What follows is the output of pfrtg monthly reports. The particular reports chosen are
  1. The top 100 entries for
  2. Traffic sources that sent packets over a month with at least a week's separation between some packets
  3. Sent to my Class C, which was first routed in 200501, and has yet to be used for anything legitimate
  4. There is some port 25/tcp and 53/udp traffic that may have been caused by me, but the rest is unsolicited, as well as some traffic to my fixed IP address, included in this, but very little. My newer filters should ignore this, but these reports were already run.
Take a careful look at the first entry in July 2005
  1. The host 61.152.158.105
  2. Sent packets to my Class C between the 3rd and the 23rd inclusive
  3. To 256 different addresses (yes, they send to the .0 address!)
  4. Sending messenger spam (port 1026 and 1027, I've got the messages recorded too)
  5. Sending a total of 237,986 packets and
  6. a total of 107,431,643 bytes. Yes, that is 100 Megs of traffic!
 count:          source          11111111112222222222333  bytes  dstn  some ports
 -----:          ------ 12345678901234567890123456789012 ------  ----  -----
237986: 61.152.158.105  ..MMMMMMMMMMMMMMMMMMMMM..........107431643 256 N 2:  1026 1027
They also sent some more messenger spam on the 9th and 10th of August.
 count:          source          11111111112222222222333  bytes  dstn  some ports
 -----:          ------ 12345678901234567890123456789012 ------  ----  -----
 21616: 61.152.158.105  .........MM......................8192464 256 N 2:  1026 1027
To take the monthly report, I concatenate all the daily log files (I keep the logs by day on my system) using tcpslice, being careful to make sure that the files are concatenated in the correct chronological order. That means /var/log/pflog.30.gz, /var/log/pflog29.gz, etc...
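
The ordering step above, as an added example that is not the author's own script: a plain shell glob sorts pflog.10.gz before pflog.2.gz, so the rotation number has to be sorted numerically. The function names, the temporary directory and the assumption that the live file is called pflog and that every rotated file is named pflog.N.gz are illustrative.

```shell
#!/bin/sh
# Added example. Assumed layout: rotated logs are pflog.N.gz with a higher N
# meaning an older file, and the live (unrotated) log is named "pflog".

# Print the capture files of a directory oldest first:
# highest rotation number first, live file last.
pflog_order() {
    dir=$1
    for f in "$dir"/pflog.*.gz; do
        [ -e "$f" ] || continue
        n=${f##*/pflog.}             # drop the path and the "pflog." prefix
        n=${n%.gz}                   # drop ".gz", leaving the rotation number
        case $n in
            ''|*[!0-9]*) continue ;; # ignore names without a numeric suffix
        esac
        printf '%s %s\n' "$n" "$f"
    done | sort -rn | cut -d' ' -f2-
    if [ -f "$dir/pflog" ]; then printf '%s\n' "$dir/pflog"; fi
}

# Decompress the files in that order and join them into one capture file.
# tcpslice is given uncompressed copies, named so the order stays visible.
pflog_month() {
    dir=$1 out=$2
    tmp=$(mktemp -d) || return 1
    i=0
    set --                           # collect the ordered parts in "$@"
    for f in $(pflog_order "$dir"); do
        i=$((i + 1))
        part=$(printf '%s/%03d.pcap' "$tmp" "$i")
        case $f in
            *.gz) gzip -dc "$f" > "$part" ;;
            *)    cp "$f" "$part" ;;
        esac
        set -- "$@" "$part"
    done
    rc=0
    tcpslice -w "$out" "$@" || rc=$?
    rm -rf "$tmp"
    return $rc
}

# Example call (hypothetical output name): pflog_month /var/log month.pcap
```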

And finally, the logs...
200501 200502 200503 200504 200505 200506 200507 200508a


Here is another set of logs, this time, the source port is either 20,21,22 or 80. There had never been an outgoing connection to port 22 or 80 or any other port from this DarkNet.
200501 200502 200503 200504 200505 200506 200507 200508a


If you are interested in my DarkNet tcpdump/pcap tracefiles, they have the OpenBSD default snap of 115 bytes, and are available to anyone with a good reason. openbsd . at . otterhole.ca