== Weekly spam summary on June 16th, 2007

This week, we:
* got 10,437 messages from 238 different IP addresses.
* handled 19,475 sessions from 1,336 different IP addresses.
* received 213,499 connections from at least 71,964 different IP addresses.
* hit a highwater of 8 connections being checked at once.

This is down from [[last week SpamSummary-2007-06-09]] on the absolute numbers, but may be up somewhat if we exclude the effects of the one prolific connector from [[last week]]'s numbers. On the other hand, the per day numbers are floating all over the map:

| Day | Connections | different IPs
| Sunday | 29,880 | +12,325
| Monday | 32,009 | +11,720
| Tuesday | 26,008 | +8,842
| Wednesday | 28,879 | +8,772
| Thursday | 40,321 | +11,547
| Friday | 31,229 | +10,212
| Saturday | 25,173 | +8,546

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  68.230.240.0/23       30243   1469K   cox.net
  205.152.59.0/24       23438   1063K   bellsouth.net
  213.4.149.12          20606   1075K
  68.168.78.0/24        13129    630K   adelphia.net
  70.22.152.139          8783    411K
  216.244.151.246        8629    518K
  213.4.149.11           8429    438K
  72.244.103.211         8220    384K
  71.140.111.241         4791    224K
  74.15.184.141          4128    193K

This is down from [[last week]], and also only a few bad webmail sources have made the top ten this time around; for once, most of them are individual IPs.

* 213.4.149.12 and 213.4.149.11 return from [[last week]] and many previous engagements.
* 70.22.152.139 is in [[NJABL http://www.njabl.org/]].
* 216.244.151.246 was in the SBL, but the listing has been removed since it started banging on the door.
* 72.244.103.211 is something we consider a dynamic IP, and returns from [[two weeks ago SpamSummary-2007-06-02]].
* 71.140.111.241 kept trying to send us phish spam that had already tripped our spamtraps.
* 74.15.184.141 kept trying with a bad _HELO_ name.

Connection time rejection stats:

  58982 total
  29047 dynamic IP
  23305 bad or no reverse DNS
   4801 class bl-cbl
    316 qsnews.net
    314 class bl-dsbl
    271 class bl-njabl
    180 class bl-pbl
    176 class bl-sbl
     62 216.75.6.0/24
     37 acceleratebiz.com
     33 class bl-sdul

The funny /24 is 'IBS Hosting Corp' aka web1host.net of Tampa Florida, and we have [[seen them before SpamSummary-2007-05-12]].

The highest source of SBL rejections this week was 216.244.151.246 with 87 rejections, but its SBL listing has been removed, so the highest source still in the SBL is [[SBL55450 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL55450]] (24 rejections, a spam source), followed by [[SBL54907 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL54907]] (23 rejections, a virus spam source).

(Some trawling in news.admin.net-abuse.sightings suggests that we do not want to talk to 216.244.151.246 aka ebizlatin.com even if the SBL no longer lists them, so I have added them to our local blocklist.)

Four of the top 30 most rejected IP addresses were rejected 100 times or more this week, with the leader being 216.213.172.11 (237 rejections for being a qsnews.net machine). Nine of the top 30 are currently in the CBL, seven are currently in _bl.spamcop.net_, seven are in the PBL, and a grand total of fourteen of the 30 are in zen.spamhaus.org.

(Locally, 14 were rejected for missing or bad reverse DNS, 9 for being dynamic IPs, 3 for being people we don't want to talk to, 2 for being in the DSBL, one for being in the SBL, and one for being in the [[NJABL]].)

This week, Hotmail had:
* 2 messages accepted.
* no messages rejected because they came from non-Hotmail email addresses.
* 48 messages sent to our spamtraps.
* 6 messages refused because their sender addresses had already hit our spamtraps.
* 9 messages refused due to their origin IP address (three for being in the CBL, two for being in [[SBL52368 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL52368]], two for being from Burkina Faso, one for being from SAIX, and one for being in [[SBL32972 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL32972]], a listing from November ~~2005~~).

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 1557 | 118 | 1232 | 128
| Bad bounces | 185 | 141 | 312 | 177

The leading sources of bad _HELO_s this week are 206.51.227.134 (154 rejections), 66.6.97.210 (104 rejections), and 71.29.93.35 (77 rejections). Only one of them used a clearly bogus _HELO_ name; the others just picked unresolvable ones.

Bad bounces were sent to 178 different bad usernames this week; the most popular position is a seven-way tie between _indra_, _JeffereyMoore_, _GradyConklin_, _GoldieSimon_, _ElinorPowers_, _DennisSalazar_, and _DariusEsparza_, each of which had two attempts. This also neatly shows which sort of bad usernames were the most popular overall, although we saw a few odd ones like _har-miy_. No particular source of bad bounces stands out; contributions came from what are by now all of the usual suspects.