== Weekly spam summary on July 15th, 2006

This week, we:

* got 12,289 messages from 220 different IP addresses.
* handled 18,265 sessions from 954 different IP addresses.
* received 143,889 connections from at least 48,413 different IP addresses.
* hit a highwater of 14 connections being checked at once.

Session volume is up slightly from [[last week SpamSummary-2006-07-08]], but everything else is down. The per day table is relatively boring, so I'm omitting it this week.

Kernel level packet filtering top *eleven*:

  Host/Mask           Packets   Bytes
  209.216.205.162       16293    717K
  210.245.161.90        12190    731K
  218.0.0.0/11           7848    383K
  213.4.149.12           7830    407K
  61.128.0.0/10          4919    257K
  212.216.176.0/24       4779    244K
  195.39.69.48           4509    271K
  62.149.158.91          4142    249K
  220.160.0.0/11         3573    176K
  66.193.15.20           3119    187K
  218.254.82.97          3111    149K

The bottom of the top eleven is about the same volume as [[last week]], but the top end is much higher.

* 209.216.205.162 kept trying to send email from an email address that had hit a spamtrap.
* 210.245.161.90 is a Hong Kong IP address with no reverse DNS, and is also in the CBL.
* 213.4.149.12 returns from [[last week]], still with a bad _HELO_.
* 195.39.69.48 is a Czech IP address with no reverse DNS (and is in _spam.dnsbl.sorbs.net_).
* 62.149.158.91 is an aruba.it webmail machine; we now refuse all of them after too much spam from aruba.it.
* 66.193.15.20 kept trying to send email from an email address that had already hit a spamtrap, in this case '_women@city.localevents.com_'.
* our old friend 218.254.82.97 from [[last week]] and before is at #11, just barely failing to make the top ten list, but I included it anyways.

I'm not too happy with 'city.localevents.com', as this is the second time they've hit our spamtraps with something (both times from 66.193.15.20). They may get banned entirely if this happens again.

Connection time rejection stats:

  40160 total
  18979 dynamic IP
  16601 bad or no reverse DNS
   2767 class bl-cbl
    520 class bl-njabl
    172 class bl-ordb
    152 class bl-dsbl
    133 class bl-sbl
    127 class bl-sdul
     40 class bl-spews

The top three are down significantly from [[last week]], but the other numbers haven't budged much (the CBL rejections are even up slightly).

Eighteen of the top 30 most rejected IP addresses were rejected more than 100 times, with 84.229.4.87 the winner at 307 rejections. 203.197.246.51 (245 rejections) and 82.232.29.56 (222 rejections) collect second and third place. 20 of the top 30 are currently in the CBL and 5 are currently in _bl.spamcop.net_.

Hotmail had a so-so week:

* 1 message accepted.
* 2 messages rejected because they came from non-Hotmail email addresses.
* 10 messages sent to our spamtraps.
* no messages refused because their sender addresses had already hit our spamtraps.
* no messages refused due to their origin IP address.

As with [[last week]], Hotmail continues to have spammers but they keep mailing our spamtraps instead of our real users. I suppose this is better than the alternative, and I have to admit that the volume stats are down a *lot* from the [[heights of the problem SpammerRoundupI]].

And the closing numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 1422 | 70 | 608 | 56
| Bad bounces | 127 | 108 | 88 | 62

Leading contributors to the bad _HELO_s are 209.97.195.183 (356 rejections), 212.122.235.35 (172), 62.42.227.11 (89), and 212.150.140.50 (83), but there's no really big point source for the big _HELO_ jump.

Bad bounces went to a lot of usernames this week, most of them clearly made up by spammers (mostly in a pattern of letters with a few digits at the end). But the leading username for bounces was '_books_' (12 times), there were some bounces to long since dead accounts, one bounce to '_35_', and two bounces to one of the 38-character hex strings and one bounce to another one.

Those hex strings really make me wonder. Oh well, spammers are peculiar.