Wandering Thoughts archives

2005-08-21

Weekly spam summary on August 20th, 2005

The overall SMTP connection rate has dropped from last week, down to 140,000 SMTP connections from at least 36,000 different IP addresses. The SMTP frontend hit a high-water of 16 simultaneous connections, I believe relatively early in the week, so I suspect we saw the spillover from last week's traffic burst last Sunday and maybe Monday and then a normal rest of the week.

Kernel level IP rejections:

Host/Mask           Packets   Bytes
207.235.38.19         10721    515K
212.216.176.0/24       7974    434K
203.98.175.42          7469    359K
61.128.0.0/10          6122    297K
192.35.251.3           6086    292K
170.206.225.64         5587    268K
68.164.24.147          5136    261K
80.55.43.26            3812    229K
82.235.46.17           3807    194K
216.7.201.43           3462    166K

This seems to have been a slow week for Chinese networks (our usual source of rejections from large netblocks); only one made it into the top ten. The individual hosts listed are the usual grab-bag assortment of dynamically added places, with some faces reappearing from last week (170.206.225.64 remaining listed in dnsbl.njabl.org).

Connection-time rejections run:

  23940 total
  11281 dynamic IP
   8525 bad or no reverse DNS
   1699 class bl-cbl
    532 class bl-spews
    434 class bl-ordb
    424 class bl-dsbl
    377 class bl-sbl
    114 class bl-njabl
    110 class bl-sdul
      2 class bl-opm

(Embarrassingly, I only got around to automating this report via a script this week. When will I learn to take my own advice?)

No single IP address was a really big source of connection-time rejections.

Bad HELO greetings are well down from last week but are up somewhat over the week before that, which could be more signs of a Sunday/Monday spillover effect.

spam/SpamSummary-2005-08-20 written at 01:37:24; Add Comment

Mutating Referer Spammers

Last week's Referer spammers have changed what they're shilling for and mutated their methods. Currently they seem to be shilling for online poker, although instead of clickthrough payments they seem to be angling for 'affiliate' payouts when they get people to sign up at places like pacificpoker.com, fairpoker.com, partypoker.com, and 888.com (which seem unrelated to each other).

All of the websites being Referer-spammed for are still at the IP address 64.4.195.62. Domains they've used so far include webimagineer.net, blevensdamman.com, computerxchange.com, hebei-gelatin.com, casino-solution.com, upthekazoo.com, and homesbysellers.net. Usually (but not always) they use subpages. (As with last week's domains, these also appear in blog comment spam.)

As last week, they continue to hit only the spam category blog page. However, two other bits have changed:

  • they've switched over to URL-encoding the '~' in the blog's URL; since they're the only visitors to do this, it makes their requests quite distinctive.
  • they are now making the requests from XBL-listed IP addresses (and from some that are on other DNS blocklists as compromised hosts).

Using zombies and other compromised machines slides them well over the line into black-hat territory and criminality. I suspect that anet.net (aka 'ANET Solutions Inc'), their web host, will continue to not do very much to deal with their spammers.

Given their current obliviousness to the lack of success that their attempts are having here, I'm not sure that making DWiki return error messages on their attempts would have any effect. Their software is probably pretty 'fire and forget and ignore'.

Updated Aug 23rd: they've now stopped entity-encoding the '~' in the blog's URL. Probably a software setting got changed again.

Some DNS blocklist stats on web requests

Over the past 28 days and change, we've had web requests from about 9,250 different IP addresses. Of those, only 250 IP addresses are currently listed in the XBL, and only 32 IP addresses were in the SBL. The leading SBL listing is SBL26426, which seems to be SAIX's web-cache proxies, listed for being a 'Nigerian 419' source; many of the other SBL listings are for the same thing.

Overall, I doubt I'm going to be using any DNS blocklist in front of our web server any time soon.

spam/MutatingRefererSpammers written at 01:08:44; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.