== Weekly spam summary on September 29th, 2007

This week, we:

* got 11,909 messages from 265 different IP addresses.
* handled 26,934 sessions from 2,995 different IP addresses.
* received 297,885 connections from at least 101,029 different IP addresses.
* hit a highwater of 16 connections being checked at once.

Volume is a bit up from [[last week SpamSummary-2007-09-22]]. Looking at the numbers I am reminded of how striking the number of different IP addresses is; the average connection source made less than three connections to us, where the average session source made nine connections (and the average mail source probably did even better, since that is an average of about 44 messages per IP).

| Day | Connections | different IPs
| Sunday | 40,875 | +14,708
| Monday | 39,537 | +16,197
| Tuesday | 38,779 | +14,952
| Wednesday | 59,611 | +17,304
| Thursday | 49,560 | +14,939
| Friday | 37,500 | +10,877
| Saturday | 32,023 | +12,052

Apparently the spammers are back to abusing us on Wednesdays.

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  72.249.13.64/26       19977   1096K   otcpicknews.com
  213.180.130.0/24      17928   1076K   onet.pl
  89.18.190.60          13567    814K
  68.168.78.0/24        11478    551K   adelphia.net
  213.29.7.0/24         10808    648K   centrum.cz
  66.15.119.165          9019    422K
  68.230.240.0/23        8400    408K   cox.net
  139.55.101.14          8287    421K
  202.5.93.20            8082    388K
  212.170.236.211        6257    375K

Volume is significantly up from [[last week]].

* 89.18.190.60 returns from [[last week]].
* 66.15.119.165 kept trying to send us bad _HELO_s and returns from a previous appearance in [[February SpamSummary-2007-02-17]].
* 139.55.101.14 is something we consider a dynamic IP.
* 202.5.93.20 is an APNIC IP address with broken reverse DNS.
* 212.170.236.211 kept trying with a bad _HELO_.

(It warms the black cockles of my heart to see that throwing otcpicknews.com's other netblock straight into our kernel filters was absolutely the right thing to do.)

Connection time rejection stats:

  83117 total
  41427 bad or no reverse DNS
  35442 dynamic IP
   4001 class bl-cbl
    332 class bl-dsbl
    291 acceleratebiz.com
    261 class bl-pbl
    255 class bl-sdul
    188 class bl-sbl
    125 qsnews.net
     86 class bl-njabl
     42 officepubs.com
     24 verticalresponse.com

Perversely, volume is down here compared to [[last week]].

The highest source of SBL rejections this week was [[SBL58952 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL58952]] with 66 rejections (a recent listing for a spam source), followed by [[last week]]'s leading contents of [[SBL53319 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53319]] with 25 rejections and [[SBL48694 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL48694]] with 23 rejections. (Better luck next time, you two! Oh wait, what am I saying? Please drop off the Internet.)

Seventeen of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 124.157.174.227 (1,412 rejections), followed by 203.134.218.225 (1,375 rejections) and 61.7.132.40 (301 rejections). Five are currently in the CBL, two are currently in _bl.spamcop.net_, six are currently in the PBL, and a grand total of (only) eight are in zen.spamhaus.org. I don't know why these numbers are so low.

(Locally, 20 were rejected for bad or missing reverse DNS, 8 for being dynamic IP addresses, one for being in the NJABL, one for being in the DSBL. Two of those have since changed their status and would not be blocked now.)

This week, Hotmail had:

* 4 messages accepted.
* no messages rejected because they came from non-Hotmail email addresses.
* 27 messages sent to our spamtraps.
* no messages refused because their sender addresses had already hit our spamtraps.
* 1 message refused due to its origin IP address being from the Cote d'Ivoire.

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 5489 | 399 | 1379 | 190
| Bad bounces | 1521 | 1115 | 287 | 200

Ah. Well. That would explain a certain amount of everything; we seem to have been forged as a spam origin in a big way, judging by how these numbers have jumped so dramatically. The leading source of bad _HELO_s this week was 64.109.69.81 (218 attempts), followed by 84.12.142.111 (89 attempts), 202.134.71.85 (83 attempts), and then a lot more.

Bad bounces were sent to 1,421 different bad usernames this week, with the most popular one being _grabes_ with 19 attempts, followed by _NortonPinero_ with 10. _SHOUGEE_ returns from [[last week]] with 3 attempts, mixed in with all sorts of others that I am not going to try to pick through, including ex-users. My pick for the most ironic source of bad bounces this week has to be _AntiSpam.Awesome.net_. (No and no, respectively.)