Wandering Thoughts archives

2005-09-11

Weekly spam summary on September 10th, 2005

Overall connections are up from last week: 239,000 SMTP connections from 39,000 different IP addresses. The SMTP frontend's highwater mark is up again, hitting 29 simultaneous connections.

Top 10 kernel level SMTP rejections:

Host/Mask           Packets   Bytes
213.4.149.11          13913    638K
192.35.251.3          13025    625K
212.216.176.0/24       8955    448K
208.136.201.43         7584    364K
202.96.0.0/12          6232    313K
65.90.203.102          5927    356K
218.102.53.0/24        5530    256K
213.29.7.174           5461    328K
67.32.131.231          5279    253K
212.44.241.24          5153    309K

65.90.203.102 turns out to be a mistake, due to an old listing for Broadwing dialup/dynamic address space that is clearly no longer valid. We probably have other now-invalid rejection rules, but they're hard to find and I don't have enough time and energy to systematically recheck things.

(Much of our dynamic IP address blocking is based on hostname patterns, which is hopefully less prone to rotting over time.)

Of the rest:

  • 213.4.149.11, mx.terra.es, is a frequent top-10 listing; it was blocked for its usual rapid spew of invalid HELO names.
  • 192.35.251.3, netfence.spss.com, is also a repeat offender for bad HELO names.
  • 218.102.53.0/24 is Netvigator's mail servers, which we haven't been willing to talk to for years anyways.
  • 213.29.7.174, mail1002.centrum.cz, appeared before in IPReject-2005-06-18. They're still in dnsbl.njabl.org, and checking their listing I see they've been there since May 26th, 2005, due to spewing out advance fee fraud spam. We have had all centrum.cz mail machines banned from our mailer for some time for the same reason.

Connection-time rejection stats:

  27106 total
  12298 dynamic IP
   8595 bad or no reverse DNS
   1783 class bl-cbl
   1563 class bl-sbl
   1068 class bl-spews
    581 class bl-dsbl
    300 class bl-ordb
    188 class bl-njabl
     69 class bl-sdul
     11 class bl-opm

The big jump in SBL hits is due to 1,131 hits from SBL20671, the ROKSO listing for 72.11.128.0/19, 'OC3 Networks - Ilan Mishan'. In turn this was all due to 72.11.156.0/24, a subnet that is full of IP addresses with reverse DNS to hostnames of the form '{crv,crve}.????.com'. The four characters in the domain name are usually letters, but I've seen some use of numbers and '-'.

To break up the monotony, the spammer threw in marketing-miracles.com, greatdealsforme.com (a more honest spammer domain name than usual), mylinemarketing.com, and marketingwarpspeed.com. They, and all the funny domains, all seem to be registered to the same organization, allegedly

Elbicho Ltd
Limited Elbicho
26 fremantle Court
Harbour Views, Gibraltar n/a
GI
+350.3500114473433
124656@whois.gkg.net

(Sometimes 'Elbicho Limited'.)

I can only hope that the spammer is paying real money for that parade of domain names. (Probably not, though. Still, since they seem to have been registered back in May, hopefully the registrar will have gotten some actual money from the spammer.)

In SPEWS news, mail.uk.tiscali.com keeps showing up (although not high in the league tables). This is probably because they are a prolific advance fee fraud spam source, although they may protest otherwise (there was a recent thread on news.admin.net-abuse.email claiming reform, which various people laughed at).

The usual eyeball scan shows bad HELOs and bounces to nonexistent local addresses down somewhat over last week.

And that concludes tonight's presentation of The Week In Spam.

spam/SpamSummary-2005-09-10 written at 02:14:26

Comment spam writ large

This Friday I discovered a neglected web-based bulletin board on one of our web servers that was open for posting. Unfortunately, comment spammers had discovered it months before I did and had been gleefully exploiting it since then. The result gives me an unpleasant, full throttle view into the world of comment spammers.

The raw numbers are appalling: in the time they were active, the comment spammers posted at least 233,799 spam comments (fortunately, the web board only stored the last 100,000 or so comments, a limitation that I suspect the authors never expected to be hit). At a guess, they were probably doing this for at least six months and possibly more.

(The web bulletin board itself appears to have been last used on August 23rd 2003. Google searches suggest that the spamming may have started as early as October 16th 2003. Unfortunately the searches also show that Google did indeed index the spammed comments.)

Over the past 14 full weeks that I have logs for (from May 29th), they averaged 1160 comment spams a day, which is not quite one comment spam a minute. However, their activity was actually quite bursty, with the peak week seeing 61,918 comments (8,845 a day, more than 6 a minute).

(The rest of this is about the sources of the comment spam, because that information is a lot more accessible and easier to process. Perhaps later I'll try to analyze the web sites being spammed for and who hosts them.)

2,222 different IP addresses were involved in posting the comments, with a highly uneven distribution. Here is the top 10 list of spammer shame:

  Hits IP address/netblock
 30117 209.200.11.96/28
  4130 193.251.169.170
  2364 203.162.3.77
  1321 80.237.140.233
  1022 203.162.3.78
   899 168.143.113.0/24
   773 207.248.240.119
   749 198.65.161.88
   686 195.229.241.182
   618 200.201.178.58
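The per-source counting behind this table, as an added example that is not part of the original post: it takes Common Log Format lines (constructed here, reusing the IPs above but with invented timestamps and paths), counts POSTs to the board's posting URL per IP and per day, folds individual IPs into a chosen netblock such as the /28 above, and builds the reversed-octet name that an XBL lookup would resolve. The posting path and the log format are assumptions, since the post names neither.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines standing in for the web board's logs.
SAMPLE_LOG = """\
209.200.11.100 - - [01/Sep/2005:10:00:01 -0400] "POST /board/post.cgi HTTP/1.1" 200 512
209.200.11.103 - - [01/Sep/2005:10:00:07 -0400] "POST /board/post.cgi HTTP/1.1" 200 512
193.251.169.170 - - [01/Sep/2005:10:01:15 -0400] "POST /board/post.cgi HTTP/1.1" 200 512
209.200.11.105 - - [02/Sep/2005:03:12:40 -0400] "POST /board/post.cgi HTTP/1.1" 200 512
10.0.0.5 - - [02/Sep/2005:03:13:00 -0400] "GET /board/index.cgi HTTP/1.1" 200 8192
193.251.169.170 - - [02/Sep/2005:03:14:22 -0400] "POST /board/post.cgi HTTP/1.1" 200 512
"""

# Common Log Format: ip ident user [timestamp] "METHOD url proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def count_posts(log_text, path="/board/post.cgi"):
    """Return (per-IP Counter, per-day Counter) of POSTs to the board's posting URL."""
    by_ip, by_day = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stamp, method, url, status = m.groups()
        if method != "POST" or url != path:
            continue
        by_ip[ip] += 1
        by_day[stamp.split(":", 1)[0]] += 1  # day part, e.g. '01/Sep/2005'
    return by_ip, by_day


def aggregate_netblocks(by_ip, blocks):
    """Fold IPs inside any listed CIDR block into that block; other IPs stay as-is."""
    nets = [ip_network(b) for b in blocks]
    out = Counter()
    for ip, n in by_ip.items():
        addr = ip_address(ip)
        out[next((str(net) for net in nets if addr in net), ip)] += n
    return out


def dnsbl_query_name(ip, zone="xbl.spamhaus.org"):
    """Reversed-octet name a DNSBL check resolves (built only; no network lookup here)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def top_sources(log_text, blocks=("209.200.11.96/28",), n=10):
    """Top-N sources after netblock folding, plus the average number of spam POSTs per day."""
    by_ip, by_day = count_posts(log_text)
    return aggregate_netblocks(by_ip, blocks).most_common(n), sum(by_day.values()) / len(by_day)
```

Resolving the name from `dnsbl_query_name` (an A record answer means listed) is what turns this into the XBL percentage the post reports.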

209.200.11.96/28 is part of webair.com/webair.net's IP allocation, and according to them it belongs to one 'Kevin Moll' of Watsontown PA, aka powerstorm.net. This source has stayed active through September 9th, but figures no more prominently than usual in the big week.

168.143.113.0/24 is anonymizer.com, in part of Verio's netspace. Clearly they're being abused by comment spammers. I wouldn't be surprised if any source of anonymous web access that allows POST commands is being abused that way, including the EFF-sponsored Tor network; spammers just don't care what effects their actions have on other users of the services they're exploiting.

42% of the different IP addresses (935 out of 2222) are currently listed in the XBL. Since XBL listings usually expire in significantly less than 14 weeks, this is particularly impressive. They accounted for 48% of the hits remaining after you exclude the almost 27% that come from powerstorm.net and anonymizer.com.

Top problem sources by ASN, after removing powerstorm.net and anonymizer.com:

  # of hits  ASN      Owner
       4370  AS5511   France Telecom
       4300  AS33774  Telecom Algeria
       3842  AS7643   Vietnam Posts & Telecoms
       3409  AS4134   CHINANET-BACKBONE
       3031  AS4837   CNCGROUP China169 Backbone
       2331  AS3352   Telefonica (Spain)
       2070  AS11172  Alestra (Mexico)
       1929  AS8895   Riyadh (Saudi Arabia)
       1872  AS3462   Hinet (Taiwan)
       1748  AS1659   Taiwan Academic Network
       1460  AS5384   Emirates Internet (UAE)

(Verio almost makes the list, but with anonymizer.com removed they only have 1,154 hits. Webair has only 3 hits outside of powerstorm.net.)

Many of these networks can be described as 'the usual suspects', as they will look quite familiar to readers of SpamByASN and XBLStats-2005-08-06.

Only 11 different IP addresses were on the SBL, so I will just put them in a table:

  # of hits  SBL listing  Comments
        567  SBL22883     listed for related malfeasance
        405  SBL26426     SAIX web caches
        217  SBL31555     rima-tde.net web cache
         25  SBL24042
         16  SBL25866
          5  SBL17449
          4  SBL30014     a ROKSO listed spammer
          4  SBL16836
          2  SBL23645
          1  SBL21707

Looking at the SBL listings, it looks like machines that are ultimate sources of advance fee fraud spam are also going to source other problems.

Sidebar: the specific powerstorm.net IPs:

For Google's sake, the specific powerstorm.net IPs involved are: 209.200.11.100, 209.200.11.101, 209.200.11.102, 209.200.11.103, 209.200.11.104, 209.200.11.105, 209.200.11.106, 209.200.11.107, 209.200.11.108, and 209.200.11.110.

I don't know why 209.200.11.109 is missing. 209.200.11.110 made only one comment spam posting, on July 14th; the others are fairly evenly active. (And they stayed active; the most recent hit was September 9th.)

spam/CommentSpamWritLarge written at 01:24:23
