== Weekly spam summary on October 7th, 2006

This week, we:

* got 15,275 messages from 261 different IP addresses.
* handled 21,183 sessions from 1,301 different IP addresses.
* received 172,030 connections from at least 42,834 different IP addresses.
* hit a highwater of 18 connections being checked at once.

Volume is up somewhat from [[last week SpamSummary-2006-09-30]], but not hugely. The per day volume level fluctuates significantly:

| Day | Connections | different IPs
| Sunday | 21,990 | +6,449
| Monday | 22,389 | +5,870
| Tuesday | 29,916 | +7,132
| Wednesday | 28,204 | +6,269
| Thursday | 25,631 | +5,934
| Friday | 23,374 | +5,615
| Saturday | 20,526 | +5,565

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  213.4.149.12          58339   3034K
  82.236.238.29          7377    375K
  218.0.0.0/11           6280    304K
  193.252.22.158         5769    346K
  200.30.74.150          4989    282K
  203.57.78.9            4762    242K
  194.105.193.50         3663    181K
  200.195.95.185         3200    176K
  61.128.0.0/10          3154    176K
  80.51.32.242           2901    174K

The overall numbers are up somewhat from [[last week]].

* 213.4.149.12, 193.252.22.158, and 80.51.32.242 return from [[last week]], with terra.es continuing to totally, totally own first place.
* 82.236.238.29 is a proxad.net dialup.
* 203.57.78.9 is listed in [[NJABL http://www.njabl.org/]]; it appears to be yet another webmail advance fee fraud spam source.
* 194.105.193.50 is a leivo.ru machine, and we've decided not to talk to them any more because they're a source of annoying backscatter.
* 200.195.95.185 is currently in the CBL.

Connection time rejection stats:

  35477 total
  17818 dynamic IP
  14475 bad or no reverse DNS
   1712 class bl-cbl
    262 class bl-dsbl
    217 class bl-sdul
    205 class bl-njabl
     80 class bl-spews
     47 class bl-ordb
     39 class bl-sbl

This week marks the first week that Cutting Edge Media has left us alone. If it keeps up, I may hold a modest celebration.

One out of the top 30 most rejected IP addresses was rejected more than 100 times: 71.79.5.224, a RoadRunner cablemodem, at 184 times (it is also in the CBL). 23 of the top 30 most rejected IP addresses are currently in the CBL and 6 are currently in _bl.spamcop.net_.

Because I can, I'll do a table of the top SBL rejections:

| 14 | [[SBL29986|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL29986]] | RTComm.RU /15 escalation listing
| 8 | [[SBL41338|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL41338]] | Advance fee fraud spam source
| 7 | [[SBL47129|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL47129]] | Phish spam source
| 3 | [[SBL30022|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL30022]] | RTComm.RU /16 escalation listing

I'd say I'm detecting a trend here, but it's not anything new, so I'm more confirming it.

This week, Hotmail brought to us:

* 4 messages accepted, at least two of which were spam (again coming from what is probably a tm.net.my ADSL line; I guess I'll add them to the banned sources list).
* no messages rejected because they came from non-Hotmail email addresses.
* 27 messages sent to our spamtraps.
* no messages refused because their sender addresses had already hit our spamtraps.
* 2 messages refused due to their origin IP address (one for being in [[SBL33810 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL33810]] and the other for being from the Cote d'Ivoire).

I can't say I'm very happy about the continued spam from the Hotmail plus tm.net.my combination (they did it [[last week]] too). But then I'm usually not very happy with Hotmail in general.

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 1532 | 118 | 718 | 66
| Bad bounces | 358 | 317 | 127 | 88

Colour me displeased with the increase. No particular source of bad _HELO_s stands out; there were just more of them (although the average number of bad _HELO_s per IP address went up).

On the bad bounces, [[last week]]'s pattern pretty much repeats, mixed in with the random alphanumeric usernames from earlier weeks. This time I looked at the sources of the bounces; it seems that most of the Russian female name bounces are coming from the Eastern Europe area. There was one bounce to _3E4B_.