2006-01-08
Weekly spam summary on January 7th, 2006
It's time for the first weekly spam summary of the new year, so let's see what sort of a start 2006 is off to.
This week we received 14,639 email messages from 198 different IP addresses. Our SMTP server handled 30,023 sessions from 3,122 different IP addresses. Message volume is up some since last week (not surprising with people coming back to work) and session volume is holding steady.
Connection volume is down from last week: 201,000 connections from at least 58,500 different IP addresses, although with a highwater of 20 connections being checked at once. By day we get:
| Day | Connections | different IPs |
| Sunday | 28,000 | +8,400 |
| Monday | 32,000 | +11,060 |
| Tuesday | 30,650 | +10,530 |
| Wednesday | 29,480 | +7,860 |
| Thursday | 35,980 | +7,530 |
| Friday | 22,540 | +6,990 |
| Saturday | 22,190 | +6,130 |
I have no explanation for the day to day numbers, although we do have the traditional Thursday jump. It's wierd to see the different IP address count spike so sharply without a connection spike to go with it.
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 202.157.144.3 17983 1079K 168.215.140.35 12414 745K 68.124.27.170 10004 509K 213.4.149.69 9387 411K 63.167.16.2 8249 396K 62.34.238.215 6840 356K 67.187.49.104 6579 335K 66.59.250.33 6449 297K 218.102.53.0/24 5956 275K 207.202.183.104 5454 251K
- only 213.4.149.69 reappears from before, still without a good IP to name mapping.
- 202.157.144.3 is also without good IP to name mapping.
- 168.215.140.35, 62.34.238.215, and 67.187.49.104 are all considered 'dialup' dynamic address machines.
- 68.124.27.170 is a PacBell DSL machine that kept trying to send us mail from an address that had hit our spamtraps.
- 63.167.16.2, 66.59.250.33, and 207.202.183.104 had unresolvable
HELOnames.
Connection time rejection stats:
36555 total
18969 dynamic IP
10916 bad or no reverse DNS
4114 class bl-cbl
528 class bl-spews
467 class bl-sbl
310 class bl-dsbl
272 class bl-sdul
52 class bl-ordb
30 class bl-njabl
14 class bl-opm
Given the overall volume drop from last week, I think that these stats are not particularly surprising. There are no really aggressive single IP addresses, and the CBL doesn't stand out as much as it did last week; only 7 of the top 30 most connecting IP addresses are on it.
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
Bad HELOs |
8120 | 406 | 12700 | 578 |
| Bad bounces | 4349 | 1629 | 4196 | 1123 |
It looks like we're still getting forged as the MAIL FROM origin by
spammers.
The Hotmail spammers seem to have ended their holidays too, judging from the Hotmail stats for this week:
- 2 emails accepted, one of which was a backscatter bounce.
- 275 messages rejected because they came from non-Hotmail email addresses.
- 62 messages sent to our spamtraps.
- 4 messages refused because their sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (four for being in the SBL, one for being in the CBL).
This is broadly consistent with the volume from the week before last. So much for any hope that Hotmail was doing something to deal with their spam problem over the Christmas to New Years break.
(In fact they were doing something last week: they were making it more difficult to report spam to Hotmail. Now you have to use report_spam@hotmail.com instead of abuse@hotmail.com if you want them to take any action, or so their autoreply now says.)
Towards assessing SORBS' false positive rate
I was somewhat surprised to read in Chris Linfoot's blog that
he uses SORBS,
because I've always considered the top-level dnsbl.sorbs.net
blocklist a little too aggressive. (Considering that I use SPEWS,
this may be a little bit of throwing rocks in glass houses.)
(Update: Chris Linfoot does say that you need a good whitelist to use SORBS.)
Out of curiosity I decided to get a very broad sense of the potential
'false positive' rate for using dnsbl.sorbs.net as a whole by seeing
how many IP addresses that had successfully delivered email to us
over the past 28+ days were listed in SORBS.
Over this time period, 425 different IP addresses delivered one or
more messages. 27 of them are listed in dnsbl.sorbs.net; since some
spam mail gets through our blocks, these aren't necessarily all false
positives. Let's take a look at who's included in the roughly 6% of
successful mail deliveries that SORBS would have blocked:
- smtp1.newsguy.com
- mm-retail-out-1102.amazon.com
- mx3.friendster.com
- n10a.bullet.dcn.yahoo.com and several bullet.scd.yahoo.com hosts
- wproxy.gmail.com
- a number of Hotmail machines. Yes, they emit lots of spam, but we do get legitimate email from them.
- smtpout0191.sc1.cp.net
- two mail.united.com machines
The overall dnsbl.sorbs.net list is a conglomerate of a number of different sub-lists. On checking, all 27 IP addresses were from the 'Spam DB' list, assembled from things that have hit SORBS spamtraps. Most of them are not listed in any other DNS blocklist (some are in blacklist.spambag.org and/or block.blars.org, both of which are very aggressive, a few were in bl.spamcop.net, and one was also in dynamic.dnsbl.rangers.eu.org).
I'm not too surprised by this result, because I consider all automated 'hit a spamtrap and get listed' blocklists to be too dangerous (we don't even do this with our spamtraps locally; for most domains, they only cause email to get deferred).
(While we use bl.spamcop.net, we use it to delay email, not to reject it. The logic behind this is for another entry.)
Needless to say, this is a little too aggressive for us to use here. While we could exempt the important domains we've seen today, there's no certainty that some other important domain we get email from won't briefly have spammer who hits a SORBS spamtrap and then blam. (Given some of the important local ISPs, I'm actually pretty sure that this will happen at some point.)