== Weekly spam summary on April 28th, 2007

This week, we:

* got 11,321 messages from 292 different IP addresses.
* handled 18,443 sessions from 1,247 different IP addresses.
* received 176,017 connections from at least 61,753 different IP addresses.
* hit a highwater of 7 connections being checked at once.

This is slightly up from [[last week SpamSummary-2007-04-21]], especially the number of different IP addresses hitting us. The drop in email messages may be because we're towards the end of university exams, when things tend to get a bit quiet.

| Day | Connections | new different IPs
| Sunday | 26,858 | +9,992
| Monday | 26,131 | +9,688
| Tuesday | 30,224 | +10,405
| Wednesday | 33,942 | +10,356
| Thursday | 26,933 | +8,622
| Friday | 18,944 | +7,395
| Saturday | 12,985 | +5,295

The spammers seem to have jumped on us in the middle of the week, and then started to fall off later on. Probably this is not going to be a long-term trend.

Kernel level packet filtering top ten:

| Host/Mask | Packets | Bytes | Domain
| 68.230.240.0/23 | 39449 | 1916K | cox.net
| 68.168.78.0/24 | 19607 | 941K | adelphia.net
| 213.29.7.0/24 | 15449 | 927K | centrum.cz
| 213.4.149.12 | 13035 | 678K |
| 205.152.59.0/24 | 12831 | 582K | bellsouth.net
| 206.123.109.0/27 | 9250 | 508K |
| 81.115.40.8 | 5319 | 284K |
| 65.175.90.190 | 2877 | 158K |
| 193.25.197.0/24 | 2619 | 157K |
| 65.75.64.3 | 2619 | 126K |

Volume is slightly down from [[last week]], and has shuffled around quite a bit.

* 213.4.149.12 is terra.es, and returns from [[last week]] and many times before.
* 206.123.109.0/27 is a tendril of otcpicknews.com and returns from [[last week]].
* 81.115.40.8 is a telecomitalia.it generic host, and returns from [[late February SpamSummary-2007-03-24]] and a number of times before then.
* 65.175.90.190 kept trying to send us stuff with an origin address that had tripped our spam traps. It's been doing this for some time, but this is the first week it's made our top ten.
* 193.25.197.0/24 is celeonet.fr; it also kept trying to send us stuff that had already tripped our spamtraps, but it was sending from so many IP addresses that I just blocked the entire /24.
* 65.75.64.3 kept trying with a bad _HELO_ name.

Connection time rejection stats:

| Rejections | Reason
| 41556 | total
| 22293 | dynamic IP
| 13326 | bad or no reverse DNS
| 4565 | class bl-cbl
| 234 | qsnews.net
| 222 | class bl-njabl
| 105 | acceleratebiz.com
| 110 | class bl-dsbl
| 95 | class bl-pbl
| 71 | class bl-sdul
| 70 | class bl-sbl

The highest source of SBL rejections this week is [[SBL49395 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL49395]] at 25 rejections, which is labeled as 'swishmail.com' and appears to be a dirty /24 used by a spammer; it was listed 23 December 2006. Following it is [[SBL45324 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL45324]] with 17 rejections, a /24 ROKSO listing for Brian Kramer aka Expedite Media Group, listed 26 December 2006.

Three of the top 30 most rejected IP addresses were rejected 100 times or more this week: 216.213.172.11 (156 times, qsnews.net), 200.62.58.67 (123 times, missing reverse DNS), and 87.51.151.182 (106 times, tele.dk ADSL). Ten of the top 30 are currently in the CBL, none are currently in _bl.spamcop.net_ (somewhat to my surprise), eight are in the PBL, and a grand total of 14 are in zen.spamhaus.org. (Locally, 13 were rejected for bad or missing reverse DNS, 9 as dynamic IPs, 3 as being from various places we don't want to talk to, 3 for being in the NJABL, and one each for being in the DSBL and the CBL.)

This week, Hotmail did:

* no messages accepted.
* no messages rejected because they came from non-Hotmail email addresses.
* 24 messages sent to our spamtraps.
* 16 messages refused because their sender addresses had already hit our spamtraps.
* 4 messages refused due to their origin IP address (two in the CBL, one in [[SBL48677 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL48677]], an advance fee fraud spam source listing from December 1st 2006, and one from Côte d'Ivoire).

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 699 | 69 | 720 | 75
| Bad bounces | 125 | 57 | 68 | 22

Bad bounces have almost doubled from [[last week]], and the number of sources has more than doubled. On the slightly bright side, at least the bad _HELO_ count has dropped slightly. The leading bad _HELO_ source is 70.16.191.87 (72 tries), followed by 216.212.61.226 (67 tries).

Bad bounces were sent to 36 different bad usernames this week. The leading target, with *84* attempts, was an old user. After that we saw attempts to old users, the ever-popular _noreply_, some random jumbles like _xgosk02_, and a variety of names like _MyraRogers_. This week the bounces seem to have come from all over; the leading source is chello.at, followed by a Polish ISP and Earthlink. Various places in Eastern Europe seem to be popular bounce sources in general.
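The summary counts how many of the top rejected IPs are in the CBL, in the PBL, and in zen.spamhaus.org, and those numts only make sense once you know that zen is the combined zone (SBL plus XBL, which carries the CBL data, plus PBL) and that one query returns a different 127.0.0.x answer per component list. The script below is an added example, not part of the original post or of the mail system it describes: it builds the reversed-octet query name, decodes the zen return codes as Spamhaus documents them, treats the 127.255.255.x error answers (bad zone name, query via an open resolver, quota exceeded) as "no listing" rather than as a reason to reject mail, and tallies per-component counts over a set of IPs. The IPs and answers it feeds through `sample_resolver` are constructed TEST-NET data so it runs offline; `system_resolver` does the real lookup if you want it.

```python
#!/usr/bin/env python3
"""Check IPv4 addresses against zen.spamhaus.org and decode which component list hit.

zen = SBL + XBL (which includes CBL data) + PBL, so "in zen" means "in at least
one of those"; overlap is why the per-list counts can sum to more than the zen total.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

# Return codes per Spamhaus' published documentation. 127.0.0.3 (SBL CSS)
# postdates this 2007 summary but is included so the decoder is current.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (CBL data)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# Any 127.255.255.x answer is an error signal from Spamhaus (typo in the zone
# name, query through a public/open resolver, query quota exceeded), never a listing.
ERROR_PREFIX = "127.255.255."

Resolver = Callable[[str], List[str]]


def dnsbl_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Real lookup through the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def zen_lookup(ip: str, resolve: Resolver = system_resolver) -> Dict[str, object]:
    """Listing status plus the decoded component lists for one IP."""
    answers = resolve(dnsbl_name(ip))
    errors = [a for a in answers if a.startswith(ERROR_PREFIX)]
    if errors:
        # Fail open: a quota or resolver error must not turn into a mail rejection.
        return {"ip": ip, "listed": False, "lists": [], "error": errors[0]}
    lists = sorted({ZEN_CODES.get(a, "unknown " + a) for a in answers})
    return {"ip": ip, "listed": bool(lists), "lists": lists, "error": None}


def tally(ips: List[str], resolve: Resolver = system_resolver) -> Dict[str, int]:
    """Per-component counts in the style of the summary: how many IPs are in the
    CBL (via XBL), the PBL, the SBL, and in zen at all; errors counted separately."""
    counts = {"CBL": 0, "PBL": 0, "SBL": 0, "zen": 0, "error": 0}
    for ip in ips:
        r = zen_lookup(ip, resolve)
        if r["error"]:
            counts["error"] += 1
            continue
        if r["listed"]:
            counts["zen"] += 1
        for name in r["lists"]:
            if name.startswith("XBL (CBL"):
                counts["CBL"] += 1
            elif name.startswith("PBL"):
                counts["PBL"] += 1
            elif name.startswith("SBL"):
                counts["SBL"] += 1
    return counts


# Constructed, offline stand-in for DNS: TEST-NET-1 addresses with made-up answers.
SAMPLE_ANSWERS = {
    dnsbl_name("192.0.2.10"): ["127.0.0.4"],                # CBL-sourced XBL hit
    dnsbl_name("192.0.2.11"): ["127.0.0.11"],               # PBL only
    dnsbl_name("192.0.2.12"): ["127.0.0.4", "127.0.0.11"],  # in both CBL and PBL
    dnsbl_name("192.0.2.13"): ["127.0.0.2"],                # SBL only
    dnsbl_name("192.0.2.14"): [],                           # not listed (NXDOMAIN)
    dnsbl_name("192.0.2.15"): ["127.255.255.254"],          # asked via an open resolver
}
SAMPLE_IPS = ["192.0.2.%d" % n for n in range(10, 16)]


def sample_resolver(name: str) -> List[str]:
    """Hypothetical resolver backed by the constructed table above."""
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(zen_lookup(ip, sample_resolver))
    print(tally(SAMPLE_IPS, sample_resolver))
```

Over the constructed sample, two IPs count as CBL, two as PBL and one as SBL, but only four are "in zen", because one IP is in both the CBL and the PBL; the same overlap is what lets the summary above report 10 CBL, 8 PBL and 14 zen out of 30 without contradiction. If you wire `system_resolver` in, query through your own recursive resolver, not a public one, or every answer will be the 127.255.255.254 error and the fail-open branch will quietly accept everything.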