== Weekly spam summary on May 5th, 2007

This week, we:

* got 11,805 messages from 264 different IP addresses.
* handled 19,470 sessions from 1,321 different IP addresses.
* received 170,583 connections from at least 62,048 different IP addresses.
* hit a highwater of 11 connections being checked at once.

We had more sessions and more IPs connecting to us this week than [[last week SpamSummary-2007-04-28]] but fewer total connections, and your guess is as good as mine as to what it really means (if anything).

| Day | Connections | different IPs |
| Sunday | 21,310 | +8,843 |
| Monday | 32,292 | +13,696 |
| Tuesday | 23,799 | +8,856 |
| Wednesday | 22,444 | +6,896 |
| Thursday | 25,018 | +8,174 |
| Friday | 28,093 | +9,787 |
| Saturday | 17,627 | +5,796 |

This week Monday and Friday were the big days, with a run-down on Tuesday and a run-up on Thursday.

Kernel level packet filtering top ten:

  Host/Mask             Packets   Bytes
  68.230.240.0/23         34228   1662K   cox.net
  206.123.109.0/27        20656   1135K   otcpicknews
  213.4.149.12            19454   1012K
  205.152.59.0/24         18745    850K   bellsouth.net
  68.168.78.0/24          13503    648K   adelphia.net
  213.29.7.0/24            9039    542K   centrum.cz
  202.154.224.43           7387    443K
  195.5.254.0/24           4216    231K   nerim.net
  200.68.116.133           4163    200K
  67.53.104.2              4000    192K

Since the otcpicknews.com people are still at it, I've now awarded them their very own permanent kernel block entry. Otherwise, volume is up somewhat from [[last week]], and this week sees the addition of nerim.net to our rolling 'too much bad stuff' /24 blocks; they kept retrying stuff that had already tripped our spamtraps from an ever-changing set of hosts in that /24, and I got tired of shooting them down one by one.

* 213.4.149.12 returns from [[last week]], still mailhost.terra.es.
* 202.154.224.43 kept trying to send email with an origin address that had already tripped our spamtraps (probably advance fee fraud spam).
* 200.68.116.133 has bad reverse DNS information.
* 67.53.104.2 kept trying with a bad _HELO_.
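The rolling 'too much bad stuff' /24 rule described above, reduced to a small script as an added example (mine, not the post's or the mail system's own code). It assumes a hypothetical one-line-per-delivery log format of "client-ip sender recipient", a constructed set of spamtrap addresses, and constructed client IPs in the RFC 5737 documentation ranges; the function names, the three-host threshold and the separate block-list check are my choices, not anything the post describes.

```python
# Added example (not from the original post): replay a delivery log, refuse
# senders that have already tripped a spamtrap, and flag any /24 where those
# refused retries keep arriving from an ever-changing set of hosts.
from collections import defaultdict
import ipaddress

# Constructed sample log, hypothetical format: "client-ip sender recipient".
# Client IPs are in RFC 5737 documentation ranges; addresses are made up.
SAMPLE_LOG = """\
192.0.2.10 sales@spammer.example trap1@example.com
192.0.2.10 sales@spammer.example alice@example.com
192.0.2.23 sales@spammer.example bob@example.com
192.0.2.77 sales@spammer.example carol@example.com
192.0.2.140 win@lottery.example trap2@example.com
192.0.2.140 win@lottery.example dave@example.com
198.51.100.9 news@legit.example trap1@example.com
198.51.100.9 news@legit.example alice@example.com
203.0.113.4 friend@home.example alice@example.com
"""

# Constructed spamtrap recipients (assumption: traps are plain addresses).
SPAMTRAPS = {"trap1@example.com", "trap2@example.com"}


def parse_log(text):
    """Yield (ip, sender, recipient) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, sender, rcpt = parts
        try:
            yield ipaddress.ip_address(ip), sender, rcpt
        except ValueError:
            # Not an IP address at all; ignore rather than crash on bad input.
            continue


def classify(text, traps=SPAMTRAPS):
    """Replay the log in order and return (rejections, retries_by_net).

    rejections: list of (ip, sender) attempts refused because that sender had
      already hit a spamtrap earlier in the log.
    retries_by_net: {/24 network -> set of client IPs} for those refused tries,
      i.e. how many distinct hosts in each /24 kept pushing known-bad senders.
    """
    tripped = set()
    rejections = []
    retries_by_net = defaultdict(set)
    for ip, sender, rcpt in parse_log(text):
        if sender in tripped:
            rejections.append((str(ip), sender))
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            retries_by_net[net].add(ip)
        elif rcpt in traps:
            # First trap hit: remember the sender, refuse everything after it.
            tripped.add(sender)
    return rejections, retries_by_net


def candidate_blocks(retries_by_net, min_hosts=3):
    """Sorted /24s whose refused retries came from at least min_hosts distinct
    client IPs: candidates for a whole-network block instead of per-host ones."""
    return sorted(
        str(net) for net, hosts in retries_by_net.items() if len(hosts) >= min_hosts
    )


def is_blocked(ip, blocks):
    """True if a client IP falls inside any network in the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(block) for block in blocks)


if __name__ == "__main__":
    rejections, by_net = classify(SAMPLE_LOG)
    for ip, sender in rejections:
        print(f"refused {sender} from {ip}: sender already tripped a spamtrap")
    print("candidate /24 blocks:", candidate_blocks(by_net))
```

On the constructed log this refuses five deliveries and proposes 192.0.2.0/24 (four distinct hosts retrying trap-tripping senders) while leaving 198.51.100.0/24 alone, since its single host does not meet the threshold; the threshold is the knob that decides how quickly a /24 graduates from per-host rejections to a network block.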
It is pretty striking and depressing that the top ten is more than half network blocks this week, most of them blocked for excessive amounts of advance fee fraud spam.

Connection time rejection stats:

  39579 total
  21321 dynamic IP
  12543 bad or no reverse DNS
   4225 class bl-cbl
    204 class bl-pbl
    119 qsnews.net
    108 acceleratebiz.com
    105 216.75.6.0/24
    104 class bl-dsbl
     99 class bl-sbl
     96 otcpicknews.com
     95 class bl-njabl
     74 class bl-sdul
     24 verticalresponse.com

I note in passing how startlingly common it is for me to block the /24 a spammer hit us from and magically have that /24 light up in our stats, with connection attempts from all sorts of oddly named machines that we've never heard of before.

The highest source of SBL rejections this week is the same as [[last week]]: [[SBL49395 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL49395]] at 27 hits, a /24 listing for swishmail.com from December 23rd. Following it is [[SBL50181 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL50181]] with 23 rejections (microcamp.com.br's compromised web server, which has made the list several times before), and [[SBL52705 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL52705]] with 14 rejections (an advance fee fraud spam source listed March 23rd).

Only one of the top 30 most rejected IP addresses was rejected 100 times or more this week: 62.42.51.127, an onolab.com dynamic IP address, was rejected 241 times. Nine of the top 30 are currently in the CBL, one is in [[SBL34922 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL34922]], three are currently in _bl.spamcop.net_, seven are in the PBL, and a not so grand total of 11 of the 30 are in zen.spamhaus.org. (Locally, 10 were rejected as dynamic IP addresses, 9 for having bad or missing reverse DNS, 7 for being from various places we don't want to talk to, two for being in the CBL, one for being in the NJABL, and one for being in the [[DSBL http://www.dsbl.org/]].)

This week Hotmail achieved:

* 2 messages accepted.
* no messages rejected because they came from non-Hotmail email addresses.
* 34 messages sent to our spamtraps.
* 1 message refused because its sender addresses had already hit our spamtraps.
* 3 messages refused due to their origin IP address (one in the CBL, one from the Cote d'Ivoire, and one from Burkina Faso).

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad _HELO_s | 674 | 55 | 699 | 69 |
| Bad bounces | 42 | 23 | 125 | 57 |

The leading bad _HELO_ source is 67.52.252.210, with 73 tries.

Bad bounces were sent to 36 different bad usernames this week, which is coincidentally the same number as [[last week]]; the most popular was _nutvmme_, with 3 attempts. Usernames like _ClydeCall_ continue to be the most popular variety, sprinkled with valid ex-users, a few things like _kenburr_, and random jumbles. This week, Earthlink is the leading source of bad bounces, with additional contributions from all over.