== Weekly spam summary on September 2nd, 2006

Our SMTP frontend survived all this week without problems, which was something of an accomplishment this week. Because this week, we:

* got 13,546 messages from 227 different IP addresses.
* handled 19,984 sessions from 1,283 different IP addresses.
* received ~~1,419,542~~ connections from at least 52,806 different IP addresses.
* hit a highwater of 9 connections being checked at once.

Yes, that is not a typo; this week we had a *lot* of SMTP connections, although none of the other numbers are up much compared to [[last week SpamSummary-2006-08-26]]. It's not a continuation of the spam storm from last Saturday either, as the per-day numbers show:

| Day       | Connections | different IPs
| Sunday    |  20,593     | +7,285
| Monday    |  23,676     | +7,944
| Tuesday   |  28,816     | +9,029
| Wednesday | 252,349     | +7,809
| Thursday  | 712,787     | +8,161
| Friday    | 364,505     | +7,540
| Saturday  |  16,816     | +5,038

Kernel level packet filtering top ten:

  Host/Mask          Packets  Bytes
  213.4.149.12         10704   557K
  216.64.54.146         4490   216K
  61.128.0.0/10         3609   190K
  218.0.0.0/11          2976   145K
  204.13.82.45          2405   144K
  212.216.176.0/24      2367   119K
  219.128.0.0/12        2330   116K
  217.224.0.0/13        2226   107K
  66.112.87.66          2215   106K
  212.175.13.129        2114   127K

The overall volume is down from last week, with only one entry really sticking out.

* 213.4.149.12 returns from [[last week]] and many prior weeks.
* 216.64.54.146, 66.112.87.66, and 212.175.13.129 had bad _HELO_ greetings.
* 204.13.82.45 is '_mailout45.inetekk.com_'. We have had prior dealings with inetekk that make us disinclined to ever accept email from them again.

Connection time rejection stats:

  38665 total
  18228 dynamic IP
  15060 bad or no reverse DNS
   2176 class bl-cbl
   1381 class bl-sbl
    547 class bl-dsbl
    280 class bl-njabl
    251 class bl-sdul
    159 class bl-spews
     84 class bl-ordb

Oddly, despite the huge connection volume there is no real growth in these stats compared to [[last week]]. I don't have any explanation for this.
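The connection-time rejection classes above (dynamic IP, bad or no reverse DNS, and the various DNSBL classes) are the outcome of a small set of checks run before any SMTP command is accepted. The following is an added example, not the frontend's own code, showing how such a classifier produces a per-class tally of the kind the summary reports. The check order, the dynamic-address heuristic, the label-to-zone mapping and the `FakeDNS` stand-in for real resolution are all assumptions made here so the code runs offline; the sample addresses are constructed from the 192.0.2.0/24 documentation range.

```python
"""Connection-time rejection classifier producing a per-class tally
(dynamic IP, bad or no reverse DNS, bl-cbl, bl-sbl, ...).
Added example, not the SMTP frontend's own code."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed mapping from the summary's class labels to DNSBL zones, checked
# in this order (the real frontend's order and zone list are not on the page).
DNSBL_ZONES = [
    ("bl-cbl", "cbl.abuseat.org"),
    ("bl-sbl", "sbl.spamhaus.org"),
    ("bl-dsbl", "list.dsbl.org"),
    ("bl-njabl", "dnsbl.njabl.org"),
]
LISTED = ipaddress.IPv4Network("127.0.0.0/8")   # DNSBL "listed" answers live here

# Assumed heuristic for dynamic/dialup addresses: a provider keyword in the
# reverse DNS name, or most of the address octets embedded in it.
DYNAMIC_KEYWORDS = re.compile(
    r"\b(dsl|adsl|dyn|dynamic|dhcp|ppp|cable|pool|dial)\b", re.I)


@dataclass
class FakeDNS:
    """Stand-in for real DNS so the example runs offline (constructed data)."""
    ptr: Dict[str, Optional[str]]   # ip -> reverse DNS name, None if there is none
    a: Dict[str, List[str]]         # name -> A records

    def lookup_ptr(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def lookup_a(self, name: str) -> List[str]:
        return self.a.get(name, [])


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def looks_dynamic(ptr_name: str, ip: str) -> bool:
    if DYNAMIC_KEYWORDS.search(ptr_name):
        return True
    tokens = re.split(r"[.\-_]", ptr_name)
    return sum(octet in tokens for octet in ip.split(".")) >= 3


def classify(ip: str, dns: FakeDNS) -> Optional[str]:
    """Return the rejection class for a connecting IP, or None to let it through."""
    ptr = dns.lookup_ptr(ip)
    if ptr is None:
        return "bad or no reverse DNS"
    if looks_dynamic(ptr, ip):
        return "dynamic IP"
    if ip not in dns.lookup_a(ptr):          # forward-confirmed reverse DNS failed
        return "bad or no reverse DNS"
    for label, zone in DNSBL_ZONES:
        answers = dns.lookup_a(dnsbl_query_name(ip, zone))
        if any(ipaddress.IPv4Address(a) in LISTED for a in answers):
            return label
    return None


def tally(connections: List[str], dns: FakeDNS) -> Counter:
    """Count rejections per class, plus a 'total' like the summary's first line."""
    counts: Counter = Counter()
    for ip in connections:
        reason = classify(ip, dns)
        if reason is not None:
            counts[reason] += 1
            counts["total"] += 1
    return counts


# Constructed sample data (documentation addresses, not real senders).
SAMPLE_DNS = FakeDNS(
    ptr={
        "192.0.2.10": "mail.example.org",
        "192.0.2.20": None,                              # no reverse DNS at all
        "192.0.2.30": "pool-192-0-2-30.dsl.example.net", # looks like a DSL pool
        "192.0.2.40": "mx.example.com",
        "192.0.2.50": "relay.example.net",
        "192.0.2.60": "host60.example.net",
    },
    a={
        "mail.example.org": ["192.0.2.10"],
        "mx.example.com": ["192.0.2.99"],                # PTR does not point back
        "relay.example.net": ["192.0.2.50"],
        "host60.example.net": ["192.0.2.60"],
        "50.2.0.192.cbl.abuseat.org": ["127.0.0.2"],     # listed in the CBL
        "60.2.0.192.sbl.spamhaus.org": ["127.0.0.2"],    # listed in the SBL
    },
)
SAMPLE_CONNECTIONS = ["192.0.2.10", "192.0.2.20", "192.0.2.20", "192.0.2.30",
                      "192.0.2.40", "192.0.2.50", "192.0.2.60"]

if __name__ == "__main__":
    for key, n in tally(SAMPLE_CONNECTIONS, SAMPLE_DNS).most_common():
        print(f"{n:6d} {key}")
```

Each connection is counted under the first check that fails, so a host that is both on a dynamic pool and in the CBL shows up only under "dynamic IP"; that is one reason a DNSBL class can stay flat week to week even when connection volume jumps, as the summary notes.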
Six of the top 30 most rejected IP addresses were rejected 100 times or more, with the leader being 200.216.54.234 (197 times, rejected for having no reverse DNS). 15 of the top 30 are currently in the CBL, six are currently in _bl.spamcop.net_, and two are in the SBL. Somewhat to my surprise, only one of those two is our non-friends at Cutting Edge Media (this week reporting in from 208.32.133.155). The other is 213.154.92.143, which is part of [[SBL21128 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL21128]], a /23 listing that is (to quote the listing) '419 scam sources in Senegal'. For extra displeasure, this listing was created November 14th, ~~2004~~.

Hotmail's stats this week are an improvement over [[last week]]:

* 1 message accepted.
* 1 message rejected because it came from a non-Hotmail email address; it was pretty certain to have been advance fee fraud spam.
* 25 messages sent to our spamtraps.
* 2 messages refused because their sender addresses had already hit our spamtraps.
* 2 messages refused due to their origin IP address (one for being in the CBL, one for being from Cote d'Ivoire).

And the final numbers:

| what        | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 2258        | 140            | 1557        | 110
| Bad bounces | 263         | 233            | 323         | 285

There were four people who sent 100 or more bad _HELO_s before being blocked, but the volume seems fairly evenly distributed; there is no single runaway source. The most popular bad username to send stuff to continues to be '_noreply_', which perhaps shouldn't be surprising. In aggregate, the most popular bounce destination is random alphabetic strings, each one used only one time.