== Weekly spam summary on August 11th, 2007

This week, we:
* got 11,040 messages from 245 different IP addresses.
* handled 20,069 sessions from 1,915 different IP addresses.
* received 344,743 connections from at least 97,338 different IP addresses.
* hit a highwater of 42 connections being checked at once.

Connection volume is down from [[last week SpamSummary-2007-08-04]]. This week the volume peak was clearly on Monday instead of Wednesday:

| Day | Connections | different IPs
| Sunday | 47,387 | +14,319
| Monday | 62,687 | +17,866
| Tuesday | 43,800 | +12,720
| Wednesday | 40,725 | +11,191
| Thursday | 56,906 | +16,513
| Friday | 53,297 | +14,396
| Saturday | 39,941 | +10,333

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  213.4.149.12          47178   2453K terra.es
  205.152.59.0/24       30310   1374K bellsouth.net
  213.29.7.0/24         24588   1475K centrum.cz
  68.230.240.0/23       18445    896K cox.net
  204.202.242.0/24       8250    429K rapidsite.net
  70.54.178.101          8181    393K
  208.11.149.93          5832    280K
  66.106.101.58          4611    235K
  68.168.78.0/24         4545    218K adelphia.net
  68.167.174.247         4109    192K

Overall volume is up slightly from [[last week]]. The number of individual IPs that are making the top ten remains low; I suspect that this is going to be the pattern, since I doubt the advance fee fraud spammers exploiting all of the various ISPs doing too-open webmail are going to stop trying to email us any time soon.

* 70.54.178.101 kept trying with an origin address that tripped our spamtraps the [[last time they tried SpamSummary-2007-06-02]].
* 208.11.149.93 is on the DSBL; [[last week]] it just made the top connection time stats, but it's moved up this week.
* 66.106.101.58 also returns from [[last week]], still in [[SBL57028 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL57028]].
* 68.167.174.247 returns from [[late July SpamSummary-2007-07-28]] and is still something we consider a dynamic IP.

Connection time rejection stats:

  135251 total
   63818 bad or no reverse DNS
   61561 dynamic IP
    7550 class bl-cbl
     478 class bl-pbl
     314 class bl-dsbl
     218 class bl-sbl
     189 premia networks
     184 qsnews.net
     133 class bl-sdul
      58 acceleratebiz.com
      26 class bl-njabl

Here 'premia networks' is 64.235.54.0/24 and 64.235.57.0/24, yet another place that lights up our spamtraps in a particularly telling, broadly distributed, and aggressive manner. Perhaps there is an innocent explanation, but in the meantime we aren't going to be talking to them.

The highest source of SBL rejections this week is the same as [[last week]]: [[SBL57113 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL57113]] aka 'speed tech inc', with 117 rejections. Following it is [[SBL48694 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL48694]] with 23 rejections, also returning from [[last week]], and [[SBL57435 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL57435]] aka 'fisksox.com et al' with 10 rejections.

Sixteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 210.56.96.91 with a jaw-dropping 6,877 rejections, followed by 61.17.143.183 (1,882 rejections) and 201.230.180.203 (1,230 rejections); everyone else has less than 500. Fifteen of the top 30 are currently in the CBL, eight are currently in _bl.spamcop.net_, fourteen are in the PBL, and a grand total of nineteen are currently in zen.spamhaus.org.

(Locally, 22 were rejected for bad or missing reverse DNS, 4 for being dynamic addresses, two for being people we don't want to talk to, one for being in the DSBL, and one for being in the CBL.)

This week, Hotmail had:
* 3 messages accepted.
* no messages rejected because they came from non-Hotmail email addresses.
* 46 messages sent to our spamtraps.
* 2 messages refused because their sender addresses had already hit our spamtraps.
* 4 messages refused due to their origin IP address (two in the CBL, one in [[SBL44539 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL44539]], and one from the Cote d'Ivoire).

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 1874 | 176 | 625 | 126
| Bad bounces | 692 | 487 | 82 | 51

The leading source of bad _HELO_ attempts this week is 67.50.159.134 (92 attempts with a _.local_ name), followed by 67.79.168.3 (81 attempts) and 62.225.190.98 (58 attempts). I continue to grind my teeth at the popularity of throwing _.local_ around on the general Internet.

Bad bounces were sent to 680 different bad usernames this week, with the most popular one being a many-way tie at two attempts each between the bad usernames oretachi-rowringzoku, oldeng, mytool, masaru-12-25, an ex-user, ky99, hustler-hildreth, dfgdgdgiyrww, bekind, Ned, and Dankertybpd. That pretty much gives the flavour of the bad usernames this week right there, with a few like _GordyBaze_ thrown in for good measure.