== Weekly spam summary on February 24th, 2007

This week, we:

* got 15,188 messages from 253 different IP addresses.
* handled 21,573 sessions from 1,281 different IP addresses.
* received 238,853 connections from at least 71,848 different IP addresses.
* hit a highwater of 10 connections being checked at once.

Connection and session volume is down a bit from [[last week SpamSummary-2007-02-17]]. Day to day volume fluctuated up and down through the week:

| Day | Connections | different IPs
| Sunday | 29,706 | +11,012
| Monday | 40,386 | +12,084
| Tuesday | 41,718 | +12,719
| Wednesday | 34,748 | +10,352
| Thursday | 36,413 | +9,568
| Friday | 32,318 | +9,189
| Saturday | 23,564 | +6,924

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  205.152.59.0/24       27609   1252K
  207.145.125.204       25029   1272K
  206.223.168.238       15375    843K
  213.29.7.0/24          8533    512K
  211.136.0.0/14         7240    386K
  67.95.56.42            6865    319K
  203.89.173.58          6836    301K
  204.202.15.102         6800    336K
  81.201.105.157         5045    242K
  204.202.23.184         4987    246K

This is up substantially from [[last week]].

The big news this week is that I blocked 205.152.59.0/24 very early on in the week; this is Bellsouth's outgoing mail servers. We no longer accept email from Bellsouth because they have gotten into the free webmail business, and as a result are now active participants in the advance fee fraud spam business. (Many US ISPs have apparently gone this direction, for reasons I don't understand.)

* 207.145.125.204, 67.95.56.42, 204.202.15.102, and 204.202.23.184 all kept trying to send email with an origin address that had already tripped our spamtraps, mostly for what looks like phish spam (certain sorts of origin addresses are dead giveaways).
* 206.223.168.238 is in the CBL.
* 203.89.173.58 kept trying with a bad _HELO_.
* 81.201.105.157 is in the [[NJABL http://www.njabl.org/]].

All that makes this a highly atypical week; for example, we don't have a single top-10 IP address that we've seen before.
In the good news front, 208.99.198.64/27 continued not sending us so much as a single connection attempt over the week, and have thus dropped off my radar for future reports.

Connection time rejection stats:

  69674 total
  43536 dynamic IP
  17981 bad or no reverse DNS
   6394 class bl-cbl
    295 class bl-njabl
    250 class bl-sdul
    220 class bl-pbl
    159 acceleratebiz.com
    147 class bl-sbl
    144 class bl-dsbl
     33 inetekk.com
     15 cuttingedgemedia.com

Overall volume is about the same as [[last week]]. The SBL breakdown is slightly interesting:

| 59 | [[SBL51080|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL51080]] | phish spam source
| 17 | [[SBL49074|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL49074]] | hijacked server that's spamming (13 Dec 2006)
| 11 | [[SBL49046|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL49046]] | advance fee fraud spam source (13 Dec 2006)
| 10 | [[SBL50375|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL50375]] | a /25 ROKSO listing for Eric Reinertsen (29 Jan 2007)
| 10 | [[SBL49248|http://www.spamhaus.org/SBL/sbl.lasso?query=SBL49248]] | saigonnet.vn webmail, listed as an advance fee fraud spam source (18 Dec 2006)

Of these, [[SBL49046]] and [[SBL50375]] appeared in my summary [[last week]], at about the same volume.

Three of the top 30 most rejected IP addresses were rejected 100 times or more this week: 193.4.194.142 (216 times, bad reverse DNS), 64.166.14.222 (168 times, dynamic IP), and 81.201.105.157 (153 times, on the [[NJABL]]).

Eight of the top 30 are currently in the CBL, eight are currently in _bl.spamcop.net_, 10 are in the [[PBL http://www.spamhaus.org/pbl/]], a grand total of 17 are in the combined [[zen.spamhaus.org http://www.spamhaus.org/zen/]] zone, and one is in the SBL: 69.15.58.106, [[SBL51080]].

This week Hotmail managed:

* 4 messages accepted, two of them probably legitimate.
* no messages rejected because they came from non-Hotmail email addresses.
* 57 messages sent to our spamtraps.
* 10 messages refused because their sender addresses had already hit our spamtraps.
* 5 messages refused due to their origin IP address (3 from the Cote d'Ivoire, one from Nigeria, and one in the CBL).

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 877 | 101 | 979 | 155
| Bad bounces | 16 | 12 | 9 | 8

The winner of the bad _HELO_ contest this week was 72.165.125.122, with 125 rejections until it got blocked; the next highest source only managed 61.

It's sad to see the bad bounce numbers start rising again, but they're still low, and this week they seem to have come from all over, including a darpa.mil machine and something in the Arab Emirates that has been forging its _HELO_ name and so won't be talking to us any more.

Bad bounces were sent to 13 different usernames this week, mostly to real ex-users and plausible usernames. There was one alphabetical jumble, and _E07_ and _3E4B_ also put in appearances. The most popular bad bounce targets (admittedly at 3 and 2 hits respectively) were both ex-users.