This week, we:

• got 15,129 messages from 287 different IP addresses.
• handled 21,714 sessions from 1,659 different IP addresses.
• received 193,764 connections from at least 45,843 different IP addresses.
• hit a highwater of 35 connections being checked at once.

Connection volume is down from last week. The highwater is much higher and was set sometime Thursday; before then we had the same highwater as last week.

Day	Connections	different IPs
Sunday	22,042	+5,058
Monday	26,755	+7,229
Tuesday	25,419	+6,811
Wednesday	29,058	+7,241
Thursday	32,172	+6,803
Friday	31,499	+6,677
Saturday	26,819	+6,024

This shows a Thursday peak as well, ramping up on Wednesday and sliding down on Friday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
72.244.103.210        14789    692K
69.31.86.14           11047    663K
203.158.55.63          8565    436K
64.166.14.222          6958    334K
193.252.22.158         5086    305K
212.216.176.0/24       4894    241K
213.1.255.134          4866    234K
210.108.75.241         4186    201K
64.32.177.103          3525    165K
213.4.149.12           3364    175K

It's a miracle: 213.4.149.12 has dropped from consistent first place all the way down to barely ranking this week. Overall it's a bit worse than last week; the high end is worse and the low end is not much better.

• 72.244.103.210 returns from two weeks ago, and is still a Covad something-or-other.
• 69.31.86.14, 193.252.22.158, and 213.4.149.12 all return from last week.
• 203.158.55.63 is an iinet.net.au customer machine in the CBL.
• 64.166.14.222 is a Pacbell DSL line, returning from September.
• 213.1.255.134 and 64.32.177.103 kept dumping bad HELOs on us.
• 210.108.75.241 is a Korean IP address with no reverse DNS.

Just over half of this week's top ten are returning IPs that we've seen before. I tend to find this depressing.

Connection time rejection stats:

  43509 total
  23493 dynamic IP
  16892 bad or no reverse DNS
   1744 class bl-cbl
    221 class bl-sdul
    194 class bl-njabl
    189 class bl-dsbl
     59 class bl-spews
     46 class bl-sbl
     40 class bl-ordb
     35 cuttingedgemedia.com

Two of the top 30 most rejected IP addresses were rejected 100 times or more; 64.166.14.222 (567 times), and an internal UofT client machine that has apparently been misconfigured to try to use us as its server. Fifteen of the top 30 are currently in the CBL and five are currently in bl.spamcop.net.

This week's gifts from Hotmail:

• 2 messages accepted.
• 3 messages rejected because they came from non-Hotmail email addresses.
• 38 messages sent to our spamtraps.
• 2 messages refused because their sender addresses had already hit our spamtraps.
• 1 messages refused due to its origin IP address being in SBL38620 (listed March 4th 2006, and it's apparently an Internet cafe in Nigeria with a satellite Internet connection).

And the final numbers:

what	# this week	(distinct IPs)	# last week	(distinct IPs)
Bad HELOs	1780	151	1298	140
Bad bounces	482	416	370	256

I don't like the upward trend compared to last week, but there's nothing I can do about it.

This week's bad bounce targets are all over the map. Almost nothing got hit more than once ('olsak' is the leader, at 4 times, followed by 'noreply' and a couple of old usernames here at 3 times), and the popularity of Slavic women's first_lastname usernames continues its slide. Apart from that there are words like worm and zodiac, old usernames, vaguely plausible usernames like semerad, a certain amount of capitalized names like Kardel, one XXoX, a lot of random jumbles like zywcfnhiqtji, and the return of a few Linux ALSA function names.

(I have no idea why 'snd_pcm_hw_params_get_buffer_size' is so absurdly popular with spammers as the origin of their forged spam, but it is and has been for years.)