== Weekly spam summary on September 30th, 2006

This week, we:
* got 15,751 messages from 307 different IP addresses.
* handled 19,911 sessions from 1,047 different IP addresses.
* received 154,477 connections from at least 38,870 different IP addresses.
* hit a highwater of 9 connections being checked at once.

This is all about the same level as [[last week SpamSummary-2006-09-23]], or at most down a little bit. Oddly, we show a bit of a volume jump towards the end of the week:

| Day | Connections | different IPs
| Sunday | 18,432 | +4,543
| Monday | 23,737 | +5,895
| Tuesday | 21,888 | +5,077
| Wednesday | 21,793 | +5,414
| Thursday | 24,042 | +6,914
| Friday | 25,216 | +6,556
| Saturday | 19,369 | +4,471

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  213.4.149.12          56881   2958K
  212.130.19.148         6818    347K
  193.252.22.158         4744    285K
  195.130.132.54         3380    203K
  213.129.201.64         3189    153K
  86.7.241.201           3188    153K
  80.51.32.242           3132    188K
  194.165.146.156        2988    143K
  218.0.0.0/11           2897    141K
  213.180.130.35         2742    165K

Apart from first place, this is about the same sort of volume as [[last week]].

* 213.4.149.12 continues its stranglehold on first place from [[last week]].
* 212.130.19.148, 193.252.22.158, and 80.51.32.242 also return from [[last week]].
* 195.130.132.54 did the now-usual thing of trying to keep sending us stuff that had already hit our spamtraps.
* 213.129.201.64 reappears from [[August SpamSummary-2006-08-05]], still with a bad _HELO_ greeting.
* 86.7.241.201 is an NTL cablemodem.
* 194.165.146.156 is a 'Wanadoo Jordan' IP address with no reverse DNS (and also is in relays.ordb.org).
* 213.180.130.35 is a poczta.onet.pl machine, and we don't talk to them.

Connection time rejection stats:

  34465 total
  17779 dynamic IP
  13422 bad or no reverse DNS
   1868 class bl-cbl
    403 class bl-dsbl
    215 class bl-sdul
    153 class bl-njabl
    130 class bl-spews
     45 class bl-ordb
     23 cuttingedgemedia.com
     16 class bl-sbl

Twelve out of the top 30 most rejected IP addresses were rejected 100 times or more, with the champion being 72.66.49.214 (196 times, for being a Verizon dynamic IP). 18 of the top 30 are currently in the CBL, and 9 are currently in _bl.spamcop.net_; this week, none are in the SBL.

This week's Hotmail stats are reasonably good:

* 9 messages accepted.
* no messages rejected because they came from non-Hotmail email addresses.
* 28 messages sent to our spamtraps.
* no messages refused because their sender addresses had already hit our spamtraps.
* no messages refused due to their origin IP address.

Seven of the accepted messages were legitimate, but the remaining two were advance fee fraud spam (sent from 219.95.240.138, a Malaysian IP address that's probably a tm.net.my ADSL line).

(The high number of actual messages is due to the usual cause: a student-facing system had a glitch and students promptly mailed in to tell people about it.)

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 718 | 66 | 495 | 60
| Bad bounces | 127 | 88 | 60 | 52

I'm not really happy to see these numbers climbing, but at least they're not really bad; it's still at the drip drip level, instead of a flood. There are no particularly big spike sources of either, although the largest single source of bounces appears to have been a spammer trying a new trick to get their messages through.

The bounces were all over, including bounces to _E7D6_ and _3E4B_ like [[last week]], but the majority were to made-up usernames of the form [[_|]], where the first and last names looked like randomly chosen female-sounding Russian names; a representative example is '[[violetta_mironova|]]'.