== Weekly spam summary on August 18th, 2007

This week, we:

* got 12,100 messages from 261 different IP addresses.
* handled 22,629 sessions from 2,180 different IP addresses.
* received 434,144 connections from at least 121,837 different IP addresses.
* hit a highwater of 31 connections being checked at once.

So much for any chance that volume would go down compared to [[last week SpamSummary-2007-08-11]]. I believe that the higher session volume is at least partly because of compromised spam zombies getting past my relatively weak greylisting precautions.

| Day | Connections | different IPs
| Sunday | 40,431 | +15,128
| Monday | 65,293 | +17,229
| Tuesday | 77,288 | +17,074
| Wednesday | 70,746 | +20,302
| Thursday | 61,045 | +17,116
| Friday | 69,455 | +18,689
| Saturday | 49,886 | +16,299

The peak day may be migrating back to Wednesday, but really, all that seems reasonably apparent is that some spammers take weekends off.

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  213.4.149.12          25371   1319K   terra.es
  68.230.240.0/23       19247    935K   cox.net
  213.29.7.0/24         17643   1059K   centrum.cz
  68.168.78.0/24        11520    553K   adelphia.net
  213.4.149.68           8350    484K
  195.238.6.228          7739    371K
  61.128.0.0/10          6192    342K   China
  85.114.132.50          5932    356K
  62.94.0.34             4727    212K
  200.63.215.74          4568    219K

Volume here is down from [[last week]], and not as many of the usual open webmail suspects have shown up.

* 213.4.149.68 kept trying with a bad _HELO_; we saw it before in [[early July SpamSummary-2007-07-07]].
* 195.238.6.228 returns from [[late July SpamSummary-2007-07-28]].
* 85.114.132.50 is [[SBL52705 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL52705]], although we don't talk to fastwebserver.de anyways.
* 62.94.0.34 is another place we don't talk to because of open webmail; it previously appeared [[all the way back in December of 2006 SpamSummary-2006-12-23]].
* 200.63.215.74 has bad reverse DNS.

Connection time rejection stats:

  203098 total
   96920 bad or no reverse DNS
   91776 dynamic IP
   10786 class bl-cbl
    1121 class bl-pbl
     264 class bl-sdul
     264 class bl-dsbl
     213 class bl-sbl
     154 dartmail.net
      48 acceleratebiz.com
      46 officepubs.com
      45 67.98.250.0/24
      19 class bl-njabl

This is quite a volume increase over [[last week]], almost all of it in the top four reasons.

The highest source of SBL rejections this week is [[SBL57804 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL57804]], a /18 listed as a 'spam source range', with 66 rejections. Following it is [[SBL49824 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL49824]] (a /27 listed 27 January) with 21 rejections, and [[SBL52705 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL52705]] (85.114.132.50) with 19 rejections, and [[SBL55920 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL55920]] (another advance fee fraud spam source) with 17 rejections.

Eighteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 200.63.215.74 (2,259 rejections), followed by 201.9.243.8 (644 rejections) and 190.65.82.107 (572 rejections). Seventeen of the top 30 are currently in the CBL, seven are currently in _bl.spamcop.net_, twenty are in the PBL, and a grand total of 26 are in zen.spamhaus.org. (Locally, 19 were rejected for bad or missing reverse DNS, 10 for being dynamic IP addresses, and one for being in the CBL.)

This week, Hotmail had:

* 2 messages accepted.
* no messages rejected because they came from non-Hotmail email addresses.
* 26 messages sent to our spamtraps.
* 1 message refused because its sender address had already hit our spamtraps.
* 4 messages refused due to their origin IP address (two in the CBL, one from Ghana, and one from the Cote d'Ivoire).

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 1782 | 232 | 1874 | 176
| Bad bounces | 339 | 268 | 692 | 487

The leading source of bad _HELO_ attempts this week is 212.15.28.2 (87 attempts), followed by 67.113.162.150 and 64.80.183.134 at 67 attempts each.

Bad bounces were sent to 297 different bad usernames this week, with the most popular one being _RalphPlatt_ with 7 attempts. That bad username pattern staged a resurgence this week, although it is still fighting it out with various other ones like _robachan_ and _p886_. Interestingly, I am now seeing some names like _kostaqHovern_ with a capital shoved in the middle of the username.