Weekly spam summary on January 20th, 2007

January 20, 2007

Our SMTP frontend crashed a lot this week, so the connection volume number is a lot more approximate than usual. Having said that, this week we:

  • got 14,060 messages from 292 different IP addresses.
  • handled 21,260 sessions from 1,496 different IP addresses.
  • received over 183,239 connections; I'm not going to try to guess at the minimum number of different IP addresses.
  • probably hit a highwater of 6 connections being checked at once.

It seems likely that volume was around that of last week or maybe a bit lower, but it's very hard to tell.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          21316   1101K
213.29.7.0/24         18080   1081K
193.70.192.0/24       12078    544K
216.100.202.21         4945    231K
67.118.208.202         4683    225K
208.42.51.45           4208    202K
66.46.180.235          4149    248K
72.156.25.114          4058    195K
217.128.32.217         3513    169K
170.180.10.152         3360    161K

  • 213.4.149.12 returns from last week and many previous appearances.
  • 216.100.202.21 was on the NJABL when we blocked it, but no longer is.
  • 67.118.208.202 is a Pacbell DSL line in the SORBS DUL list.
  • 208.42.51.45 and 170.180.10.152 kept trying bad HELOs.
  • 66.46.180.235 kept trying to send us stuff that had already tripped our spamtraps.
  • 72.156.25.114 and 217.128.32.217 are both things that we consider dialups.

The overall volume is clearly up from last week, although only one of these IP addresses has made the list before. (And that one is terra.es's mail server, which we haven't wanted to talk to for ages.)

Connection time rejection stats:

  48728 total
  32588 dynamic IP
  12796 bad or no reverse DNS
   2058 class bl-cbl
    206 class bl-sdul
    143 class bl-dsbl
     98 class bl-pbl
     58 class bl-njabl
     50 class bl-sbl

As you can see, we've added the Spamhaus PBL to our list of blocklists. It hasn't hit much because it comes after the CBL and our extensive hand-maintained list of dialups and other dynamic IPs.
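The "it comes after the CBL" effect is an ordering artifact: a connection is charged to the first check that rejects it, so a host listed in both the CBL and the PBL never shows up under bl-pbl. The following is an added example, not code from this post, showing that first-match tally over a constructed set of lists and connection records (the IP addresses, list memberships and rule names are all made up for the demonstration):

```python
from collections import Counter

# Constructed lookup tables standing in for the real data sources: a
# hand-maintained dynamic-IP list, a reverse-DNS check, and DNSBL lookups.
DYNAMIC_IPS = {"192.0.2.10", "192.0.2.11"}
NO_REVERSE_DNS = {"198.51.100.5"}
DNSBLS = {
    "bl-cbl": {"203.0.113.7", "203.0.113.8"},
    "bl-pbl": {"203.0.113.8", "203.0.113.9"},   # .8 is also in the CBL
    "bl-sbl": {"203.0.113.20"},
}

# Order matters: a connection is charged to the first rule that matches,
# so a PBL-listed host that is also in the CBL is counted only as bl-cbl.
CHECK_ORDER = ["dynamic IP", "bad or no reverse DNS", "bl-cbl", "bl-pbl", "bl-sbl"]

def classify(ip, order=CHECK_ORDER):
    """Return the rejection class for ip, or None if it would be accepted."""
    for rule in order:
        if rule == "dynamic IP" and ip in DYNAMIC_IPS:
            return rule
        if rule == "bad or no reverse DNS" and ip in NO_REVERSE_DNS:
            return rule
        if rule.startswith("bl-") and ip in DNSBLS[rule]:
            return rule
    return None

def tally(connections, order=CHECK_ORDER):
    """Count rejections per class (plus a total) over an iterable of source IPs."""
    counts = Counter()
    for ip in connections:
        cls = classify(ip, order)
        if cls is not None:
            counts[cls] += 1
    counts["total"] = sum(counts.values())
    return counts

# Constructed connection log: one source IP per connection attempt.
SAMPLE_CONNECTIONS = [
    "192.0.2.10", "192.0.2.10", "192.0.2.11", "198.51.100.5",
    "203.0.113.7", "203.0.113.8", "203.0.113.8", "203.0.113.9",
    "203.0.113.20", "203.0.113.99",
]

if __name__ == "__main__":
    for cls, n in tally(SAMPLE_CONNECTIONS).most_common():
        print(f"{n:6d} {cls}")
```

Swapping bl-pbl ahead of bl-cbl in the order moves the doubly listed host into the PBL column, which is the only thing that changes; the total stays the same.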

Only one out of the top 30 most rejected IPs was rejected 100 times or more this week; 217.128.32.217, a wanadoo.fr dialup, was rejected 422 times. 13 of the top 30 are currently in the CBL, and 5 are currently in bl.spamcop.net.

Half of our SBL rejections came from 200.170.174.135 (25 rejections, SBL50181), a compromised web server being abused to send advance fee fraud spam for some time. After that is 65.99.209.155 (7 rejections, SBL50211), labeled as an opt-out spammer, and 66.158.163.165 (4 rejections, SBL49046), more advance fee fraud spamming.

This week Hotmail brought us:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 30 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one from saix.net, one from Burkina Faso).

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs     1578 (101)                   566 (98)
Bad bounces   455 (345)                    151 (126)

I can't say that this looks good compared to last week. There is a clear winner of the bad HELO sweepstakes; 193.99.175.1 tried 494 times. Fortunately, that's the only really active bad HELO source, and everyone else was down in what I consider acceptable territory with only double-digit rejections.

Germany remained a major source of our bad rejections, sprinkled with Italy, Japan, Australia, and other places around the globe. 'noreply' was the most popular single username to try to send bounces to, but the most popular thing in general was random alphabetical usernames like 'shxonbnjy'. Bad bounces were sent to 425 different bad usernames this week.

Written on 20 January 2007.

Last modified: Sat Jan 20 23:28:55 2007