== Weekly spam summary on November 4th, 2006

This week, we:

* got 15,265 messages from 278 different IP addresses.
* handled 21,071 sessions from 1,538 different IP addresses.
* received 215,602 connections from at least 52,130 different IP addresses.
* hit a highwater of 12 connections being checked at once.

These statistics superficially look a lot like [[last week SpamSummary-2006-10-28]]'s, although up somewhat. What they hide is a significant spam storm that has actually been getting through our low-rent graylisting, more or less shown in the per day table:

| Day | Connections | different IPs |
| Sunday | 26,390 | +6,411 |
| Monday | 28,908 | +7,066 |
| Tuesday | 26,318 | +6,641 |
| Wednesday | 30,790 | +7,677 |
| Thursday | 33,607 | +8,772 |
| Friday | 36,044 | +8,379 |
| Saturday | 33,545 | +7,184 |

Today especially our logs have been lighting up with this stuff. The giveaway sign is dynamic machines _HELO_ing with their actual (dynamic) name, not a forged _HELO_ greeting, and then trying to _MAIL FROM_ various random places. So far most of them have been European IPs, with some Asian and American ones to make life more exciting.

Kernel level packet filtering top ten:

  Host/Mask           Packets  Bytes
  213.4.149.12        26060    1355K
  69.31.86.14          7864     472K
  216.71.64.178        5190     311K
  194.213.224.9        5015     301K
  209.182.108.85       5014     231K
  60.231.152.85        4794     244K
  193.252.22.158       3942     237K
  61.128.0.0/10        3930     199K
  212.216.176.0/24     3917     194K
  213.29.7.134         3890     233K

This is a bunch better than [[last week]], with everyone except our usual prize winner coming in significantly lower. Also, almost all of the IPs are new ones.

* 213.4.149.12 and 193.252.22.158 reappear from [[last week]].
* 69.31.86.14 is in SPEWS.
* 216.71.64.178 is a host4u.net machine, and we're not interested in talking to them.
* 194.213.224.9 kept trying to send us stuff that had tripped our spamtraps.
* 209.182.108.85 had a bad _HELO_ greeting.
* 60.231.152.85 is a bigpond.net.au cablemodem. Uh, no thanks.
* 213.29.7.134 is a centrum.cz mail machine (last spotted in [[February SpamSummary-2006-02-04]]), although a neighboring machine made the list [[last week]].

This is an interestingly broad assortment of reasons for getting blocked, much less monochromatic than usual.

Connection time rejection stats:

  56316 total
  29798 dynamic IP
  21151 bad or no reverse DNS
   3133 class bl-cbl
   1055 class bl-sdul
    261 class bl-dsbl
    115 class bl-njabl
     99 class bl-spews
     48 class bl-ordb
     37 cuttingedgemedia.com
     27 class bl-sbl

And here we see the explosion: this is way up from [[last week]], with major growth in several areas typical of exploited zombie machines.

Four of the top 30 most rejected IP addresses were rejected 100 times or more: 124.90.223.216 (376 times, all of them today), 69.159.193.177 (181 times), 82.163.27.65 (102 times), and 82.3.189.248 (100 times). Annoyingly, one of them is a Canadian (even a Toronto) IP address. Nineteen of the top 30 most rejected IP addresses are currently in the CBL, and 10 are currently in _bl.spamcop.net_.

This week's Hotmail grumps:

* 8 messages accepted; one that was good, 6 that were definitely spam, and one I'm not sure about.
* 1 message rejected because it came from a non-Hotmail email address.
* 38 messages sent to our spamtraps.
* 1 message refused because its sender addresses had already hit our spamtraps.
* 6 messages refused due to their origin IP address (3 for being in the CBL, one from SAIX, one from Burkina Faso, and one from the Cote d'Ivoire).

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad _HELO_s | 1298 | 140 | 2076 | 103 |
| Bad bounces | 370 | 256 | 377 | 276 |

Things are better than [[last week]], but not hugely. The most popular bad bounce target this week was 'wilhelmi' (21 hits), but in general the pattern continued from [[last week]], and almost everything was hit only once. There seems to be a drift towards single-word usernames, away from the combination Slavic female names.
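The "giveaway sign" described above (a dynamic machine _HELO_ing with its real dynamic hostname and then using _MAIL FROM_ addresses from unrelated domains) is easy to pick out of SMTP session logs after the fact. The following is an added example, not code from the original post or from this site's mail system; the log line format, the list of "dynamic-looking" hostname labels and the sample sessions are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Hostname labels that ISPs commonly hand out to dynamically assigned
# customer machines. This list is a heuristic assumption of the example.
DYNAMIC_LABELS = {
    "dsl", "adsl", "dyn", "dynamic", "dynip", "ppp", "pppoe",
    "pool", "cable", "dhcp", "dial", "dialup",
}

# Three or more octet-like numbers joined by '-' or '.', e.g. 192-0-2-10,
# which is the other common marker of an ISP-generated dynamic name.
OCTET_RUN = re.compile(r"(?<![0-9])\d{1,3}(?:[-.]\d{1,3}){2,}(?![0-9])")

# Assumed log format: "<date> <time> <client-ip> HELO <name>" and
# "<date> <time> <client-ip> MAIL FROM:<addr>". Not the real mailer's format.
HELO_RE = re.compile(r"^\S+ \S+ (?P<ip>[\d.]+) (?:HELO|EHLO) (?P<name>\S+)$")
MAIL_RE = re.compile(r"^\S+ \S+ (?P<ip>[\d.]+) MAIL FROM:<(?P<addr>[^>]*)>$")

# Constructed sample log (RFC 5737 documentation addresses, example domains).
SAMPLE_LOG = """\
2006-11-04 09:12:01 connect from 192.0.2.10
2006-11-04 09:12:01 192.0.2.10 HELO dsl-192-0-2-10.example-isp.net
2006-11-04 09:12:02 192.0.2.10 MAIL FROM:<bob@example.org>
2006-11-04 09:12:05 192.0.2.10 MAIL FROM:<alice@example.com>
2006-11-04 09:13:10 198.51.100.7 HELO mail.example.net
2006-11-04 09:13:11 198.51.100.7 MAIL FROM:<news@example.net>
2006-11-04 09:14:20 203.0.113.55 HELO ppp-55.dyn.example-isp.org
2006-11-04 09:14:21 203.0.113.55 MAIL FROM:<sales@example.biz>
"""


def looks_dynamic(helo_name):
    """True if the HELO name looks like an ISP-generated dynamic hostname."""
    name = helo_name.lower()
    labels = re.split(r"[.-]", name)
    if any(label in DYNAMIC_LABELS for label in labels):
        return True
    return OCTET_RUN.search(name) is not None


def registered_part(hostname):
    """Crude 'last two labels' of a name; no public-suffix list (assumption)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_sessions(log_text):
    """Group HELO name and MAIL FROM addresses by client IP."""
    sessions = defaultdict(lambda: {"helo": None, "senders": []})
    for line in log_text.splitlines():
        m = HELO_RE.match(line)
        if m:
            sessions[m["ip"]]["helo"] = m["name"]
            continue
        m = MAIL_RE.match(line)
        if m:
            sessions[m["ip"]]["senders"].append(m["addr"])
    return dict(sessions)


def flag_dynamic_senders(log_text):
    """Return (ip, helo, foreign_sender_domains) for sessions where a
    dynamic-looking HELO name is paired with MAIL FROM domains that do
    not match the HELO name's own domain."""
    flagged = []
    for ip, sess in parse_sessions(log_text).items():
        helo = sess["helo"]
        if not helo or not looks_dynamic(helo):
            continue
        helo_domain = registered_part(helo)
        sender_domains = {
            registered_part(addr.split("@", 1)[1])
            for addr in sess["senders"] if "@" in addr
        }
        foreign = sorted(sender_domains - {helo_domain})
        if foreign:
            flagged.append((ip, helo, foreign))
    return flagged


if __name__ == "__main__":
    for ip, helo, domains in flag_dynamic_senders(SAMPLE_LOG):
        print(f"{ip}: HELO {helo} but MAIL FROM {', '.join(domains)}")
```

Running it over the constructed log reports the two dynamic-looking clients and leaves the ordinary mail server alone. The same per-IP grouping is what feeds a "bad _HELO_" count like the one in the final table; a real deployment would compare the HELO name against the connection's reverse DNS as well, which this example omits.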