== Weekly spam summary on October 13th, 2007

This week, we:
* got 11,905 messages from 252 different IP addresses.
* handled 27,710 sessions from 2,367 different IP addresses.
* received 342,122 connections from at least 124,401 different IP addresses.
* hit a highwater of 36 connections being checked at once.

Connection volume seems up a bit from [[last week SpamSummary-2007-10-06]], although it's hard to be entirely sure. Session volume is definitely up, pretty much to the level it was two weeks ago.

| Day | Connections | different IPs
| Sunday | 52,106 | +22,241
| Monday | 72,645 | +27,772
| Tuesday | 47,247 | +16,403
| Wednesday | 33,365 | +13,620
| Thursday | 52,521 | +21,076
| Friday | 48,166 | +12,650
| Saturday | 36,072 | +10,639

It's interesting that this seems to vary all over the map from day to day, and it amuses me that Wednesday, for long the most active day, is the least active day this week.

Kernel level packet filtering top ten:

  Host/Mask           Packets   Bytes
  213.180.130.0/24      22255   1335K onet.pl
  72.249.13.64/26       14924    819K otcpicknews.com
  68.230.240.0/23       12994    631K cox.net
  213.4.149.241         10710    571K
  218.0.0.0/11           8620    419K CHINANET
  68.99.120.0/24         8496    400K coxmail.net
  204.127.225.0/24       6321    405K comcast.net
  206.18.177.0/24        6146    393K comcast.net
  213.29.7.0/24          5579    335K centrum.cz
  209.51.135.180         5141    282K

Volume is down a bit from [[last week]], but not really significantly, and once again almost all of the top 10 is netblocks.

* 213.4.149.241 kept trying with bad _HELO_s; we saw it before in [[August SpamSummary-2007-08-25]].
* 209.51.135.180 kept trying to send us mail with an origin address that had already tripped our spamtraps.

Connection time rejection stats:

  111794 total
   54499 bad or no reverse DNS
   47536 dynamic IP
    5567 class bl-cbl
     973 class bl-pbl
     458 class bl-dsbl
     317 qsnews.net
     296 class bl-sbl
     280 class bl-sdul
     149 class bl-njabl
     129 dartmail.net
     125 acceleratebiz.com

The highest source of SBL rejections this week is [[SBL56712 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL56712]] with 94 rejections (a /28 listed as a spam source for power-cl1cks.com, listed in July), followed by [[SBL59518 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL59518]] with 79 rejections (a /24 also for 'power-cl1cks2.com'), and [[SBL58952 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL58952]] with 33 rejections (a /27 from September, 'spwu10.net'). I've seen other spwu10.net machines crop up from 74.223.112.0/22, so I think it and them are going into our overall blocklists.

(A modest suggestion to people: do not give your domains sequence numbers. It does not really look good.)

Eight of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 200.186.145.197 (1,259 rejections), followed by 200.177.119.109 (388 rejections). Oddly enough, *none* of the top 30 appear to be showing up on any of the popular DNS blocklists this week; this seems implausible, which means that something is broken somewhere. (Locally, 16 were rejected for being dynamic IP addresses, 11 for having bad or missing reverse DNS, 2 for being qsnews.net, and 1 for being qsc.de.)

This week, Hotmail had:
* no messages accepted.
* no messages rejected because they came from non-Hotmail email addresses.
* 49 messages sent to our spamtraps.
* 2 messages refused because their sender addresses had already hit our spamtraps.
* 4 messages refused due to their origin IP address (one in the CBL, one from Nigeria, one from Ghana, and one from saix.net aka telkom.co.za).

And the final numbers:

| what | # this week | (distinct IPs) | # last week | (distinct IPs)
| Bad _HELO_s | 6739 | 363 | 1751 | 270
| Bad bounces | 669 | 553 | 114 | 78

The leading source of bad _HELO_s this week was 208.223.173.169 (243 attempts), followed by 202.155.205.242 (123 attempts), and 216.157.197.66 (91 attempts). There are a lot of people with relatively high counts (above 50 attempts), which is not really surprising given the stats.

Bad bounces were sent to 650 different bad usernames this week, with the most popular one being ((Jayce_Pirani)) with 5 attempts, followed by _HoratioClemens_ with 4 attempts and _MaxwellFocke_ and [[last week]]'s winner _SHOUGEE_ with 3 attempts each. There was one attempt to the all-number bad username _405_ and one to _"Gresham,"_ (sic), and some to ex-users, but with 650 of them I'm not going to study them carefully enough to draw real conclusions.