== Weekly spam summary on June 30th, 2007

This week, we:

* got 10,108 messages from 265 different IP addresses.
* handled 22,107 sessions from 2,055 different IP addresses.
* received 271,991 connections from at least 75,816 different IP addresses.
* hit a highwater of 13 connections being checked at once.

Volume is definitely up from [[last week SpamSummary-2007-06-23]].

As the per day table illustrates, spammers seem to still prefer Wednesday for their big day:

| Day | Connections | different IPs
| Sunday | 30,361 | +10,541
| Monday | 33,717 | +10,522
| Tuesday | 48,138 | +13,716
| Wednesday | 53,070 | +12,528
| Thursday | 36,163 | +10,467
| Friday | 39,189 | +10,501
| Saturday | 31,353 | +7,541

Kernel level packet filtering top ten:

  Host/Mask            Packets   Bytes
  213.4.149.12           48724   2534K
  205.152.59.0/24        18437    836K   bellsouth.net
  206.123.109.0/27       17088    944K   otcpicknews.com
  68.230.240.0/23        16148    784K   cox.net
  68.167.174.246         12468    584K
  199.239.248.157        11273    556K
  68.168.78.0/24         10395    499K   adelphia.net
  64.191.86.69            5511    331K
  208.108.197.97          4850    266K
  209.16.79.66            4122    198K

Here too volume is up from [[last week]], although not as much.

* 213.4.149.12 returns from [[last week]] and many prior appearances, once again showing no signs of giving up.
* 68.167.174.246 also returns from [[last week]]. As it happens, they appear to be 'thegrantinstitute.com' (according to their SMTP banner), which is someone we don't want to talk to anyways.
* 199.239.248.157 kept trying to send us phish spam.
* 64.191.86.69 is in hostnoc.net space and doesn't have working reverse DNS.
* 208.108.197.97 kept trying to send mail with an origin address that had already tripped our spamtraps.
* 209.16.79.66 kept trying a bad _HELO_.
Connection time rejection stats:

  85848 total
  48063 bad or no reverse DNS
  30626 dynamic IP
   5052 class bl-cbl
    318 class bl-pbl
    249 qsnews.net
    164 dartmail.net
    110 class bl-dsbl
     96 class bl-sdul
     85 class bl-sbl
     42 216.75.6.0/24
     30 class bl-njabl

The highest source of SBL rejections this week was technically 200.221.11.147 with 16 rejections, but their SBL record has already been removed; since this is zipmail.com.br, I will speculate wildly that they were listed for sourcing lots of advance fee fraud spam, which is certainly why we don't talk to them. After that was [[SBL56008 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL56008]] with 13 rejections and [[SBL53722 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53722]] with 10 rejections; both of them seem to have been listed as advance fee fraud spam sources.

Nine of the top 30 most rejected IP addresses were rejected 100 times or more; the champion is 202.61.62.248 (1,296 rejections), followed by 202.196.43.168 (750 rejections), 189.130.216.253 (437 rejections, bad), 189.130.216.241 (362 rejections), and 189.130.216.208 (178 rejections). All of them were rejected for bad or missing reverse DNS, but except for 202.196.43.168, all of them are also on either or both of the CBL and the PBL.

Thirteen of the top 30 are currently in the CBL, two are in the SBL (in [[SBL55457 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL55457]] and [[SBL52160 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL52160]], which is a depressing March 22nd listing of a Chinese /18 for spammer hosting), five are currently in _bl.spamcop.net_, eleven are in the PBL, and a grand total of 17 are in zen.spamhaus.org. (Locally, 22 were rejected for bad or missing reverse DNS, 4 for being dynamic IPs, and 4 for being various people we don't want to talk to.)

This week, Hotmail had:

* 5 messages accepted.
* no messages rejected because they came from non-Hotmail email addresses.
* 39 messages sent to our spamtraps.
* 3 messages refused because their sender addresses had already hit our spamtraps.
* 13 messages refused due to their origin IP address (eight in the CBL, two in [[SBL21128 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL21128]], one in [[SBL47233 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL47233]], one from Nigeria, and one from Burkina Faso).

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 4120 | 240 | 1072 | 136
| Bad bounces | 688 | 527 | 327 | 194

Things got bad this week. While I expected to find a big source or two of bad _HELO_s, the leading source this week was 66.55.8.242 with only 132 attempts, followed by 71.35.254.126 (83). Apparently there were just more people this week in the 30 to 60 attempts range.

Bad bounces were sent to 276 different bad usernames this week, with the most popular one by far being _jtpnu_ with 130 attempts, followed by _hvd_ with 68, _pnu_ with 61, _tpnu_ with 58, _dnwga_ with 35, and _vdnw_ with 31. Various patterns show up, including a surprising number that look Japanese, and to be generic there was a _fred_ and a _hello-everybody_ (along with a few ex-users).
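The rejection classes above (bl-cbl, bl-pbl, bl-sbl) and the separate zen.spamhaus.org total are related: zen is Spamhaus's combined zone, and the 127.0.0.x answer it returns says which list an IP hit, so an IP that is on both the CBL and the PBL counts once in each class but only once in zen. An added example, not code from this summary or its mail system, that builds the zen query name, maps answer codes to this summary's class names and tallies the union; the resolver stand-in and the 192.0.2.x answers are constructed so it runs offline.

```python
import ipaddress
from collections import Counter

ZEN = "zen.spamhaus.org"
# zen answers 127.0.0.x; the low octet says which list hit (Spamhaus's documented
# return codes). The class names are the ones this summary's rejection stats use.
ZEN_CLASSES = {
    2: "bl-sbl", 3: "bl-sbl", 9: "bl-sbl",               # SBL, SBL CSS, DROP
    4: "bl-cbl", 5: "bl-cbl", 6: "bl-cbl", 7: "bl-cbl",  # XBL (CBL data)
    10: "bl-pbl", 11: "bl-pbl",                          # PBL
}

def zen_query_name(ip, zone=ZEN):
    """DNSBL query name: the IPv4 octets reversed, under the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone

def classify(answers):
    """Map the A records a zen lookup returned to this summary's class names."""
    classes = set()
    for rr in answers:
        octets = rr.split(".")
        if octets[:3] != ["127", "0", "0"]:
            continue  # 127.255.255.x answers are errors, not listings
        cls = ZEN_CLASSES.get(int(octets[3]))
        if cls:
            classes.add(cls)
    return classes

def summarize(ips, resolve):
    """Per-class counts, plus how many IPs are in zen at all (a union)."""
    per_class, in_zen = Counter(), 0
    for ip in ips:
        classes = classify(resolve(zen_query_name(ip)))
        per_class.update(classes)
        in_zen += bool(classes)
    return per_class, in_zen

# Constructed stand-in for DNS so this runs offline: TEST-NET-1 addresses
# (192.0.2.0/24) with made-up zen answers.
FAKE_ANSWERS = {
    zen_query_name("192.0.2.10"): ["127.0.0.4"],                # CBL only
    zen_query_name("192.0.2.11"): ["127.0.0.4", "127.0.0.10"],  # CBL and PBL
    zen_query_name("192.0.2.12"): ["127.0.0.2"],                # SBL only
    zen_query_name("192.0.2.13"): [],                           # not listed
}

def fake_resolve(name):
    return FAKE_ANSWERS.get(name, [])
```

With a real resolver in place of fake_resolve, the per-class counts sum to more than the zen total whenever an IP is on several lists, which is the arithmetic behind the 13, 2, 11 and 17 figures above.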