== Weekly spam summary on October 28th, 2006

This week, we:

* got 14,982 messages from 288 different IP addresses.
* handled 21,920 sessions from 1,294 different IP addresses.
* received 193,231 connections from at least 46,305 different IP addresses.
* hit a highwater of 11 connections being checked at once.

This is pretty much the same as [[last week SpamSummary-2006-10-21]]. On a global scale it is up from what I consider an acceptably quiet level, but [[looking back a year SpamSummary-2005-10-29]] it seems to be about the same as this time last year. (It's a peculiar feeling to be reminded that I've been doing these weekly spam summaries for well over a year now.)

| Day | Connections | different IPs |
| Sunday | 28,770 | +7,102 |
| Monday | 28,790 | +7,501 |
| Tuesday | 28,965 | +7,305 |
| Wednesday | 26,112 | +6,170 |
| Thursday | 30,102 | +7,019 |
| Friday | 29,286 | +6,201 |
| Saturday | 21,206 | +5,007 |

The per day table is relatively straightforward, although there is a dip on Wednesday. As usual, I have no explanation for any of this.

Kernel level packet filtering top ten:

    Host/Mask          Packets   Bytes
    213.4.149.12         25115   1306K
    128.121.122.36       24818   1224K
    217.64.193.21        22088   1325K
    65.164.104.5         11936    716K
    72.244.103.210        7878    369K
    213.29.7.133          6171    370K
    195.128.174.109       5313    262K
    212.184.12.130        5070    243K
    61.128.0.0/10         4683    249K
    193.252.22.158        4194    252K

On the kernel blocks front, things are significantly more active than they were [[last week]], although our leader keeps slowly declining.

* 213.4.149.12, 72.244.103.210, and 212.184.12.130 all return from [[last week]], and for the same reasons (although looking back, I got a bit of my identification of 212.184.12.130 wrong; 212/8 is a RIPE netblock, not an APNIC one).
* 128.121.122.36 is affiliatecrew.com, which kept trying to hammer on us with mail that had already hit our spamtraps. Given their domain name, I am pretty sure that I don't want to talk to them anyways.
* 217.64.193.21 is an Italian IP address with no reverse DNS.
* 65.164.104.5 was blocked for blasting our postmaster alias with backscatter from viruses.
* 213.29.7.133 is a centrum.cz mail machine; we've gotten too much advance fee fraud spam from them to accept any more.
* 195.128.174.109 tried to keep sending us stuff that had already hit our spamtraps.
* 193.252.22.158 is a wanadoo.co.uk mail machine (and we've seen it before, most recently [[at the start of October SpamSummary-2006-10-07]]); at the time that we blocked it, it was in SPEWS (and we're not interested in talking to Wanadoo properties anyways).

It's also rare for the top-10 kernel blocks to be so dominated by single IP addresses; even [[last week]] had three netblocks. This week we're down to just a Chinese /10, and it's only in ninth place.

Connection time rejection stats:

    34922 total
    17172 dynamic IP
    14149 bad or no reverse DNS
     2316 class bl-cbl
      298 class bl-dsbl
      256 class bl-sdul
      211 class bl-njabl
       56 class bl-spews
       44 class bl-ordb
       41 class bl-sbl
       19 cuttingedgemedia.com

Three out of the top 30 most rejected IP addresses were rejected 100 times or more: 203.177.186.10 (188 times), 61.53.153.69 (167 times), and 61.53.153.71 (105 times), all of which are APNIC addresses refused for having bad or missing reverse DNS. 19 of the 30 most rejected IP addresses are currently in the CBL and 9 are currently in _bl.spamcop.net_.

This week's Hotmail numbers:

* 1 message accepted; it was legitimate email.
* 1 message rejected because it came from a non-Hotmail email address (it was a msn.com address).
* 26 messages sent to our spamtraps.
* 1 message refused because its sender addresses had already hit our spamtraps.
* 1 message refused due to its origin IP address being a SAIX one.

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad _HELO_s | 2076 | 103 | 335 | 52 |
| Bad bounces | 377 | 276 | 255 | 169 |

With the numbers that big, I was expecting to find a single point source of bad _HELO_s; unfortunately there isn't one. The leader is 208.223.173.169 (213 times), but then there is 70.234.28.17 (96 times), 216.27.82.198 (78 times), 68.15.237.4 (72 times), and so on.

The most eye-opening bad bounce source was securityfocus.com, at 22 attempts to check a '_IEFPLMD_'. I suspect that this is sender verification instead of actual bounces. However, this was not the most popular bounce destination; that goes to '_milw_' (22 times). To my pleasure, _3E4B_ reappeared (although there is still no sign of the 38 character hex strings). Otherwise, the bounces went to the usual suspects, primarily Slavic female names.