== Weekly spam summary on December 2nd, 2006

Our SMTP frontend crashed and restarted today at 2:51pm, which means that some stats are a little bit distorted. This week, we:

* got 15,320 messages from 276 different IP addresses.
* handled 21,412 sessions from 1,467 different IP addresses.
* received 217,984 connections from at least 66,248 different IP addresses up until this morning at 4am, and 11,150 connections from at least 4,184 different IP addresses since 2:51pm.
* hit a highwater of 50 connections being checked at once by 4am this morning (and a less impressive highwater of 9 since 2:51pm).

Connection count is up from [[last week SpamSummary-2006-11-25]], although nothing else really is. Removing today from the per-day table, we have:

| Day | Connections | different IPs
| Sunday | 40,151 | +15,122
| Monday | 39,803 | +12,027
| Tuesday | 31,702 | +9,861
| Wednesday | 34,586 | +10,595
| Thursday | 42,762 | +10,402
| Friday | 28,980 | +8,241

This is more see-sawing than we usually see, especially on Sunday. The highwater of 50 simultaneous connections was set on Thursday, which isn't too surprising.

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  208.99.198.64/27      38955   2337K
  213.29.7.0/24         29146   1749K
  64.166.14.222         13032    625K
  212.11.40.130          5965    358K
  81.115.40.8            5039    269K
  212.216.176.0/24       3996    199K
  217.16.29.50           3975    239K
  66.79.27.66            3896    234K
  216.64.81.10           3454    166K
  63.138.101.139         3369    162K

* 208.99.198.64/27 is [[SBL48200 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL48200]], returning from [[last week]] and now earning a place in our permanent blocks.
* 213.29.7.0/24 is centrum.cz, also returning and also earning a permanent block.
* 64.166.14.222 also returns from [[last week]], still a PacBell DSL line. Evidently it really, really wants to talk to us.
* 212.11.40.130 and 81.115.40.8 are both generic 'dynamic' IPs, from easnet.fr and telecomitalia.it respectively.
* 217.16.29.50 aka by.ru spent too much time trying to send us spam that had already hit our spamtraps.
* 216.64.81.10 kept trying a bad _HELO_ too much.
* 63.138.101.139 is in the CBL. I note with interest that despite being called 'mx03.simon-mx.com', the netblock it is in allegedly belongs to 'IMARKETING CONSULTANTS' (under PaeTec), allegedly located in Florida.

Overall volume seems down from [[last week]]; there are fewer really active sources, discounting [[SBL48200]].

Connection time rejection stats:

  70836 total
  45848 dynamic IP
  17887 bad or no reverse DNS
   5198 class bl-cbl
    645 class bl-sdul
    250 class bl-dsbl
     90 class bl-sbl
     61 class bl-njabl
     58 class bl-spews
     22 class bl-ordb

As I sometimes like to say, yow! This may be the highest rejection count we've ever had, and it certainly seems like a significant spam storm hit us this week.

The most active sources of dynamic IPs are:

  3064 rr.com
  2336 proxad.net
  1817 retail.telecomitalia.it
  1623 comcast.net
  1553 ono.com
  1423 dynamicip.rima-tde.net
  1383 user.auna.net
  1312 verizon
  1209 wanadoo.fr
  1118 charter.com

Only two of the top 30 most rejected IP addresses were rejected 100 times or more: 200.72.136.178 (135 times, rejected for being a LACNIC IP address with no reverse DNS) and our friend 63.138.101.138 (130 times). 21 of the top 30 are currently in the CBL and 9 are currently in _bl.spamcop.net_.

This week, Hotmail managed:

* 1 message accepted.
* 1 message rejected because it came from a non-Hotmail email address (in this case an address at 'alliedpersonelsvcinc.co.uk').
* 28 messages sent to our spamtraps.
* 2 messages refused because their sender addresses had already hit our spamtraps.
* 1 message refused due to its origin IP address being in the Cote d'Ivoire.

This is better than [[last week]], but that's still not saying very much.

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 1059 | 155 | 2148 | 161
| Bad bounces | 109 | 101 | 412 | 319

The clear winner in the bad _HELO_ sweepstakes is 210.171.112.2, with 136 attempts before it got blocked. No one won the bad bounces sweepstakes; as you can guess from the numbers, only a very few places even sent us more than one.

This week the first_last login name pattern bounces went away almost completely. What's left is primarily plausible usernames (generally not ones that were ever valid here), leavened with a few alphanumeric jumbles.