== Weekly spam summary on September 9th, 2006

This week, we:

* got 15,100 messages from 230 different IP addresses.
* handled 18,312 sessions from 982 different IP addresses.
* received 156,592 connections from at least 49,202 different IP addresses.
* hit a highwater of 36 connections being checked at once, set on Saturday (today).

Message volume is up from [[last week SpamSummary-2006-09-02]], but I'm not too surprised; this is the start of classes and thus the time when all sorts of things come out of the woodwork and need to be emailed about.

The per-day breakdown:

| Day | Connections | different IPs
| Sunday | 20,556 | +7,236
| Monday | 24,913 | +8,452
| Tuesday | 24,521 | +7,693
| Wednesday | 25,250 | +7,693
| Thursday | 22,355 | +6,929
| Friday | 21,720 | +6,690
| Saturday | 17,277 | +4,509

I suppose I shouldn't be surprised that the whatever-it-is traffic didn't take Labour Day off.

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  213.4.149.12          18567    965K
  193.70.192.0/24       11572    522K
  218.0.0.0/11           4542    221K
  61.128.0.0/10          3442    173K
  209.94.172.156         2723    145K
  195.39.69.48           2670    160K
  200.254.87.131         2669    128K
  63.204.205.50          2008    120K
  221.6.101.22           1972    118K
  212.175.13.129         1957    117K

Overall volume is both up (at the high end) and down (at the low end) from [[last week]].

* 213.4.149.12 and 212.175.13.129 both return from [[last week]], still with bad _HELO_ greetings.
* 209.94.172.156 kept trying to send spam after tripping our traps.
* 195.39.69.48 returns from [[August SpamSummary-2006-08-12]], blocked due to having no reverse DNS.
* 200.254.87.131 and 221.6.101.22 also have no reverse DNS.
* 63.204.205.50 is a _frys.com_ machine. Although I suspect that it is trying to send us a backscatter bounce, it got blocked due to the behavior exhibited [[here http://groups.google.com/group/news.admin.net-abuse.email/msg/5b847cee93c6f498]].

Connection time rejection stats:

  33545 total
  16606 dynamic IP
  13517 bad or no reverse DNS
   2131 class bl-cbl
    249 class bl-njabl
    185 class bl-sbl
    166 class bl-dsbl
    131 class bl-sdul
     75 class bl-ordb
     46 class bl-spews

I have more or less given up peering into my crystal ball about the week to week connection time rejection stats unless something big changes. (Ironically, I missed the big change [[last week]], which was the jump in the SBL's rejection rate to just behind the CBL.)

Seven of the top 30 most rejected IP addresses were rejected 100 times or more, with the champion being 200.254.87.131 (215 times), with 87.6.134.240 (210 times, an Interbusiness IP address that is also on the CBL et al). 22 of the top 30 most rejected IP addresses are currently in the CBL, 8 are currently in _bl.spamcop.net_, and 2 are currently in the SBL; both are 'Cutting Edge Media' IP addresses. Apparently those people just don't give up.

Hotmail stats this week are a bit better than [[last week]], but worse on a personal level:

* 2 messages accepted, both spam sent to me.
* No messages rejected because they came from non-Hotmail email addresses.
* 21 messages sent to our spamtraps.
* 2 messages refused because their sender addresses had already hit our spamtraps.
* No messages refused due to their origin IP address.

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 593 | 80 | 2258 | 140
| Bad bounces | 101 | 91 | 263 | 233

Apart from the welcome reduction in these numbers, this week is pretty much the same as [[last week]]. The bad bounces did see the return of [[one SpamSummary-2006-07-08]] of the 38-character hex digit login names as a destination, which makes me obscurely happy, much like [[Ursula Vernon spotting a botfly-infected squirrel http://ursulav.livejournal.com/523907.html]].