== Weekly spam summary on October 14, 2006

This week, we:

* got 13,890 messages from 262 different IP addresses.
* handled 18,923 sessions from 1,185 different IP addresses.
* received 187,506 connections from at least 50,091 different IP
  addresses.
* hit a highwater of 22 connections being checked at once.

Connection volume is up again from [[last week SpamSummary-2006-10-07]],
but everything else is down. Things fluctuated over the week:

| Day             | Connections     | different IPs       
| Sunday          | 24,385          | +6,671              
| Monday          | 31,929          | +8,310              
| Tuesday         | 32,554          | +9,304              
| Wednesday       | 27,740          | +8,344              
| Thursday        | 22,182          | +5,557              
| Friday          | 26,631          | +6,431              
| Saturday        | 22,085          | +5,474

Kernel level packet filtering top ten:

 Host/Mask           Packets   Bytes
 213.4.149.12          62524   3251K
 193.70.192.0/24        6103    275K
 219.128.0.0/12         4367    213K
 61.128.0.0/10          4270    230K
 72.244.103.210         3993    187K
 207.218.78.123         3562    178K
 212.51.32.187          2965    130K
 212.216.176.0/24       2841    144K
 84.160.0.0/11          2813    139K
 199.34.64.220          2478    149K

The overall numbers are down from [[last week]], especially for
single IP addresses.

* 213.4.149.12 returns from [[last week]].
* 72.244.103.210 returns from [[August SpamSummary-2006-08-19]], still
  a covad.net 'dialup'.
* 207.218.78.123 is on the NJABL.
* 212.51.32.187 is a mundo-r.com outgoing SMTP gateway; they tried to
  send us a bunch of advance fee fraud spam this week.
* 199.34.64.220 tried to send us a bunch of phish spam that had already
  hit our spamtraps.

Connection time rejection stats:

   42288 total
   19382 dynamic IP
   19198 bad or no reverse DNS
    2078 class bl-cbl
     396 class bl-dsbl
     255 class bl-sdul
     135 class bl-njabl
     117 class bl-spews
     110 cuttingedgemedia.com
      37 class bl-sbl
      19 class bl-ordb

Three out of the top 30 most rejected IP addresses were rejected 100
times or more, with the leader being 124.120.103.16 (136 times).
23 of the top 30 are currently in the CBL, 10 are currently in
_bl.spamcop.net_, and one, 208.32.133.155, is part of [[SBL45150
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL45150]], the Cutting Edge
Media SBL listing.

So much for them going away, evidently.

This week, Hotmail gave to us:

* no messages accepted.
* no messages rejected because they came from non-Hotmail email
  addresses.
* 27 messages sent to our spamtraps.
* 7 messages refused because their sender addresses had already hit
  our spamtraps.
* no messages refused due to their origin IP address

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 640 | 68 | 1532 | 118
| Bad bounces | 172 | 140 | 358 | 317

The champion source of bad _HELO_ names is 216.229.190.42 (126
times), followed by 69.27.248.94 (75 times). Many of the bad
bounces continue to come from Eastern Europe, and the pattern
of bad usernames being mostly Slavic female names continues.
We did have one bounce to _3E4B_, from the same IP address as
last week's (83.110.221.99).