== Weekly spam summary on September 16th, 2006

The SMTP frontend keeled over and was restarted around 6am on Tuesday morning, so some of the statistics are from then. Given that, this week we:

* got 15,257 messages from 210 different IP addresses.
* handled 17,165 sessions from 837 different IP addresses.
* received 101,830 connections from at least 26,869 different IP addresses since Tuesday at 6am.
* hit a highwater of 7 connections being checked at once since Tuesday at 6am.

It looks like the total connection count for this week is about 140,000 or so, which would make the total volume slightly down from [[last week SpamSummary-2006-09-09]]. The per day stats don't make for a useful table, but look about flat.

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  213.4.149.12          45463   2364K
  82.195.157.47         10886    653K
  209.172.38.189         6575    395K
  82.58.96.64            5616    337K
  195.34.34.232          5221    261K
  218.0.0.0/11           4451    217K
  61.128.0.0/10          3223    163K
  193.70.192.0/24        2664    120K
  216.138.229.192        2385    124K
  207.245.12.2           2262    109K

Apart from the one major outlier, the volume here is pretty similar to [[last week]].

* 213.4.149.12, mailhost.terra.es, _HELO_'ing as the nonexistent and nonsensical hostname 'ctsmtpout1.frontal.correo', reappears from [[last week]] in a huge way. It has now earned a place in our permanent blocks.
* 82.195.157.47 and 207.245.12.2 also got blocked for repeated bad _HELO_ greetings.
* 209.172.38.189 was blocked because it kept trying to send us stuff that had hit our spamtraps, in particular email with a _MAIL FROM_ pointing to the domain 'opinionplus.ca'.
* 82.58.96.64 was blocked for being in the CBL, but an inspection of its hostname shows that it's a dynamic telecomitalia.it address (and is listed in _dialups.visi.com_, a DNSbl I may need to consider using).
* 195.34.34.232 and 216.138.229.192 were also blocked for hitting spamtraps and keeping on sending.
The presence of 195.34.34.232 is especially impressive because it only started hitting us yesterday (Friday).

Connection time rejection stats:

  27768 total
  13469 dynamic IP
  11422 bad or no reverse DNS
   1403 class bl-cbl
    395 class bl-dsbl
    221 class bl-sdul
    192 class bl-njabl
    146 class bl-sbl
    145 class bl-ordb
     34 class bl-spews

Five out of the top 30 most rejected IP addresses were rejected 100 times or more, with this week's champion being 64.166.14.222 (417 times, rejected for being a PacBell ADSL line). 19 of the top 30 are currently in the CBL, 8 are currently in _bl.spamcop.net_, and one, our friend 208.32.133.156 from Cutting Edge Media, is in [[SBL45150 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL45150]]. This ongoing persistence from Cutting Edge Media has now earned them a permanent personal block. (I'm tempted to make it a kernel level block, but I'm refraining for now.)

The Hotmail stats got worse from [[last week]]:

* 4 messages accepted, at least one of which was legitimate.
* 2 messages rejected because they came from non-Hotmail email addresses, both times from msn.com users.
* 40 messages sent to our spamtraps.
* 2 messages refused because their sender addresses had already hit our spamtraps.
* 1 message refused due to its origin IP address being in [[SBL27471 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL27471]].

I remain unimpressed with Hotmail, not that this is exactly news.

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 264 | 42 | 593 | 80
| Bad bounces | 57 | 51 | 101 | 91

My biggest reaction is that this is a pleasant decline from [[last week]], although I'm not going to hold my breath for the trend to continue.

Bounces to 38-character hex string login names have gone back into hiding, to my vague regret; one treasures even one's head-scratching peculiar spam mysteries.