== Weekly spam summary on July 7th, 2007

This week, we:

* got 9,123 messages from 254 different IP addresses.
* handled 17,076 sessions from 1,364 different IP addresses.
* received 264,864 connections from at least 70,143 different IP addresses.
* hit a highwater of 12 connections being checked at once.

Volume has dropped compared to [[last week SpamSummary-2007-06-30]], including total messages, which surprises me a bit. As we can see in the per-day table, spammers definitely didn't take the 4th of July off:

| Day | Connections | different IPs |
| Sunday | 32,966 | +11,408 |
| Monday | 36,064 | +10,472 |
| Tuesday | 37,471 | +10,684 |
| Wednesday | 39,405 | +8,540 |
| Thursday | 35,548 | +8,294 |
| Friday | 44,618 | +11,289 |
| Saturday | 38,792 | +9,456 |

Kernel level packet filtering top ten:

| Host/Mask | Packets | Bytes | |
| 213.4.149.12 | 45750 | 2379K | |
| 68.230.240.0/23 | 32348 | 1571K | cox.net |
| 205.152.59.0/24 | 23367 | 1059K | bellsouth.net |
| 206.123.109.0/27 | 23141 | 1272K | otcpicknews.com |
| 72.249.13.81 | 14404 | 790K | |
| 212.175.13.129 | 11458 | 687K | |
| 203.204.118.61 | 10494 | 630K | |
| 68.168.78.0/24 | 9691 | 465K | adelphia.net |
| 213.4.149.68 | 8924 | 518K | |
| 58.186.248.18 | 7720 | 371K | |

By contrast, volume here is up significantly from [[last week]], with the otcpicknews.com people still valiantly hammering away despite getting nowhere.

* 213.4.149.12 returns from [[last week]] and many weeks before.
* 72.249.13.81 is beaconresearchnews.com and returns from [[two weeks ago SpamSummary-2007-06-23]].
* 212.175.13.129 kept trying a bad _HELO_, which we've seen it do [[before SpamSummary-2007-06-02]].
* 203.204.118.61 is [[SBL49970 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL49970]], and we saw it before [[two weeks ago]].
* 213.4.149.68 kept trying with a bad _HELO_.
* 58.186.248.18 is a Vietnamese IP address with no reverse DNS.
Connection time rejection stats:

| 108292 | total |
| 74766 | bad or no reverse DNS |
| 26291 | dynamic IP |
| 5170 | class bl-cbl |
| 408 | class bl-pbl |
| 184 | qsnews.net |
| 99 | class bl-dsbl |
| 92 | class bl-sbl |
| 53 | class bl-njabl |
| 44 | class bl-sdul |
| 42 | beaconresearchnews.com |

Volume is up significantly from [[last week]], with almost all of it coming from bad reverse DNS issues; the volume jump is even more striking if you look at this compared to [[two weeks ago]].

The highest source of SBL rejections this week was [[SBL56296 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL56296]] (a compromised PC used for spam) with 17 rejections. After that was [[SBL53722 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53722]] (a cavtel.net webmail machine, advance fee fraud) with 15 rejections and [[SBL49970 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL49970]] with 14 rejections.

Twelve of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 222.123.154.220 (412 rejections), followed by 121.46.216.126 (391 rejections), 58.186.248.18 (307 rejections), and 87.217.143.79 (224 rejections, on the CBL). All but the last were rejected for bad or missing reverse DNS. Sixteen of the top 30 are currently in the CBL, three are currently in _bl.spamcop.net_, twelve are in the PBL, and a grand total of twenty are in zen.spamhaus.org. (Locally, 20 were rejected for bad or missing reverse DNS, 7 for being dynamic IP addresses, two for being people we don't want to talk to, and one for being in the CBL.)

This week, Hotmail managed:

* 3 messages accepted.
* 1 message rejected because it came from a non-Hotmail email address (a msn.com address, as it happens).
* 50 messages sent to our spamtraps.
* 3 messages refused because their sender addresses had already hit our spamtraps.
* 3 messages refused due to their origin IP address (one in the CBL and two from Burkina Faso).
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad _HELO_s | 825 | 99 | 4120 | 240 |
| Bad bounces | 222 | 149 | 688 | 527 |

That's certainly a nice improvement from [[last week]]. The leading source of bad _HELO_s this week was 67.52.59.170 with 86 attempts.

Bad bounces were sent to 154 different bad usernames this week, with the most popular one being _qp3902_ with 32 attempts. The most popular pattern for bad usernames is probably things like _RandyGallagher_, but we also saw bounce attempts to various others, including things like _narunaru-gogo_, _jmhn_, and the ever-popular _noreply_, along with some ex-users. I will call ezweb.ne.jp the most popular source of bounces, although it's hard to be completely sure; some people send bounces to us from only a few IPs, while others smear them over big clusters of machines.