Wandering Thoughts archives


Irony in a Referer spammer

Irony is a Referer spammer spamming my entry on how affiliate marketing is undead for something that sure looks like an affiliate marketing scheme. More irony is that this is the first Referer spammer in a donkey's age; all the old ones seem to have given up months ago.

This just goes to show that I can find amusing things from reading my server logs.

An analysis of the spammer

The spammer came from, an unremarkable DataStream Malta IP address that appears to have been doing other Referer spam (based on a Google search). It was pushing the website for imcmake-money-fast-online.com, which is registered to a 'Karl Sultana' of Zebbug in Malta (who has very interesting results in a Google search I will let you do yourself).

His website is just a frame around a marketingtips.com URL that has an embedded number in it, a typical sign of an affiliate scheme in action; the number carries through several pages into what looks like 'order something' URLs. (I lack the interest to crawl extensively.)

Sultana's website is at, hosted by pair Networks.

marketingtips.com is registered to 'Internet Marketing Center' of 1123 Fir Ave, Blaine, WA, aka imcinternet.com, which hosts its websites out of (under FiberCloud of Bellingham WA) and has other tendrils in (under Data Fortress Group of Vancouver).

None of the websites et al are in any DNS blocklists I could spot.

spam/IronicRefererSpammer written at 05:20:00; Add Comment

Weekly spam summary on February 18th, 2006

Now that I've automated almost all of the Hotmail spam report, of course it turns out we've had a quiet week, even more so than last week:

  • no messages accepted.
  • 22 messages rejected because they came from non-Hotmail email addresses.
  • 54 messages sent to our spamtraps.
  • 13 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (one in the SBL, one in the CBL, one from Nigeria, one from Gilat-Satcom, and one from SAIX).

All of these are down from last week, although not always by huge amounts. Hopefully this will continue, although I note that for all the low numbers Hotmail is still batting 94 to nothing this week. And insisting that people jump through hoops to report Hotmail spam.

The basic stats:

  • got 13,656 messages from 222 different IP addresses.
  • handled 25,483 sessions from 2,261 different IP addresses.
  • received 156,390 connections from at least 50,712 different IP addresses.
  • a highwater of 27 connections being checked at once.

Everything is slightly down from last week except for the number of different IP addresses doing SMTP sessions. The per day table is slightly interesting this week:

Day Connections different IPs
Sunday 23,590 +7,935
Monday 22,349 +8,156
Tuesday 24,991 +7,396
Wednesday 26,030 +7,478
Thursday 22,129 +7,239
Friday 21,328 +7,187
Saturday 15,973 +5,321

Someday, someone is going to do a fascinating article on what days spammers prefer for their spam runs, and why. Have the spammers done 'market research' on what days get the best results, for example?

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes            5785    347K       4821    237K          3479    181K         2635    138K          2409    139K         2234    114K           2178    111K         2097    101K         2073    105K           2004    102K

This is a slow week for individual IP addresses; only three made it into the top ten. reappears from last October, because it is still listed in SPEWS. and both got blocked for lots of unresolvable HELOs.

The area belongs to Deutsche Telekom and made the list last December; I've seen nothing since then that makes me reconsider our permanent blocks. All the other netblocks listed belong to various Chinese networks.

Connection time rejection stats:

  26730 total
  13007 dynamic IP
   8886 bad or no reverse DNS
   3056 class bl-cbl
    488 class bl-spews
    319 class bl-ordb
    232 class bl-dsbl
    125 class bl-sbl
     53 class bl-sdul
     48 class bl-njabl
      4 class bl-opm

Somewhat down from last week, and much more evenly distributed among different IP addresses; only 4 IP addresses were refused 100 times or more, and the winner (, a Taiwanese IP address blocked for bad reverse DNS) only managed 135 times. Six of the 30 most refused IPs are in the CBL and five are currently in bl.spamcop.net; none are in the SBL this week.

Interestingly, exactly 100 refused IPs are in the SBL at the moment, in 62 different SBL listings. Here's the top hits:

# of different IPs SBL listing listed: who/what
8 SBL22806 19-Feb-2006 de.clara.net advance fee fraud
7 SBL37830 12-Feb-2006 Philippines based spammer hosting
7 SBL35573 09-Dec-2005 CNCGROUP Beijing
5 SBL37409 07-Feb-2006 Japanese spam source
4 SBL35873 16-Dec-2005 mailyes.net, Korean spam source (under bora.net)
4 SBL19307 28-Aug-2005 a /16 listing for a Chinese spam injection network
3 SBL37888 14-Feb-2006 Korean spam sources (dacom.net)
3 SBL37860 13-Feb-2006 'Clear Reach Networks' spam network (SAVVIS)
3 SBL37388 28-Jan-2006 Ephedra spammers, 'Plumtree Solutions' (UUNet)

I find it heartening that none of these are ROKSO-listed spammers, and most of the listings are less than a month old (and that the oldest only dates to August 2005). Unfortunately, SpamHaus doesn't make their listings really easily queryable, so I can't report what the oldest SBL listing to hit us this week is.

what # this week (distinct IPs) # last week (distinct IPs)
Bad HELOs 6167 364 8423 248
Bad bounces 1994 1031 815 558

Spammers are clearly still forging us and there's a lot of quite active mail servers with unresolvable HELO names, although only nine tried 100 times or more. The standout winner for 'most backscatter' goes to (349 hits), followed by (199 hits) and (111 hits). Backscatter is one of those things that makes me grind my teeth, given that we're forged so often by spammers.

spam/SpamSummary-2006-02-18 written at 02:07:02; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.