== Weekly spam summary on August 12th, 2006

This week, we:

* got 12,152 messages from 212 different IP addresses.
* handled 16,255 sessions from 790 different IP addresses.
* received 124,287 connections from at least 41,964 different IP addresses.
* hit a highwater of 6 connections being checked at once.

This is down from [[last week SpamSummary-2006-08-05]]. I don't expect it to stay that way, although I can hope that spammers take August vacations too. Speaking of vacations, the per day table is interesting this week:

| Day | Connections | different IPs
| Sunday | 20,728 | +7,446
| Monday | 22,408 | +7,310
| Tuesday | 20,438 | +6,516
| Wednesday | 18,853 | +6,445
| Thursday | 17,164 | +5,448
| Friday | 15,252 | +5,560
| Saturday | 9,444 | +3,239

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  204.200.222.245       10466    516K
  213.4.149.12           8151    424K
  204.200.195.72         7544    372K
  210.245.60.162         7294    322K
  217.224.0.0/13         3555    171K
  62.212.90.203          3374    167K
  200.46.151.14          3193    149K
  61.128.0.0/10          3079    154K
  80.128.0.0/12          3037    154K
  195.39.69.48           2688    161K

Although the high is lower, overall this is up from [[last week]].

* 204.200.222.245 and 204.200.195.72 got blocked for hammering on us with stuff that had already hit spamtraps, probably phish spam.
* 213.4.149.12 (bad _HELO_), 210.245.60.162 (bad reverse DNS), and 62.212.90.203 (bad reverse DNS) return from [[last week]].
* 200.46.151.14 is an IP address in Panama without reverse DNS.

Connection time rejection stats:

  31230 total
  13988 bad or no reverse DNS
  13858 dynamic IP
   2242 class bl-cbl
    204 class bl-njabl
    147 class bl-sbl
    141 class bl-sdul
     95 class bl-dsbl
     77 class bl-ordb
     18 class bl-spews

I am starting to get curious about why the [[NJABL http://www.njabl.org/]] is such a consistent good performer for us. (Admittedly it is not by much compared to the CBL, but still.)

Only three out of the top 30 most rejected IP addresses were refused more than 100 times this week; the winner is 69.244.42.28 (135 rejections, a Comcast cablemodem that is on a lot of DNSbls). 24 of the top 30 are currently in the CBL, 8 are currently in _bl.spamcop.net_, and one is in the SBL.

The one in the SBL appears to be a genuine spammer: 208.32.133.155, 'Cutting Edge Media', [[SBL45150 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL45150]] (which lists the entire /24). It provided 61 of the SBL hits this week; the big other contributors are 194.165.130.93 (22 hits, [[SBL43698 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL43698]], caught scanning for vulnerable webforms that spammers exploit), 194.85.87.50 (13 hits, [[SBL41338 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL41338]], spam source), and 208.32.133.156 (11 hits, also Cutting Edge Media and [[SBL45150]]).

Hotmail slid right downhill this week:

* 1 message accepted, and it was almost certainly spam.
* 8 messages rejected because they came from non-Hotmail email addresses.
* 15 messages sent to our spamtraps.
* 4 messages refused because their sender addresses had already hit our spamtraps.
* 2 messages refused due to their origin IP address (one for being [[SBL42606 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL42606]], and 196.207.1.214 for being in the CBL (among other problems)).

I'm not impressed.

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 301 | 44 | 474 | 42
| Bad bounces | 25 | 23 | 28 | 25

And another week closes without any bounces trying to go to those mysterious 38-character hex strings.