== Weekly spam summary on July 21st, 2007

This week, we:

* got 12,549 messages from 259 different IP addresses.
* handled 19,129 sessions from 1,520 different IP addresses.
* received 291,606 connections from at least 79,247 different IP addresses.
* hit a highwater of 8 connections being checked at once.

Connection volume is up pretty noticeably from [[last week SpamSummary-2007-07-14]]. Connection volume fluctuated all over the map over the week:

| Day | Connections | different IPs
| Sunday | 31,555 | +10,497
| Monday | 42,627 | +13,490
| Tuesday | 51,031 | +13,379
| Wednesday | 48,042 | +12,291
| Thursday | 47,331 | +11,707
| Friday | 39,278 | +9,727
| Saturday | 31,742 | +8,156

Kernel level packet filtering top ten:

    Host/Mask          Packets   Bytes
    213.4.149.12         43855   2281K  terra.es
    68.230.240.0/23      39764   1931K  cox.net
    195.238.6.226        22971   1103K
    205.152.59.0/24      21039    954K  bellsouth.net
    213.29.7.0/24        18151   1089K  centrum.cz
    196.28.61.0/24       10680    513K
    212.175.13.129        9065    544K
    202.161.93.77         8000    439K
    74.128.0.0/24         3162    147K  insightbb.com
    216.213.172.11        3129    172K

Volume is up from [[last week]], although not hugely, and it is more unevenly distributed; the top is higher and the bottom is lower. We have insightbb.com blocked as a source of webmail based advance fee fraud, like the other /24s on the list.

* 195.238.6.226 is a skynet.be/belgacom.be machine; we haven't talked to them for some time for various reasons.
* 212.175.13.129 returns from [[earlier this month SpamSummary-2007-07-07]] and several times before, still trying a bad _HELO_.
* 202.161.93.77 is an APNIC IP address with bad reverse DNS.
* 216.213.172.11 is still a qsnews.net machine, just as it was [[last week]]. I continue to be impressed with how qsnews.net is not on various DNS blocklists; I have no idea how they manage it.
Connection time rejection stats:

    115523 total
     68833 bad or no reverse DNS
     38937 dynamic IP
      6058 class bl-cbl
       263 class bl-pbl
       192 qsnews.net
        93 class bl-sbl
        75 class bl-dsbl
        72 reliablehosting.com
        24 acceleratebiz.com
         9 class bl-njabl
         2 class bl-sdul

It is hard to contain myself about the amazing coincidence that nine different acceleratebiz.com IPs, each with a different domain name, all tried to send us email this week (sometimes multiple times). I'm sure it's also a coincidence that most of them appear to have the same do-nothing website, too.

The highest source of SBL rejections this week was [[SBL48694 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL48694]] (the artists-networkinfo.com known spammers, listed 24 June) with 35 rejections. Second place goes to [[SBL53722 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53722]] (cavtel.net, advance fee fraud spam, listed 19 April) with 15 rejections.

Ten of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 196.218.140.174 (652 rejections), with (dis)honorable mentions for 217.54.2.210 (330 rejections), and 220.192.171.108 (297 rejections). All got rejected for having bad or missing reverse DNS. Sixteen of the top 30 are currently in the CBL, two are currently in _bl.spamcop.net_, thirteen are in the PBL, and a grand total of twenty three are in zen.spamhaus.org. (Locally, 24 were rejected for bad or missing reverse DNS, four for being people we don't want to talk to, and two for being classified as dynamic IPs.)

This week Hotmail had:

* 6 messages accepted; I'm reasonably sure that at least three of them were spam.
* no messages rejected because they came from non-Hotmail email addresses.
* 39 messages sent to our spamtraps.
* 1 message refused because its sender address had already hit our spamtraps.
* 4 messages refused due to their origin IP address (one in the CBL, two from the Cote d'Ivoire, and one from a South African wireless ISP).
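As an added illustration (not code from this post), here is how the zen.spamhaus.org membership tallied above (SBL, CBL and PBL) can be checked and counted in Python: the lookup reverses the IP's octets under the zone, and the 127.0.0.x address that comes back says which list hit. The code-to-class mapping follows Spamhaus's published zen documentation rather than anything in the post, and the IPs and answers in the demo are constructed so it runs without network access.

```python
import socket
from collections import Counter

# Mapping of zen.spamhaus.org answer codes to the class labels the stats above use.
# The codes follow Spamhaus's published documentation for zen (not taken from this post):
# 127.0.0.2-3 SBL, 127.0.0.4-7 XBL (which carries the CBL data), 127.0.0.10-11 PBL.
ZEN_CLASSES = {"127.0.0.2": "bl-sbl", "127.0.0.3": "bl-sbl",
               "127.0.0.4": "bl-cbl", "127.0.0.5": "bl-cbl",
               "127.0.0.6": "bl-cbl", "127.0.0.7": "bl-cbl",
               "127.0.0.10": "bl-pbl", "127.0.0.11": "bl-pbl"}

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def resolve_a(name):
    """Live resolver: A records for name, or [] when the name does not exist (= not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def dnsbl_classes(ip, resolver=resolve_a):
    """Classes zen reports for ip; an IP can be in several (e.g. CBL and PBL), or none."""
    answers = resolver(dnsbl_query_name(ip))
    return {ZEN_CLASSES.get(a, "bl-unknown") for a in answers if a.startswith("127.0.0.")}

def tally(ips, resolver=resolve_a):
    """Count rejections per class, in the shape of the connection time rejection stats above."""
    counts = Counter()
    for ip in ips:
        classes = dnsbl_classes(ip, resolver)
        if classes:
            counts["total"] += 1      # one rejected connection, whatever lists it hit
        for cls in classes:
            counts["class " + cls] += 1
    return counts

def format_stats(counts):
    """Render counts in the post's layout: right-aligned number, then the reason, total first."""
    rest = sorted((k for k in counts if k != "total"), key=lambda k: -counts[k])
    return [f"{counts[k]:>6} {k}" for k in ["total"] + rest]

if __name__ == "__main__":
    # Constructed answers for documentation-range IPs, so the demo runs offline.
    fake = {"10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
            "20.2.0.192.zen.spamhaus.org": ["127.0.0.2"]}
    print("\n".join(format_stats(tally(["192.0.2.10", "192.0.2.20", "192.0.2.30"],
                                       resolver=lambda n: fake.get(n, [])))))
```

Passing a resolver callable keeps the classification testable and lets it be pointed at a local mirror or a data-feed zone instead of the public one.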
And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 1120 | 113 | 705 | 95
| Bad bounces | 350 | 210 | 219 | 94

This week is distinctly worse than [[last week]]. The leading sources of bad _HELO_ attempts this week were 70.136.191.16 (118 attempts) and 216.23.126.213 (105 attempts); both were using names that ended in _.local_.

Bad bounces were sent to 318 different bad usernames this week, with the most popular one being a tie between _charron_ and _LucasLaird_ with 4 attempts each; [[last week]]'s _qp3902_ made one appearance. I am not going to try to assess what bad user name pattern was the most prevalent; interesting bad usernames included the minimalistic _s_, the all-digits _405_, the interesting _mayumi-totoro_ and _kinako-cat_, and the peculiar _0ue38815349020h_. A number were sent to ex-users.

The dominant bad bounce source this week seems to be Japan, especially ezweb.ne.jp; it is awfully tempting to block them entirely, since they haven't sent us any actual email in at least the past month and they keep doing this. But if I went down that road, there are any number of ISPs that would make the list.