Wandering Thoughts archives

2006-02-19

Irony in a Referer spammer

Irony is a Referer spammer spamming my entry on how affiliate marketing is undead for something that sure looks like an affiliate marketing scheme. More irony is that this is the first Referer spammer in a donkey's age; all the old ones seem to have given up months ago.

This just goes to show that I can find amusing things from reading my server logs.

An analysis of the spammer

The spammer came from 217.15.96.18, an unremarkable DataStream Malta IP address that appears to have been doing other Referer spam (based on a Google search). It was pushing the website for imcmake-money-fast-online.com, which is registered to a 'Karl Sultana' of Zebbug in Malta (who has very interesting results in a Google search I will let you do yourself).

His website is just a frame around a marketingtips.com URL that has an embedded number in it, a typical sign of an affiliate scheme in action; the number carries through several pages into what looks like 'order something' URLs. (I lack the interest to crawl extensively.)

Sultana's website is at 209.197.103.186, hosted by pair Networks.

marketingtips.com is registered to 'Internet Marketing Center' of 1123 Fir Ave, Blaine, WA, aka imcinternet.com, which hosts its websites out of 216.57.212.192/26 (under FiberCloud of Bellingham WA) and has other tendrils in 65.110.16.0/27 (under Data Fortress Group of Vancouver).

None of the websites et al are in any DNS blocklists I could spot.
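The spotting above came from reading the server logs by hand. As an added example that is not code from the original post, here is a small Python script that parses Apache "combined" format access log lines and flags the pattern a Referer spammer leaves: one client presenting the same external Referer URL on many distinct pages (a real visitor's Referer turns into one of our own pages once they follow an internal link). The spammer's IP and advertised domain are the ones named above; the paths, timestamps, other clients and our own hostname (www.example.org) are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# One Apache "combined" log line:
#   ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^" ]+)?" '
    r'(?P<status>\d{3}) (?P<size>-|\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that
    do not match (truncated or otherwise malformed entries are common in logs)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    ref = rec["referer"]
    # A bare "-" means the client sent no Referer header at all.
    host = urlsplit(ref).hostname if ref not in ("", "-") else None
    rec["referer_host"] = host.lower() if host else None
    return rec

def find_referer_spam(lines, our_hosts, min_pages=3):
    """Return [(client_ip, referer_host, distinct_pages), ...] for every client
    that presented the same external Referer on at least min_pages distinct pages.

    A genuine visitor arriving from an external link shows that link's URL once;
    as they browse on, the Referer becomes one of our own pages. A Referer
    spammer repeats its advertised URL on every request so that it shows up in
    published referer logs, which is the pattern scored here."""
    pages = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["referer_host"]
        if host is None or host in our_hosts:
            continue  # no Referer, or an internal link: not Referer spam
        pages[(rec["ip"], host)].add(rec["path"])
    hits = [(ip, host, len(paths)) for (ip, host), paths in pages.items()
            if len(paths) >= min_pages]
    return sorted(hits, key=lambda h: (-h[2], h[0]))

# Constructed sample log (not from the original post).
OUR_HOSTS = {"www.example.org"}
SAMPLE_LOG = [
    '217.15.96.18 - - [19/Feb/2006:04:58:01 -0500] "GET /blog/spam/Entry1 HTTP/1.1" 200 8123 "http://imcmake-money-fast-online.com/" "Mozilla/4.0 (compatible)"',
    '217.15.96.18 - - [19/Feb/2006:04:58:02 -0500] "GET /blog/spam/Entry2 HTTP/1.1" 200 7710 "http://imcmake-money-fast-online.com/" "Mozilla/4.0 (compatible)"',
    '217.15.96.18 - - [19/Feb/2006:04:58:03 -0500] "GET /blog/spam/Entry3 HTTP/1.1" 200 6402 "http://imcmake-money-fast-online.com/" "Mozilla/4.0 (compatible)"',
    '217.15.96.18 - - [19/Feb/2006:04:58:04 -0500] "GET /blog/spam/Entry4 HTTP/1.1" 200 9055 "http://imcmake-money-fast-online.com/" "Mozilla/4.0 (compatible)"',
    # An ordinary visitor: arrives from a search engine, then follows internal links.
    '192.0.2.10 - - [19/Feb/2006:05:01:10 -0500] "GET /blog/spam/Entry1 HTTP/1.1" 200 8123 "http://search.example.net/?q=referer+spam" "Mozilla/5.0"',
    '192.0.2.10 - - [19/Feb/2006:05:02:31 -0500] "GET /blog/spam/Entry2 HTTP/1.1" 200 7710 "http://www.example.org/blog/spam/Entry1" "Mozilla/5.0"',
    '192.0.2.10 - - [19/Feb/2006:05:03:45 -0500] "GET /blog/spam/Entry3 HTTP/1.1" 200 6402 "http://www.example.org/blog/spam/Entry2" "Mozilla/5.0"',
    # No Referer header, then a truncated line that must be skipped, not crash the run.
    '198.51.100.7 - - [19/Feb/2006:05:10:00 -0500] "GET /blog/ HTTP/1.0" 200 3011 "-" "curl/7.15"',
    '198.51.100.7 - - [19/Feb/2006:05:10:01 -0500] "GET /blog/spam/',
]

if __name__ == "__main__":
    for ip, host, n in find_referer_spam(SAMPLE_LOG, OUR_HOSTS):
        print(f"{ip} pushed {host} on {n} distinct pages")
```

The threshold of three distinct pages is a starting point; on a busy site you would also want to look at how many distinct client IPs push the same referer host, since spam runs are usually spread across several addresses.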

spam/IronicRefererSpammer written at 05:20:00

Weekly spam summary on February 18th, 2006

Now that I've automated almost all of the Hotmail spam report, of course it turns out we've had a quiet week, even more so than last week:

  • no messages accepted.
  • 22 messages rejected because they came from non-Hotmail email addresses.
  • 54 messages sent to our spamtraps.
  • 13 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (one in the SBL, one in the CBL, one from Nigeria, one from Gilat-Satcom, and one from SAIX).

All of these are down from last week, although not always by huge amounts. Hopefully this will continue, although I note that for all the low numbers Hotmail is still batting 94 to nothing this week. And insisting that people jump through hoops to report Hotmail spam.

The basic stats:

  • got 13,656 messages from 222 different IP addresses.
  • handled 25,483 sessions from 2,261 different IP addresses.
  • received 156,390 connections from at least 50,712 different IP addresses.
  • a highwater of 27 connections being checked at once.

Everything is slightly down from last week except for the number of different IP addresses doing SMTP sessions. The per day table is slightly interesting this week:

Day          Connections  different IPs
Sunday            23,590         +7,935
Monday            22,349         +8,156
Tuesday           24,991         +7,396
Wednesday         26,030         +7,478
Thursday          22,129         +7,239
Friday            21,328         +7,187
Saturday          15,973         +5,321

Someday, someone is going to do a fascinating article on what days spammers prefer for their spam runs, and why. Have the spammers done 'market research' on what days get the best results, for example?

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
69.90.73.20            5785    347K
212.216.176.0/24       4821    237K
61.128.0.0/10          3479    181K
219.128.0.0/12         2635    138K
80.128.0.0/12          2409    139K
220.160.0.0/11         2234    114K
69.223.241.2           2178    111K
24.147.105.129         2097    101K
221.216.0.0/13         2073    105K
218.0.0.0/11           2004    102K

This is a slow week for individual IP addresses; only three made it into the top ten. 24.147.105.129 reappears from last October, because it is still listed in SPEWS. 69.90.73.20 and 69.223.241.2 both got blocked for lots of unresolvable HELOs.

The 80.128.0.0/12 area belongs to Deutsche Telekom and made the list last December; I've seen nothing since then that makes me reconsider our permanent blocks. All the other netblocks listed belong to various Chinese networks.

Connection time rejection stats:

  26730 total
  13007 dynamic IP
   8886 bad or no reverse DNS
   3056 class bl-cbl
    488 class bl-spews
    319 class bl-ordb
    232 class bl-dsbl
    125 class bl-sbl
     53 class bl-sdul
     48 class bl-njabl
      4 class bl-opm

Somewhat down from last week, and much more evenly distributed among different IP addresses; only 4 IP addresses were refused 100 times or more, and the winner (218.210.168.102, a Taiwanese IP address blocked for bad reverse DNS) only managed 135 times. Six of the 30 most refused IPs are in the CBL and five are currently in bl.spamcop.net; none are in the SBL this week.
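As an added example that is not the post's own code, here is how a connection-time classifier produces the classes in the list above: a connecting IP must have reverse DNS that forward-confirms, must not look like a dynamic address, and must not be in any of the DNS blocklists, which are queried by reversing the address's octets under the list's zone. The resolver is a stub fed with constructed records so that the example runs offline; the blocklist zone names are placeholders rather than the real lists' query zones, the check order is assumed (the post does not say which list is consulted first), and the dynamic-IP rule is a guess at a typical heuristic, not the one the post's filter used.

```python
import ipaddress
import re
from collections import Counter

# Blocklist classes from the stats above, checked in the order listed there
# (assumed order). Zone names are placeholders, not the real lists' zones.
BLOCKLISTS = [
    ("bl-cbl", "cbl.bl.example"),
    ("bl-spews", "spews.bl.example"),
    ("bl-ordb", "ordb.bl.example"),
    ("bl-dsbl", "dsbl.bl.example"),
    ("bl-sbl", "sbl.bl.example"),
    ("bl-sdul", "sdul.bl.example"),
    ("bl-njabl", "njabl.bl.example"),
    ("bl-opm", "opm.bl.example"),
]

# Assumed "dynamic IP" heuristic: a reverse-DNS name carrying a dial-up/DHCP/pool
# token, or one that spells out the address itself.
DYNAMIC_RE = re.compile(
    r"(?:^|[.-])(?:dyn|dynamic|dhcp|ppp|pool|dialup|dial|dsl|cable)(?:[.-]|\d)", re.I)

def looks_dynamic(name, ip):
    if DYNAMIC_RE.search(name):
        return True
    octets = str(ip).split(".")
    spelled = {"-".join(octets), ".".join(octets),
               "-".join(reversed(octets)), ".".join(reversed(octets))}
    return any(s in name for s in spelled)

def dnsbl_query_name(ip, zone):
    """DNSBL lookups reverse the octets and append the list's zone:
    192.0.2.14 in cbl.bl.example is asked for as 14.2.0.192.cbl.bl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

class StubResolver:
    """Offline stand-in for DNS, fed with constructed records."""
    def __init__(self, ptr, forward, listed):
        self.ptr = ptr          # ip -> reverse name; absent means no PTR record
        self.forward = forward  # name -> [ips]
        self.listed = listed    # DNSBL query names that "exist"
    def reverse(self, ip):
        return self.ptr.get(ip)
    def addresses(self, name):
        return self.forward.get(name, [])
    def dnsbl_lookup(self, qname):
        # A listed address answers with a 127.0.0.x record; unlisted is NXDOMAIN.
        return ["127.0.0.2"] if qname in self.listed else []

def classify(ip, resolver):
    """Return the rejection class for a connecting IP, or "accepted"."""
    name = resolver.reverse(ip)
    # Reverse DNS must exist and forward-confirm (the name resolves back to the IP).
    if name is None or ip not in resolver.addresses(name):
        return "bad or no reverse DNS"
    if looks_dynamic(name, ip):
        return "dynamic IP"
    for cls, zone in BLOCKLISTS:
        if resolver.dnsbl_lookup(dnsbl_query_name(ip, zone)):
            return "class " + cls
    return "accepted"

def tally(ips, resolver):
    """Counts per class, plus 'total' = number of refused connections."""
    counts = Counter(classify(ip, resolver) for ip in ips)
    counts["total"] = sum(n for cls, n in counts.items() if cls != "accepted")
    return counts

# Constructed DNS data for seven connecting hosts (documentation-range addresses).
RESOLVER = StubResolver(
    ptr={"192.0.2.10": "mail.example.net",
         "192.0.2.12": "dyn-12.cust.isp.example",
         "192.0.2.13": "mx.forged.example",
         "192.0.2.14": "host14.example.org",
         "192.0.2.15": "host15.example.org",
         "192.0.2.16": "192-0-2-16.pool.isp.example"},
    forward={"mail.example.net": ["192.0.2.10"],
             "dyn-12.cust.isp.example": ["192.0.2.12"],
             "mx.forged.example": ["192.0.2.99"],  # PTR name does not point back
             "host14.example.org": ["192.0.2.14"],
             "host15.example.org": ["192.0.2.15"],
             "192-0-2-16.pool.isp.example": ["192.0.2.16"]},
    listed={"14.2.0.192.cbl.bl.example",
            "15.2.0.192.spews.bl.example", "15.2.0.192.sbl.bl.example"},
)
CONNECTIONS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
               "192.0.2.14", "192.0.2.15", "192.0.2.16"]

if __name__ == "__main__":
    for cls, n in tally(CONNECTIONS, RESOLVER).most_common():
        print(f"{n:6d} {cls}")
```

Note that an address on several lists is counted once, under the first list that answers; that is why the per-class numbers in a report like the one above depend on the check order as much as on the lists themselves.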

Interestingly, exactly 100 refused IPs are in the SBL at the moment, in 62 different SBL listings. Here's the top hits:

# IPs  SBL listing  Listed       Who/what
    8  SBL22806     19-Feb-2006  de.clara.net advance fee fraud
    7  SBL37830     12-Feb-2006  Philippines based spammer hosting
    7  SBL35573     09-Dec-2005  CNCGROUP Beijing
    5  SBL37409     07-Feb-2006  Japanese spam source
    4  SBL35873     16-Dec-2005  mailyes.net, Korean spam source (under bora.net)
    4  SBL19307     28-Aug-2005  a /16 listing for a Chinese spam injection network
    3  SBL37888     14-Feb-2006  Korean spam sources (dacom.net)
    3  SBL37860     13-Feb-2006  'Clear Reach Networks' spam network (SAVVIS)
    3  SBL37388     28-Jan-2006  Ephedra spammers, 'Plumtree Solutions' (UUNet)

I find it heartening that none of these are ROKSO-listed spammers, and most of the listings are less than a month old (and that the oldest only dates to August 2005). Unfortunately, SpamHaus doesn't make their listings really easily queryable, so I can't report what the oldest SBL listing to hit us this week is.

What          This week (distinct IPs)  Last week (distinct IPs)
Bad HELOs     6167 (364)                8423 (248)
Bad bounces   1994 (1031)                815 (558)

Spammers are clearly still forging us, and there are a lot of quite active mail servers with unresolvable HELO names, although only nine tried 100 times or more. The standout winner for 'most backscatter' goes to 66.83.181.196 (349 hits), followed by 69.37.62.196 (199 hits) and 67.107.40.2 (111 hits). Backscatter is one of those things that makes me grind my teeth, given that we're forged so often by spammers.

spam/SpamSummary-2006-02-18 written at 02:07:02
