== Weekly spam summary on June 17th, 2006

This week, we:

* got 12,612 messages from 249 different IP addresses.
* handled 17,714 sessions from 803 different IP addresses.
* received 245,591 connections from at least 48,624 different IP addresses.
* hit a highwater of 8 connections being checked at once.

Connection volume is up substantially from [[last week SpamSummary-2006-06-10]], although nothing else seems to be up much (especially the highwater).

The per day table:

| Day | Connections | different IPs |
| Sunday | 19,554 | +9,196 |
| Monday | 17,987 | +7,349 |
| Tuesday | 19,967 | +6,725 |
| Wednesday | 19,737 | +6,848 |
| Thursday | 23,173 | +7,102 |
| Friday | 21,914 | +6,399 |
| Saturday | 123,259 | +5,005 |

In other words, we did about half this week's connection volume today. That would be yet another spam storm in progress.

Kernel level packet filtering top ten:

  Host/Mask         Packets   Bytes
  204.202.15.180    18790     927K
  199.239.233.177   13568     669K
  220.229.62.220    12171     619K
  198.66.222.14     11162     551K
  204.202.9.161     7360      363K
  198.66.222.20     6693      330K
  61.128.0.0/10     6003      303K
  218.0.0.0/11      4885      242K
  200.83.2.213      4765      286K
  155.212.2.42      4667      230K

This is well up from [[last week]], especially at the quite aggressive top end; it's been quite a while since we had a week with that many IP addresses sending us over 10,000 fruitless packets.

* 204.202.15.180, 199.239.233.177, 204.202.9.161, 198.66.222.14, and 198.66.222.20 were all sources of phish spam that hit our spamtraps (I can tell from the _MAIL FROM_ addresses). (Two actually made our lists back [[in May SpamSummary-2006-05-27]].)
* 155.212.2.42 hit our spamtraps and kept on sending madly, but I'm not sure whether it was phish spam or regular spam.
* 220.229.62.220 reappears from [[last week]], still with bad reverse DNS.
* 200.83.2.213 is a Chilean IP address with bad reverse DNS, probably part of vtr.net.

Clearly this is the week of phish spam.

Somewhat to my surprise the prolific sending boxes are not Windows machines; they all seem to be running Sendmail or Postfix, likely on Unix. I'm disappointed that so many Unix boxes seem to be getting hijacked by the phish spammers. (All of these machines got rejected with _MAIL FROM_s that were clearly set by the spammers to look more authentic, so I don't think this is just the usual case of a 'send mail to people' CGI-BIN getting abused.)

Connection time rejection stats:

  46264 total
  21356 bad or no reverse DNS
  21158 dynamic IP
   2284 class bl-cbl
    255 class bl-dsbl
    203 class bl-sdul
     67 class bl-njabl
     44 class bl-spews
     31 class bl-ordb
     29 class bl-sbl

The usual suspects are up substantially from [[last week]]. This week was also the week of *really* aggressive connection attempts; three IP addresses were rejected more than a thousand times. The top five are:

  1713 200.83.2.213
  1162 218.254.83.47
  1161 218.254.82.97
   433 211.144.69.247
   172 61.247.78.210

Of the 30 most rejected IP addresses, 29 were rejected more than 100 times. 25 are currently in the CBL, 14 are currently in _bl.spamcop.net_, and 211.144.69.247 is in [[SBL42856 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL42856]] as being under the control of the ROKSO-listed [[Mailtrain http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=MailTrain]] (it's also in the CBL, so it's probably a compromised machine).

Hotmail's numbers for this week:

* 2 messages accepted.
* 4 messages rejected because they came from non-Hotmail email addresses (all from other Hotmail properties).
* 10 messages sent to our spamtraps.
* 1 message refused because its sender address had already hit our spamtraps.
* 1 message refused due to its origin IP address being in the SBL (196.3.62.3, in *two* SBL listings: [[SBL31791 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL31791]] and [[SBL35001 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL35001]], both of which date from late 2005, both of which are listed for advance fee fraud spam *sent through Hotmail*).

These numbers are a disappointment, although they're not catastrophic. I am particularly irked by Hotmail's willingness to continue to accept email from places that have spammed through it before.

And the final set of numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad _HELO_s | 375 | 54 | 727 | 47 |
| Bad bounces | 25 | 13 | 34 | 18 |

We had two bounces to the 38-character hex string from [[before SpamSummary-2006-05-06]], but also another bounce to a new 38-character hex string, _8B407639D45C5742ADD3987F7E013C41288C3A_ (which I am about to become the only Google hit for, just like with the other one). The most prolific bad bounce destination this week was _noreply_, followed by a bunch of old usernames, some garbage alphanumeric sequences, and one bounce to an all-digit username.