Weekly spam summary on December 16th, 2006

December 17, 2006

This week, we:

  • got 16,689 messages from 271 different IP addresses.
  • handled 21,893 sessions from 1,229 different IP addresses.
  • received 207,766 connections from at least 62,254 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

This is about the same volume as last week, although the number of different IP addresses connecting to us is unusually large.

Day         Connections   different IPs
Sunday           36,194         +11,759
Monday           31,707          +9,762
Tuesday          39,486         +11,117
Wednesday        30,112          +9,187
Thursday         25,760          +7,261
Friday           26,366          +6,996
Saturday         18,141          +6,172

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
208.99.198.64/27      29607   1776K
213.29.7.0/24         16473    988K
213.4.149.12           8042    418K
60.231.152.85          6112    311K
69.178.167.2           5894    283K
66.199.252.234         4744    285K
193.252.22.158         4657    279K
195.225.106.170        3907    234K
72.164.45.65           2696    129K
63.138.101.136         2566    123K
  • 208.99.198.64/27 is totallyfreeld.net, aka SBL48200, still not terminated by their upstream and still active, returning from two weeks ago.
  • 213.29.7.0/24 is the centrum.cz mail servers, returning from last week and still justifying their permanent block.
  • 213.4.149.12 and 193.252.22.158 return from last week.
  • 60.231.152.85 is a bigpond.net.au cablemodem, and returns from October.
  • 69.178.167.2 and 72.164.45.65 tried to send a lot of bad HELOs.
  • 66.199.252.234 and 195.225.106.170 tried to keep sending us stuff from origin addresses that had already tripped our spamtraps.
  • 63.138.101.136 is in the CBL.

Overall, this week is quieter than last week.

Connection time rejection stats:

  48974 total
  30101 dynamic IP
  13820 bad or no reverse DNS
   3483 class bl-cbl
    271 class bl-sdul
    195 class bl-dsbl
    147 class bl-njabl
     82 class bl-spews
     74 cuttingedgemedia.com
     30 class bl-sbl
     23 class bl-ordb

There was only one IP address out of the top 30 most rejected IP addresses that was rejected 100 times or more, but that was our old friend 64.166.14.222 (631 times). Twelve of the top 30 are currently in the CBL, eight are currently in bl.spamcop.net, and one is in the SBL: 213.154.88.54, apparently an ADSL line in Dakar, is in SBL21134 and SBL43951. You win no prizes for guessing that both listings are for being an advance fee fraud spam source.

(Ironically it accounted for none of the SBL hits this week, because it was blocked for having no reverse DNS, and that's checked before the SBL. The lead SBL hit source is 72.5.205.109 at 13 times, in SBL45324 as part of a ROKSO listing for 'Brian Kramer' aka 'Expedite Media Group'.)
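The ordering effect described above is worth seeing in miniature: when connection-time checks run in a fixed order and a connection is charged to the first check that rejects it, the later checks (the DNSBL lookups) are under-counted for any IP an earlier check already caught. The following is an added example, not the author's own filtering code; the check order, the hostname heuristic for "dynamic IP", and all IPs, PTR names and listings are constructed for illustration.

```python
"""Model of an ordered SMTP connection-time rejection pipeline.

A connection is charged to the FIRST check that rejects it, so an IP with
no reverse DNS that is also in the SBL shows up under "bad or no reverse
DNS" and never adds to the SBL count. All data here is constructed for
the example (documentation IP ranges, made-up hostnames and listings).
"""
import re
from collections import Counter

# Checks in the order they run. The order itself is an assumption that
# matches the post's remark that reverse DNS is checked before the SBL.
CHECK_ORDER = [
    "dynamic IP",
    "bad or no reverse DNS",
    "class bl-cbl",
    "class bl-sbl",
]

# Constructed reverse-DNS data: IP -> PTR name (None = no PTR record).
PTR = {
    "192.0.2.10": "mail.example.org",
    "192.0.2.11": "cpe-192-0-2-11.dsl.example.net",  # looks like a dynamic pool
    "192.0.2.12": None,                              # no reverse DNS at all
    "192.0.2.13": "forged.example.com",              # PTR does not resolve back
    "192.0.2.14": "mx.example.com",
}
# Constructed forward-DNS data: name -> set of IPs it resolves to.
FORWARD = {
    "mail.example.org": {"192.0.2.10"},
    "cpe-192-0-2-11.dsl.example.net": {"192.0.2.11"},
    "forged.example.com": {"203.0.113.1"},
    "mx.example.com": {"192.0.2.14"},
}
# Constructed DNSBL membership: zone -> set of listed IPs.
DNSBL = {
    "class bl-cbl": {"192.0.2.12", "192.0.2.14"},
    "class bl-sbl": {"192.0.2.12", "192.0.2.13"},
}

# Assumed heuristic for dynamic/consumer addresses: pool-style labels in the
# PTR name, or the IP's octets embedded as a dash-separated run.
DYNAMIC_RE = re.compile(
    r"(^|[.-])(dsl|cable|dyn|dhcp|ppp|pool)([.-]|$)|\d+-\d+-\d+-\d+", re.I)


def is_dynamic(ip):
    name = PTR.get(ip)
    return bool(name and DYNAMIC_RE.search(name))


def bad_rdns(ip):
    """True if there is no PTR, or the PTR name does not resolve back to ip."""
    name = PTR.get(ip)
    if name is None:
        return True
    return ip not in FORWARD.get(name, set())


CHECKS = {
    "dynamic IP": is_dynamic,
    "bad or no reverse DNS": bad_rdns,
    "class bl-cbl": lambda ip: ip in DNSBL["class bl-cbl"],
    "class bl-sbl": lambda ip: ip in DNSBL["class bl-sbl"],
}


def first_rejection(ip):
    """The check a connection is charged to (None = accepted at this stage)."""
    for name in CHECK_ORDER:
        if CHECKS[name](ip):
            return name
    return None


def all_rejections(ip):
    """Every check that would reject the IP if it were the only one."""
    return [name for name in CHECK_ORDER if CHECKS[name](ip)]


def tally(connections):
    """Return (charged, would_hit): first-match stats vs. per-check hit counts."""
    charged, would_hit = Counter(), Counter()
    for ip in connections:
        reason = first_rejection(ip)
        if reason is not None:
            charged["total"] += 1
            charged[reason] += 1
        for name in all_rejections(ip):
            would_hit[name] += 1
    return charged, would_hit


def render(charged):
    """Format the first-match tally like the post's rejection-stats block."""
    lines = ["%7d total" % charged["total"]]
    for name, n in sorted(((k, v) for k, v in charged.items() if k != "total"),
                          key=lambda kv: -kv[1]):
        lines.append("%7d %s" % (n, name))
    return "\n".join(lines)


# Constructed connection log: one source IP per connection attempt.
SAMPLE_CONNECTIONS = ["192.0.2.10", "192.0.2.11", "192.0.2.11", "192.0.2.12",
                      "192.0.2.12", "192.0.2.12", "192.0.2.13", "192.0.2.14"]

if __name__ == "__main__":
    charged, would_hit = tally(SAMPLE_CONNECTIONS)
    print(render(charged))
    print("SBL would have matched %d times but is charged %d"
          % (would_hit["class bl-sbl"], charged["class bl-sbl"]))
```

In the constructed log the SBL would match four connections, yet the first-match tally charges it zero, because every SBL-listed IP in the sample has also failed the reverse DNS check that runs first. Reading the rejection counts as "how much each list catches" therefore understates every check that sits later in the order.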

This week, Hotmail had:

  • 3 messages accepted; I suspect that at least two of them were spam.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 25 messages sent to our spamtraps.
  • 4 messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address being in the CBL.

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs     1017 (109)                   785 (146)
Bad bounces     80 (64)                    109 (95)

This week there are no bad bounces to 'first_lastname' login names. They've been entirely supplanted by a random parade of alphabetical jumbles, the most popular of which was 'sxdijkhocqn' (5 times), leavened with a few things that are somewhat more plausible usernames, and a couple of old login names that no longer exist.

Written on 17 December 2006.