== Weekly spam summary on July 22nd, 2006

We rebooted this server Monday around 6:50pm, so a number of the stats
are truncated this week. Having said that, this week, we:

* got 11,369 messages from 257 different IP addresses.
* handled 15,931 sessions from 851 different IP addresses.
* received 87,698 connections from at least 31,657 different IP
  addresses since Monday evening.
* hit a highwater of 6 connections being checked at once since
  Monday evening.

It appears as if this week's connection volume is down significantly
from [[last week SpamSummary-2006-07-15]]. I have no particularly good
explanation why, but I like it.

Kernel level packet filtering top ten since Monday evening:

 Host/Mask           Packets   Bytes
 213.4.149.12           9132    475K
 81.88.225.210          7796    428K
 218.0.0.0/11           6990    340K
 212.216.176.0/24       4960    248K
 210.54.141.0/24        4303    207K
 61.128.0.0/10          3196    168K
 129.206.210.211        2969    129K
 72.244.103.210         2488    116K
 128.121.94.189         2318    114K
 204.181.35.187         2145    109K

* 213.4.149.12 returns from [[last week]].
* 81.88.225.210 is mailupnet.it aka mailup.info aka people we have no
  interest in ever accepting email from again.
* 129.206.210.211 and 128.121.94.189 both hit our spamtraps and kept
  on sending, likely with phish spam in both cases.
* 72.244.103.210 is something we consider a covad.net 'dialup' machine.
* 204.181.35.187 is on the NJABL.

Connection time rejection stats, from Monday evening:

   27275 total
   11820 dynamic IP
   11820 bad or no reverse DNS
    1696 class bl-cbl
     591 mailup.info
     243 class bl-njabl
     207 dartmail.net
     118 class bl-sdul
     108 class bl-dsbl
      92 class bl-sbl
      58 class bl-spews
      42 class bl-ordb

Five of the top 30 most rejected IP addresses were rejected more than
100 times; the winner is 81.88.225.210, rejected 591 times. 13 of the
top 30 are currently in the CBL, six are currently in _bl.spamcop.net_,
and one, 213.154.94.190, is in the SBL as part of [[SBL21129
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL21129]]. It's an advance
fee fraud spam source, of course.

Hotmail is backsliding. This week, it had:

* no messages accepted.
* 2 messages rejected because they came from non-Hotmail email
  addresses.
* 14 messages sent to our spamtraps.
* no messages refused because their sender addresses had already hit
  our spamtraps.
* 3 messages refused due to their origin IP address being in the SBL.
  All three came from 66.178.40.27, in [[SBL27471
  http://www.spamhaus.org/SBL/sbl.lasso?query=SBL27471]], which has
  been listed since February 7th. Worse, the SBL page shows evidence
  of spam through Hotmail as far back as September 10th 2005.

I especially displeased by the 'rejected for being in the SBL'
messages.

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 307 | 45 | 1422 | 70
| Bad bounces | 38 | 34 | 127 | 108

I'm pleased to see this drop; evidently [[last week]] was just
exceptional.

For the first time in a while, none of the various 38-character hex
strings got any bounces. Instead, everything went to all of the other
usual suspects.

(I am short on sleep, so this summary is more uninspired than usual.)