Weekly spam summary on August 20th, 2005
The overall SMTP connection rate has dropped from last week, down to 140,000 SMTP connections from at least 36,000 different IP addresses. The SMTP frontend hit a high-water of 16 simultaneous connections, I believe relatively early in the week, so I suspect we saw the spillover from last week's traffic burst last Sunday and maybe Monday and then a normal rest of the week.
Kernel level IP rejections:
Host/Mask Packets Bytes 188.8.131.52 10721 515K 184.108.40.206/24 7974 434K 220.127.116.11 7469 359K 18.104.22.168/10 6122 297K 22.214.171.124 6086 292K 126.96.36.199 5587 268K 188.8.131.52 5136 261K 184.108.40.206 3812 229K 220.127.116.11 3807 194K 18.104.22.168 3462 166K
This seems to have been a slow week for Chinese networks (our usual source of rejections from large netblocks); only one made it into the top ten. The individual hosts listed are the usual grab-bag assortment of dynamically added places, with some faces reappearing from last week (22.214.171.124 remaining listed in dnsbl.njabl.org).
Connection-time rejections run:
23940 total 11281 dynamic IP 8525 bad or no reverse DNS 1699 class bl-cbl 532 class bl-spews 434 class bl-ordb 424 class bl-dsbl 377 class bl-sbl 114 class bl-njabl 110 class bl-sdul 2 class bl-opm
(Embarrassingly, I only got around to automating this report via a script this week. When will I learn to take my own advice?)
No single IP address was a really big source of connection-time rejections.
HELO greetings are well down from last week but are up somewhat
over the week before that, which could be more signs of a
Sunday/Monday spillover effect.
Mutating Referer Spammers
Last week's Referer spammers have changed what they're shilling for and mutated their methods. Currently they seem to be shilling for online poker, although instead of clickthrough payments they seem to be angling for 'affiliate' payouts when they get people to sign up at places like pacificpoker.com, fairpoker.com, partypoker.com, and 888.com (which seem unrelated to each other).
All of the websites being Referer-spammed for are still at the IP address 126.96.36.199. Domains they've used so far include webimagineer.net, blevensdamman.com, computerxchange.com, hebei-gelatin.com, casino-solution.com, upthekazoo.com, and homesbysellers.net. Usually (but not always) they use subpages. (As with last week's domains, these also appear in blog comment spam.)
As last week, they continue to hit only the spam category blog page. However, two other bits have changed:
- they've switched over to URL-encoding the '
~' in the blog's URL; since they're the only visitors to do this, it makes their requests quite distinctive.
- they are now making the requests from XBL-listed IP addresses (and from some that are on other DNS blocklists as compromised hosts).
Using zombies and other compromised machines slides them well over the line into black-hat territory and criminality. I suspect that anet.net (aka 'ANET Solutions Inc'), their web host, will continue to not do very much to deal with their spammers.
Given their current obliviousness to the lack of success that their attempts are having here, I'm not sure that making DWiki return error messages on their attempts would have any effect. Their software is probably pretty 'fire and forget and ignore'.
Updated Aug 23rd: they've now stopped entity-encoding the '
the blog's URL. Probably a software setting got changed again.
Some DNS blocklist stats on web requests
Over the past 28 days and change, we've had web requests from about 9,250 different IP addresses. Of those, only 250 IP addresses are currently listed in the XBL, and only 32 IP addresses were in the SBL. The leading SBL listing is SBL26426, which seems to be SAIX's web-cache proxies, listed for being a 'Nigerian 419' source; many of the other SBL listings are for the same thing.
Overall, I doubt I'm going to be using any DNS blocklist in front of our web server any time soon.