== Weekly spam summary on April 21st, 2007

This week, we:
* got 12,325 messages from 286 different IP addresses.
* handled 19,040 sessions from 1,240 different IP addresses.
* received 170,841 connections from at least 51,674 different IP addresses.
* hit a highwater of 17 connections being checked at once.

This is slightly up from [[last week SpamSummary-2007-04-14]], which just means it's within normal fluctuations.

The per day table is flatter this time around:

| Day | Connections | different IPs
| Sunday | 25,199 | +8,285
| Monday | 28,318 | +7,887
| Tuesday | 28,035 | +8,508
| Wednesday | 26,202 | +8,425
| Thursday | 24,601 | +7,856
| Friday | 22,180 | +5,824
| Saturday | 16,306 | +4,889

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  68.168.78.0/24        34173   1640K   adelphia.net
  68.230.240.0/23       27081   1315K   cox.net
  205.152.59.0/24       12790    580K   bellsouth.net
  209.60.190.123        11106    519K
  206.123.109.0/27      10994    603K
  213.29.7.0/24         10704    642K   centrum.cz
  213.4.149.12           6001    312K
  204.202.11.243         5451    269K
  24.216.176.82          4535    218K
  206.123.109.8          4315    237K

Volume is slightly up on [[last week]], which is vaguely depressing. The 206.123.109.0/27 netblock deserves special mention; it is another tendril of the otcpicknews.com (aka otcpicks.com and many others) group, previously found slamming us from 72.249.13.64/26 [[last week]]. Evidently adding them to the kernel level blocks was a good idea.

* 209.60.190.123 and 213.4.149.12 return from [[last week]].
* 204.202.11.243 kept trying to send us phish spam that had already tripped over our spamtraps.
* 24.216.176.82 is a charter.com cablemodem or other dynamic IP address.
* 206.123.109.8 is part of 206.123.109.0/27, but we blocked it first so it gets a separate entry.

Connection time rejection stats:

  48381 total
  25951 dynamic IP
  16153 bad or no reverse DNS
   4951 class bl-cbl
    215 acceleratebiz.com
    191 class bl-dsbl
    133 qsnews.net
    116 class bl-pbl
     85 class bl-sbl
     77 class bl-njabl
     62 class bl-sdul
     23 cuttingedgemedia.com

The highest SBL source this week is [[SBL48694 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL48694]] with 13 hits, which is a known spam sending source that was listed at the end of March.

Seven of the top 30 most rejected IP addresses were rejected 100 times or more this week; the champion is 190.51.4.122 (1107 rejections, a speedy.com.ar IP address without good reverse DNS), followed closely by 76.187.221.186 (971 rejections, a rr.com cablemodem) and 86.135.179.47 (836 rejections, a btcentralplus.com dynamic machine of some description).

Ten of the top 30 are currently in the CBL, one is in the SBL (213.154.87.161, in [[SBL21133 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL21133]], listed ~~April 18th 2005~~ for emitting way too much advance fee fraud spam), three are currently in _bl.spamcop.net_, twelve are in the PBL, and a grand total of 17 of the top 30 are in _zen.spamhaus.org_.

(Locally, 13 were rejected as 'dynamic IP', 11 were rejected for having bad or missing reverse DNS, 4 were rejected for being various places we don't talk to any more on account of spam, and two are on the DSBL.)

This week Hotmail had:
* no messages accepted.
* 2 messages rejected because they came from non-Hotmail email addresses.
* 36 messages sent to our spamtraps.
* 3 messages refused because their sender addresses had already hit our spamtraps.
* 3 messages refused due to their origin IP address (one in the CBL, one in [[SBL33955 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL33955]], an advance fee fraud spam source listing from October 24th ~~2005~~ (and it was sending through Hotmail back then), and one from saix.net/telkcom.co.za).

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 720 | 75 | 940 | 72
| Bad bounces | 68 | 22 | 57 | 29

The leading source of bad _HELO_s is 203.90.78.101, with 96 rejections. The leading source of bad bounces was 012.net.il, followed by earthlink.net and videotron.ca; other bad bounces came from a random smattering of all over.

Bad bounces were sent to 23 different bad usernames this week. The leading target, with 39 attempts, was an old user account, long since removed; after that, with 6 attempts, comes our old friend _noreply_. Apart from that, almost all of the bounces went to things like _OtisVentura_, with a smattering of old local users.