Irony in a Referer spammer
Irony is a
Referer spammer spamming my entry
on how affiliate marketing is undead for
something that sure looks like an affiliate marketing scheme. More irony
is that this is the first Referer spammer in a donkey's age; all the old
ones seem to have given up months ago.
This just goes to show that I can find amusing things from reading my server logs.
An analysis of the spammer
The spammer came from 184.108.40.206, an unremarkable DataStream Malta IP address that appears to have been doing other Referer spam (based on a Google search). It was pushing the website for imcmake-money-fast-online.com, which is registered to a 'Karl Sultana' of Zebbug in Malta (who has very interesting results in a Google search I will let you do yourself).
His website is just a frame around a marketingtips.com URL that has an embedded number in it, a typical sign of an affiliate scheme in action; the number carries through several pages into what looks like 'order something' URLs. (I lack the interest to crawl extensively.)
Sultana's website is at 220.127.116.11, hosted by pair Networks.
marketingtips.com is registered to 'Internet Marketing Center' of 1123 Fir Ave, Blaine, WA, aka imcinternet.com, which hosts its websites out of 18.104.22.168/26 (under FiberCloud of Bellingham WA) and has other tendrils in 22.214.171.124/27 (under Data Fortress Group of Vancouver).
None of the websites et al are in any DNS blocklists I could spot.
Weekly spam summary on February 18th, 2006
- no messages accepted.
- 22 messages rejected because they came from non-Hotmail email addresses.
- 54 messages sent to our spamtraps.
- 13 messages refused because their sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (one in the SBL, one in the CBL, one from Nigeria, one from Gilat-Satcom, and one from SAIX).
All of these are down from last week, although not always by huge amounts. Hopefully this will continue, although I note that for all the low numbers Hotmail is still batting 94 to nothing this week. And insisting that people jump through hoops to report Hotmail spam.
The basic stats:
- got 13,656 messages from 222 different IP addresses.
- handled 25,483 sessions from 2,261 different IP addresses.
- received 156,390 connections from at least 50,712 different IP addresses.
- a highwater of 27 connections being checked at once.
Everything is slightly down from last week except for the number of different IP addresses doing SMTP sessions. The per day table is slightly interesting this week:
Someday, someone is going to do a fascinating article on what days spammers prefer for their spam runs, and why. Have the spammers done 'market research' on what days get the best results, for example?
Kernel level packet filtering top ten:
Host/Mask Packets Bytes 126.96.36.199 5785 347K 188.8.131.52/24 4821 237K 184.108.40.206/10 3479 181K 220.127.116.11/12 2635 138K 18.104.22.168/12 2409 139K 22.214.171.124/11 2234 114K 126.96.36.199 2178 111K 188.8.131.52 2097 101K 184.108.40.206/13 2073 105K 220.127.116.11/11 2004 102K
This is a slow week for individual IP addresses; only three made
it into the top ten. 18.104.22.168 reappears from last October, because it is still listed in SPEWS.
22.214.171.124 and 126.96.36.199 both got blocked for lots of unresolvable
The 188.8.131.52/12 area belongs to Deutsche Telekom and made the list last December; I've seen nothing since then that makes me reconsider our permanent blocks. All the other netblocks listed belong to various Chinese networks.
Connection time rejection stats:
26730 total 13007 dynamic IP 8886 bad or no reverse DNS 3056 class bl-cbl 488 class bl-spews 319 class bl-ordb 232 class bl-dsbl 125 class bl-sbl 53 class bl-sdul 48 class bl-njabl 4 class bl-opm
Somewhat down from last week, and much more evenly distributed
among different IP addresses; only 4 IP addresses were refused
100 times or more, and the winner (184.108.40.206, a Taiwanese IP
address blocked for bad reverse DNS) only managed 135 times. Six of
the 30 most refused IPs are in the CBL
and five are currently in
bl.spamcop.net; none are in the SBL this week.
Interestingly, exactly 100 refused IPs are in the SBL at the moment, in 62 different SBL listings. Here's the top hits:
|# of different IPs||SBL listing||listed:||who/what|
|8||SBL22806||19-Feb-2006||de.clara.net advance fee fraud|
|7||SBL37830||12-Feb-2006||Philippines based spammer hosting|
|5||SBL37409||07-Feb-2006||Japanese spam source|
|4||SBL35873||16-Dec-2005||mailyes.net, Korean spam source (under bora.net)|
|4||SBL19307||28-Aug-2005||a /16 listing for a Chinese spam injection network|
|3||SBL37888||14-Feb-2006||Korean spam sources (dacom.net)|
|3||SBL37860||13-Feb-2006||'Clear Reach Networks' spam network (SAVVIS)|
|3||SBL37388||28-Jan-2006||Ephedra spammers, 'Plumtree Solutions' (UUNet)|
I find it heartening that none of these are ROKSO-listed spammers, and most of the listings are less than a month old (and that the oldest only dates to August 2005). Unfortunately, SpamHaus doesn't make their listings really easily queryable, so I can't report what the oldest SBL listing to hit us this week is.
|what||# this week||(distinct IPs)||# last week||(distinct IPs)|
Spammers are clearly still forging us and there's a lot of quite active
mail servers with unresolvable
HELO names, although only nine tried
100 times or more. The standout winner for 'most backscatter' goes
to 220.127.116.11 (349 hits), followed by 18.104.22.168 (199 hits) and
22.214.171.124 (111 hits). Backscatter is one of those things that makes me
grind my teeth, given that we're forged so often by spammers.