Weekly spam summary on July 14th, 2007

July 15, 2007

Our SMTP frontend died (twice) around 8am on Friday morning, so some of the stats for this are partial stats and some of them are missing about two hours of data. That said, this week we:

  • got 10,583 messages from 249 different IP addresses.
  • handled 17,948 sessions from 1,258 different IP addresses.
  • received 257,246 connections from over 50,000 different IP addresses.
  • hit a highwater of 7 connections being checked at once.

This is pretty similar to last week. I've managed to more or less reconstruct the per-day information:

Day         Connections   New different IPs
Sunday           39,600             +11,157
Monday           34,312              +9,774
Tuesday          37,764             +10,198
Wednesday        44,447             +10,857
Thursday         31,044              +8,086
Friday           41,368             +11,090
Saturday         28,711              +8,448

(The one caution is that the 'different IPs' information is not reliable for Friday and Saturday, since it effectively starts from scratch.)

I continue to have no idea why spammers like Wednesday, but clearly they do.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       35913   1744K cox.net
213.4.149.12          27599   1435K terra.es
205.152.59.0/24       19880    901K bellsouth.net
24.155.195.124        18546    890K
213.29.7.0/24         11509    691K centrum.cz
68.167.174.246        10155    477K
76.65.201.70           6896    317K
68.168.78.0/24         5478    263K adelphia.net
206.221.36.51          4443    204K
69.94.123.79           4195    252K

Volume is down from last week.

  • 213.4.149.12 returns from last week and many previous appearances, and I'm probably going to stop explicitly noting it since it doesn't seem like it's going to go away any time soon.
  • 24.155.195.124 is on the CBL.
  • 68.167.174.246 is a covad.net address that we consider dynamic, and returns from the end of June.
  • 76.65.201.70, 206.221.36.51, and 69.94.123.79 all kept trying with bad HELOs.

Connection time rejection stats:

 104296 total
  68773 bad or no reverse DNS
  29517 dynamic IP
   4092 class bl-cbl
    492 qsnews.net
    246 class bl-pbl
    103 class bl-dsbl
     80 class bl-sbl
     23 class bl-njabl
      4 class bl-sdul

The highest source of SBL rejections this week was a tie between SBL48694 (known spam source) and SBL44995 (hinet.net mail hosts for the ROKSO listed 'Mei Lung Handicrafts / Chang Wen-Sheng') with thirteen each. Following them is SBL56453 (0catch.com, listed as a repeat advance fee fraud spam source) with seven.

Twelve of the top 30 most rejected IP addresses were rejected 100 times or more this week. Rather than write them out, I'm going to make a table:

Rejections  IP address
      2567  58.186.29.226
       752  58.69.147.80
       484  121.97.172.73
       419  200.69.153.217
       414  216.213.172.11
       368  61.252.110.3
       282  86.76.43.248
       263  125.234.232.88
       194  41.250.128.243
       126  85.107.94.89
       124  83.214.74.133
       102  59.95.207.131

With the exception of 216.213.172.11, all of these were rejected for bad or missing reverse DNS, although almost all are in the CBL and/or the PBL. In general, fifteen of the top 30 are currently in the CBL, four are currently in bl.spamcop.net, seventeen are currently in the PBL, and a grand total of 25 are in zen.spamhaus.org.
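The "currently in the CBL / PBL / zen" counts above come from DNSBL lookups. As an added example (not code from this post), here is how such a check maps a zen.spamhaus.org answer onto the rejection classes used in the stats above; the return-code table is Spamhaus's documented one, and the resolver is a constructed offline stand-in so the block runs without network access.

```python
import ipaddress
from typing import Callable, Iterable

# Spamhaus ZEN answer codes (from Spamhaus's public documentation), mapped onto
# the class names this post's rejection stats use.  The XBL component of zen is
# fed by the CBL, so the XBL range is counted as "bl-cbl" here.
ZEN_CODES = {
    "127.0.0.2": "bl-sbl",
    "127.0.0.3": "bl-sbl",    # SBL CSS
    "127.0.0.4": "bl-cbl",    # XBL (CBL data)
    "127.0.0.5": "bl-cbl",
    "127.0.0.6": "bl-cbl",
    "127.0.0.7": "bl-cbl",
    "127.0.0.10": "bl-pbl",
    "127.0.0.11": "bl-pbl",
}

Resolver = Callable[[str], Iterable[str]]   # query name -> A-record answers

def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the reversed-octet lookup name, e.g. 4.3.2.1.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)        # rejects junk input up front
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(ip: str, resolve: Resolver) -> list:
    """Return the sorted rejection classes a ZEN answer maps to ([] = not listed)."""
    answers = list(resolve(dnsbl_query_name(ip)))
    # 127.255.255.x answers are Spamhaus error codes (refused/blocked query),
    # not listings; treating them as a hit would reject mail on a lookup failure.
    if any(a.startswith("127.255.255.") for a in answers):
        raise RuntimeError("DNSBL query error, answers: %r" % answers)
    return sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})

def summarize(ips: Iterable[str], resolve: Resolver) -> dict:
    """Count how many of the given IPs fall into each class (one IP may hit several)."""
    counts = {}
    for ip in ips:
        for cls in classify(ip, resolve):
            counts[cls] = counts.get(cls, 0) + 1
    return counts

# Constructed stand-in for DNS (documentation-range IPs, made-up answers).
FAKE_ANSWERS = {
    dnsbl_query_name("198.51.100.7"): ["127.0.0.4"],                 # CBL only
    dnsbl_query_name("198.51.100.8"): ["127.0.0.4", "127.0.0.10"],   # CBL and PBL
    dnsbl_query_name("198.51.100.9"): ["127.0.0.2"],                 # SBL
}

def fake_resolve(name: str) -> list:
    return FAKE_ANSWERS.get(name, [])
```

A real deployment would replace fake_resolve with an actual DNS A lookup of the query name; an NXDOMAIN answer (empty list here) means "not listed".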

(Locally, 27 were rejected for bad or missing reverse DNS, two for being qsnews.net, and one for being a dynamic IP address.)

This week, Hotmail had:

  • 6 messages accepted, and I am pretty sure that most of them were spam.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 47 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 6 messages refused due to their origin IP address (two in the CBL, two in SBL52368, one from a United Arab Emirates satellite ISP provider, and one from the Cote d'Ivoire).

What          This week (distinct IPs)   Last week (distinct IPs)
Bad HELOs     705 (95)                   825 (99)
Bad bounces   219 (94)                   222 (149)

There is no really leading source of bad HELOs this week, by my standards (I draw the line somewhere around 50 to 75 rejections; no single one got over 45 this week).

Bad bounces were sent to 90 different bad usernames this week, with the most popular one being qp3902 with 82 attempts (the same as last week); the second most popular was actually an internal error, so I'm not going to list it (without it, we actually only had 181 bad bounces this week). The NoemiDotson bad username pattern is still popular, but it's joined by things like mikoponpon, d21terrano, and a number of ex-users.

The biggest single source of bad bounces was 194.242.226.91, with other contributions from all over (including some hinet.net machines; clearly the SBL hasn't listed all of their mail machines yet).

Written on 15 July 2007.