connections from at least 41,642 different IP
  addresses.
* hit a highwater of 11 connections being checked at once.

Nothing went wrong this week, thank goodness; no reboots, no SMTP
frontend restarts, nothing.
Weekly volume seems to be back to the normal level when things are
quiet; there's no sign of [[last week SpamSummary-2006-05-13]]'s Sunday
spike. The per-day statistics are sufficiently boring and flat (peaking
at 20,000 connections on Wednesday) that I'm not going to put them in.

Kernel level packet filtering top ten:

 Host/Mask           Packets   Bytes
 218.254.83.47         11876    570K
 67.42.71.124           4672    224K
 212.216.176.0/24       4390    219K
 61.128.0.0/10          3781    190K
 66.58.176.187          2925    149K
 218.0.0.0/11           2583    131K
 220.160.0.0/11         2449    122K
 219.128.0.0/12         2069    104K
 72.244.167.83          2027   94761
 221.216.0.0/13         1909   94116

This is very similar to [[last week]]'s numbers, down to the first
place finisher.

* 218.254.83.47 returns from [[last week]].
* 67.42.71.124 is on the [[DSBL http://dsbl.org/]].
* 66.58.176.187 and 72.244.167.83 are both 'dialup' machines as far as
  we can tell from their generic DNS names.

Connection time rejection stats:

   35861 total
   17407 dynamic IP
   14992 bad or no reverse DNS
    2390 class bl-cbl
     278 class bl-dsbl
     135 class bl-sdul
      81 class bl-njabl
      69 class bl-sbl
      63 class bl-ordb

Out of curiosity, I took a look at the SBL rejections; the results
are kind of depressing. The 69 rejections were of 13 different IP
addresses; only two IP addresses (5 rejections total) were *not*
listed for being advance fee fraud sources.

Twelve out of the top 30 most rejected IP addresses were rejected more
than 100 times; the top rejection source was our friend 218.254.83.47
(497 times before it was re-blocked at the kernel level). 26 of the top
30 most rejected IP addresses are currently in the CBL; six of them are
currently in _bl.spamcop.net_.

Hotmail is backsliding; perhaps I should be surprised. This week's
stats:

* 1 message accepted, which was spam (I know, because I got it).
* 1 message rejected because it came from a non-Hotmail email
  address.
* 10 messages sent to our spamtraps.
* no messages refused because their sender addresses had already hit
  our spamtraps.
* 1 message refused due to its origin IP address being in the CBL.

The last set of numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 597 | 48 | 448 | 49
| Bad bounces | 30 | 26 | 10 | 10

Oh well, so much for not getting very many bounces. (I suppose
this still qualifies by other people's standards). As with [[last
week]], (just) over half the bad _HELO_s came from 213.123.26.0/24,
_btconnect.com_'s outgoing SMTP server pool. The odds of this changing
any time soon seems low.