== Weekly spam summary on August 25th, 2007

This week, we:

* got 10,965 messages from 236 different IP addresses.
* handled 18,098 sessions from 1,724 different IP addresses.
* received 376,478 connections from at least 114,062 different IP addresses.
* hit a highwater of 18 connections being checked at once.

Things are down a bit from [[last week SpamSummary-2007-08-18]], but we are still being hammered by spammers, mostly using compromised zombies. The per day table shows the usual fluctuations, and I may have to take back what I said [[last week]] about spammers taking the weekend off:

| Day | Connections | different IPs |
| Sunday | 60,834 | +21,210 |
| Monday | 54,929 | +17,802 |
| Tuesday | 66,120 | +18,975 |
| Wednesday | 46,149 | +12,105 |
| Thursday | 51,054 | +13,753 |
| Friday | 52,125 | +16,444 |
| Saturday | 45,267 | +13,773 |

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  213.4.149.12          29344   1526K  terra.es
  206.123.109.0/27      26590   1465K  otcpicknews.com
  68.230.240.0/23       23006   1117K  cox.net
  62.75.224.83          16174    970K
  85.114.132.50         13962    838K
  213.29.7.0/24         13270    796K  centrum.cz
  72.249.13.81          12254    675K
  213.4.149.241          9862    526K
  68.168.78.0/24         7506    360K  adelphia.net
  209.225.8.0/24         5940    332K  charter.net

Total volume is up from [[last week]], but that may be because I got aggressive about throwing /24s of advance fee fraud webmail spam sources into the kernel blocks instead of blocking each outbound SMTP gateway one by one. On the other hand, in the top 10 that only explains charter.net; all the other subnets are perennial regulars.

* 62.75.224.83 is in a domain that has sent us (too much) phish spam.
* 85.114.132.50 returns from [[last week]], still in [[SBL52705 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL52705]] and all.
* 72.249.13.81 is beaconreasearchnews.com and returns from [[July SpamSummary-2007-07-07]].
* 213.4.149.241 has bad reverse DNS.
Connection time rejection stats:

  177280 total
   91953 dynamic IP
   73454 bad or no reverse DNS
    8910 class bl-cbl
     516 qsnews.net
     378 class bl-pbl
     304 class bl-sbl
     293 class bl-sdul
     253 class bl-dsbl
     128 dartmail.net
      38 class bl-njabl
      33 officepubs.com

The drastic drop in PBL rejections may partly be because we lost access to the Spamhaus DNSBLs for a few days this week (and may lose access to them for longer, depending on how things shake out). I'd say the same thing about the SBL, but it is actually up somewhat this week. The highest source of SBL rejections this week is [[SBL57946 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL57946]] with 263 rejections; Spamhaus lists this as a /28 of 'spam sources', with the record created August 18th. The next up is [[SBL57804 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL57804]], returning from [[last week]] but with only 9 rejections this time around; this may partly be because we have more or less explicit blocks for that network now.

Eighteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 88.234.24.235 (1,940 rejections), followed by 200.28.226.14 (1,215 rejections) and 85.96.134.232 (565 rejections). Thirteen of the top 30 are currently in the CBL, twelve are currently in _bl.spamcop.net_, twenty six are in the PBL, and a grand total of twenty nine are in zen.spamhaus.org; the one IP address out of the top 30 that is not in zen.spamhaus.org is a qsnews.net machine. (Locally, 15 were rejected for bad or missing reverse DNS, 13 for being dynamic IP addresses, 1 for being qsnews.net, and 1 for being in the CBL.)

This week, Hotmail had:

* 2 messages accepted.
* 1 message rejected because it came from a non-Hotmail email address, in this case a msn.com address.
* 33 messages sent to our spamtraps.
* 3 messages refused because their sender addresses had already hit our spamtraps.
* 2 messages refused due to their origin IP address (one from saix.net, one from the Cote d'Ivoire).
And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad _HELO_s | 949 | 168 | 1782 | 232 |
| Bad bounces | 162 | 121 | 339 | 268 |

There was no particularly leading source of bad _HELO_s this week; the highest were 207.245.38.236 (58 attempts) and 203.86.238.105 (51 attempts), both with _.local_ names.

Bad bounces were sent to 152 different bad usernames this week, with the most popular one being _SHOUGEE_ with 7 attempts. Typical bad usernames and patterns included _xxqsfclq_, _JarvisSloan_, _Eloy_, _mj_, and _sdasa285_; I'm not going to try to pick a winner among the patterns this week. The most disheartening source of bad username bounces has to be two from _mail-abuse.org_.