2005-08-28
Weekly spam summary on August 27th, 2005
The overall SMTP connection rate is up from
last week, as we hit 213,000 SMTP
connections from at least 36,000 different IP addresses.
The SMTP frontend hit a new high-water mark of 22 simultaneous connections
being checked at once. It's possible that a lot of this is from spammers
forging our domains as the MAIL FROM of their spams.
Top 10 kernel level SMTP rejections:
| Host/Mask | Packets | Bytes | Code |
| 213.4.149.11 | 16370 | 736K | [dns] |
| 150.101.192.222 | 12959 | 660K | [trap] |
| 212.216.176.0/24 | 10593 | 553K | |
| 202.96.0.0/12 | 6472 | 311K | |
| 161.58.153.168 | 5752 | 284K | [trap] |
| 206.169.79.2 | 4621 | 222K | [dyn] |
| 61.128.0.0/10 | 4219 | 211K | |
| 64.105.41.16 | 4127 | 198K | [dyn] |
| 201.224.247.45 | 4049 | 206K | [dns] |
| 192.131.97.33 | 3706 | 163K | [helo] |
| Code | Explanation |
| [dns] | Bad or missing reverse DNS |
| [dyn] | Apparent dynamic IP address |
| [helo] | Bad SMTP HELO greeting |
| [trap] | Sent mail to a spamtrap |
Clearly we've had some very persistent callers this week; however, most of the individual machines are new on the list (the only exception is 213.4.149.11, appearing in SpamSummary-2005-07-23).
Connection-time rejection stats:
27462 total
13178 dynamic IP
7721 bad or no reverse DNS
1668 class bl-cbl
1195 class bl-spews
1032 class bl-sbl
880 class bl-dsbl
775 class bl-ordb
189 class bl-sdul
83 class bl-njabl
27 class bl-opm
SBL-based rejections are up significantly, and break down like this for the top five:
| Rejections | SBL listing |
| 617 | SBL20671 |
| 98 | SBL27384 |
| 62 | SBL20539 |
| 38 | SBL23039 |
| 23 | SBL29615 |
SBL20671 is a /19 ROKSO listing for OC3 Networks. SBL27384
is an aruba.it IP address listed for hosting a 'phish' site that
tried to send us a bunch of email. SBL29615 is 216.250.209.9,
www.portafree.com, listed as an Advance Fee Fraud source. (There
is a lesson here for people running free email
services, but they clearly keep on not learning.)
SPEWS rejections have no specific bad source, although 65.209.157.32
kept retrying a lot (it looks like it's a Microsoft mailer, and
those tend to do that in my experience). Big SPEWS contributions
came from mail.uk.tiscali.com and seamail.go.com, both of
which are widely abused free email services that I am not sorry
to see rejected. wanadoo.co.uk also got into the act.
(I am seriously considering specific connection-time rejections for all of the widely abused free email providers that I don't want to bother talking to. It would probably make these reports more streamlined and it might get the message through to their operators. Or at least any real users trying to email our users.)
Bad HELOs and SMTP bounces to nonexistent local addresses are up quite a lot over last week. The numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 21143 | 831 | 4888 | 409 |
| Bad bounces | 6722 | 3282 | 2099 | 817 |
Much of the increase in the bad HELO count is due to various people
retrying much more often. The drastic increase in the number of distinct
IP addresses sending us bad bounces suggests that our domains are being
forged more by spammers again.
2005-08-21
Weekly spam summary on August 20th, 2005
The overall SMTP connection rate has dropped from last week, down to 140,000 SMTP connections from at least 36,000 different IP addresses. The SMTP frontend hit a high-water of 16 simultaneous connections, I believe relatively early in the week, so I suspect we saw the spillover from last week's traffic burst last Sunday and maybe Monday and then a normal rest of the week.
Kernel level IP rejections:
| Host/Mask | Packets | Bytes |
| 207.235.38.19 | 10721 | 515K |
| 212.216.176.0/24 | 7974 | 434K |
| 203.98.175.42 | 7469 | 359K |
| 61.128.0.0/10 | 6122 | 297K |
| 192.35.251.3 | 6086 | 292K |
| 170.206.225.64 | 5587 | 268K |
| 68.164.24.147 | 5136 | 261K |
| 80.55.43.26 | 3812 | 229K |
| 82.235.46.17 | 3807 | 194K |
| 216.7.201.43 | 3462 | 166K |
This seems to have been a slow week for Chinese networks (our usual source of rejections from large netblocks); only one made it into the top ten. The individual hosts listed are the usual grab-bag assortment of dynamically added places, with some faces reappearing from last week (170.206.225.64 remaining listed in dnsbl.njabl.org).
Connection-time rejections run:
23940 total
11281 dynamic IP
8525 bad or no reverse DNS
1699 class bl-cbl
532 class bl-spews
434 class bl-ordb
424 class bl-dsbl
377 class bl-sbl
114 class bl-njabl
110 class bl-sdul
2 class bl-opm
(Embarrassingly, I only got around to automating this report via a script this week. When will I learn to take my own advice?)
No single IP address was a really big source of connection-time rejections.
Bad HELO greetings are well down from last week but are up somewhat
over the week before that, which could be more signs of a
Sunday/Monday spillover effect.
Mutating Referer Spammers
Last week's Referer spammers have changed what they're shilling for and mutated their methods. Currently they seem to be shilling for online poker, although instead of clickthrough payments they seem to be angling for 'affiliate' payouts when they get people to sign up at places like pacificpoker.com, fairpoker.com, partypoker.com, and 888.com (which seem unrelated to each other).
All of the websites being Referer-spammed for are still at the IP address 64.4.195.62. Domains they've used so far include webimagineer.net, blevensdamman.com, computerxchange.com, hebei-gelatin.com, casino-solution.com, upthekazoo.com, and homesbysellers.net. Usually (but not always) they use subpages. (As with last week's domains, these also appear in blog comment spam.)
As last week, they continue to hit only the spam category blog page. However, two other bits have changed:
- they've switched over to URL-encoding the '~' in the blog's URL; since they're the only visitors to do this, it makes their requests quite distinctive.
- they are now making the requests from XBL-listed IP addresses (and from some that are on other DNS blocklists as compromised hosts).
Using zombies and other compromised machines slides them well over the line into black-hat territory and criminality. I suspect that anet.net (aka 'ANET Solutions Inc'), their web host, will continue to not do very much to deal with their spammers.
Given their current obliviousness to the lack of success that their attempts are having here, I'm not sure that making DWiki return error messages on their attempts would have any effect. Their software is probably pretty 'fire and forget and ignore'.
Updated Aug 23rd: they've now stopped entity-encoding the '~' in
the blog's URL. Probably a software setting got changed again.
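As an added example (not the blog's own code), here is the kind of log check the two fingerprints above suggest: it scans Apache combined-format access log lines for the percent-encoded '~' that only the spammers' software sends, and for requests to the spam category page whose Referer points at a foreign site. The host name `www.example.org`, the path `/~blog/spam/` and the log lines are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Assumptions (not from the post): the blog's spam category index page is at
# SPAM_PAGE on a host in OUR_HOSTS.  The log lines further down are constructed.
OUR_HOSTS = {"www.example.org"}
SPAM_PAGE = "/~blog/spam/"

# Apache "combined" log format: ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def spam_reasons(rec):
    """Return the reasons a parsed request looks like Referer spam (empty if none)."""
    reasons = []
    # Browsers send '~' literally; a percent-encoded tilde in the request
    # path is the spam software's fingerprint described in the post.
    if "%7e" in rec["path"].lower():
        reasons.append("encoded-tilde")
    referer = rec["referer"]
    if referer not in ("", "-"):
        host = urlsplit(referer).hostname or ""
        # The spammers only hit the spam category page, with a Referer
        # pointing at a site of theirs rather than at ours.
        if unquote(rec["path"]).startswith(SPAM_PAGE) and host not in OUR_HOSTS:
            reasons.append("foreign-referer:" + host)
    return reasons

def scan(log_text):
    """Return ([(ip, reasons), ...], Counter of foreign Referer hosts)."""
    hits, hosts = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = spam_reasons(rec)
        if not reasons:
            continue
        hits.append((rec["ip"], reasons))
        for r in reasons:
            if r.startswith("foreign-referer:"):
                hosts[r.split(":", 1)[1]] += 1
    return hits, hosts

# Constructed sample log (documentation IP ranges; not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Aug/2005:10:01:12 -0400] "GET /%7Eblog/spam/ HTTP/1.0" 200 5120 "http://webimagineer.net/poker/rules.html" "Mozilla/4.0"
192.0.2.11 - - [23/Aug/2005:11:02:40 -0400] "GET /~blog/spam/ HTTP/1.0" 200 5120 "http://blevensdamman.com/" "Mozilla/4.0"
198.51.100.7 - - [20/Aug/2005:10:05:01 -0400] "GET /~blog/spam/ HTTP/1.1" 200 5120 "http://www.example.org/~blog/" "Mozilla/5.0"
198.51.100.8 - - [20/Aug/2005:10:06:30 -0400] "GET /~blog/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
192.0.2.12 - - [20/Aug/2005:10:07:03 -0400] "GET /%7Eblog/spam/ HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG)[0]:
        print(ip, ", ".join(reasons))
```

The second sample line shows the post-Aug 23rd behaviour: with the '~' sent plainly, only the foreign Referer on the spam page remains as a signal.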
Some DNS blocklist stats on web requests
Over the past 28 days and change, we've had web requests from about 9,250 different IP addresses. Of those, only 250 IP addresses are currently listed in the XBL, and only 32 IP addresses were in the SBL. The leading SBL listing is SBL26426, which seems to be SAIX's web-cache proxies, listed for being a 'Nigerian 419' source; many of the other SBL listings are for the same thing.
Overall, I doubt I'm going to be using any DNS blocklist in front of our web server any time soon.
2005-08-14
Weekly spam summary for August 13th, 2005
Overall SMTP connections are running at twice the expected rate, at 246,000 SMTP connections, although only from the usual 33,000 different IP addresses. The SMTP frontend hit a high-water mark of 18 simultaneous connections during the week.
Kernel level IP filtering:
| Host/Mask | Packets | Bytes |
| 204.50.22.50 | 11909 | 572K |
| 170.206.225.64 | 8186 | 393K |
| 66.237.19.76 | 8148 | 391K |
| 192.35.251.3 | 7206 | 346K |
| 218.102.53.0/24 | 6916 | 330K |
| 219.144.0.0/13 | 5395 | 262K |
| 212.216.176.0/24 | 4953 | 257K |
| 220.160.0.0/11 | 4875 | 238K |
| 202.96.0.0/12 | 4774 | 245K |
| 61.128.0.0/10 | 4627 | 226K |
This week is an impressive one for individual accomplishment; we had
some very determined would-be callers. 170.206.225.64 got into our IP
level filtering by being in dnsbl.njabl.org; everyone else was very
eager to give us a bad SMTP HELO greeting. 170.206.225.64 made a
prior appearance in SpamAftermath-2005-07-30; 192.35.251.3 showed
up all the way back in IPReject-2005-06-18.
Connection-time rejections run:
24776 total
11386 dynamic IP
8050 bad or no reverse DNS
1347 class bl-spews
1284 class bl-cbl
573 class bl-dsbl
506 class bl-ordb
372 class bl-sbl
264 class bl-njabl
67 class bl-sdul
4 class bl-opm
These are up somewhat over last week. Unlike last week, there are no really big single sources that account for the jump in SPEWS.
On the unscientific basis of the number of different places sending us bad HELO greetings and SMTP bounces to nonexistent local users, we are being very actively forged as a spam origin once again. The numbers are up dramatically from last week:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 17830 | 679 | 3392 | 197 |
| Bad bounces | 5818 | 2568 | 1471 | 878 |
Other systems show (if anything) a semi-significant decrease in spam and bounces.
Those amusing Referer spammers
One form of blog spam is 'Referer' spam. Referer is the (optional)
HTTP header included in requests from web browsers to web servers that
contains the web page that the link to your page was on. Some blog
software uses this header as a lower-tech version of
Trackback.
Referer spam has the attraction for the spammers that it's dirt simple to do. All their software has to do is to make an ordinary HTTP request for a page or three on a web site and throw in a Referer header. No need to talk XML to a specific URL or anything like that.
As a result, Referer spammers appear willing to hit any web site without bothering to check whether their attempts work (this is like many mass attacks on the Internet; when the cost of the attack is so low, why bother being clever?). So, of course, they've wound up hitting CSpace.
Amusingly, so far the Referer spammers have only been hitting WanderingThoughts' spam category index page. Spammers (futilely) trying to leave Referer spam on a web page about spam; now that's irony.
What I suspect is that the Referer spammers are doing Google searches for web pages that already mention spam domains (perhaps particular ones), as a quick crude way of finding vulnerable web pages. Most of the time this works out okay, but it gets tripped up by web pages that discuss spam domains.
An analysis of my spammer
Looking at recent Referer spam, I got spam for excellent-health.com, casino-attraction.com, and cash-net.biz. Although they claim to be registered to different bogus places, they all seem to touch base with something variously called 'support2000.net', 'support-2000.net', and 'top-support.net'. They also all use the same two nameservers under various names, at the IP addresses 64.27.27.150 and 64.234.220.141.
64.27.27.0/24 is owned by 'Uplink Systems' under 'Hollywood Interactive, Inc' and is routed by ATMLINK (AS7796). 64.234.220.141 is part of a large WebStream Inc block and is SBL listed (SBL17672), for being in a /25 labeled as owned by Traffix.
The web sites themselves are all currently hosted at the IP address 64.4.195.62, part of 'ANET Internet Solutions' in the US, and its /27 is listed in the SBL as SBL24359 for being part of the Rokso-listed 'Brian Kramer / Expedite Media Group' grouping.
The IP addresses making the Referer spam requests don't seem to be listed in any DNS blocklist I routinely look at.
Some quick Googling suggests that these domains also engage in other sorts of blog spam, and that all three of these IP addresses are already well known for their spam involvement. (Yet they remain connected. Such is today's Internet, unfortunately.)
2005-08-09
My first comment spam
I feel like I've arrived somewhere: WanderingThoughts, this blog, has had its first case of comment spam. It's interesting to look at the trail of breadcrumbs and the actual spam, and to see both how much and how little work the comment spammers seem to be putting into this.
To skip to the punchline: some machines in 69.57.150.0/24 (ev1.net) left a peculiarly crafted comment spam pushing a web page on the host 'wieler-forum.nl' (also hosted by ev1.net at 69.57.151.150). The web page pointed to seems to exist to have a bunch of internal links to web pages called things like '/credit--card-consolidation-credit-debt/'.
Presumably the ultimate goal is to give the payoff pages linked to by the blogspam target a high page rank for those words (through relevant words in the page title plus URL plus being linked from a high pagerank page). The one payoff page I checked had a huge pile of links to a CGI on 'feed.peakclick.com', which send people off to a variety of other web sites.
peakclick.com itself is a 'pay per click' company. Their web page offers 'Free SEO assistance' (SEO being the common abbreviation for 'search engine optimization', sometimes aka blog comment spamming), so I suspect that at a minimum, peakclick.com would not be particularly horrified about what wieler-forum.nl is doing. (Their terms of service appear to require a login, so I can't tell if blog spamming theoretically violates them. They certainly send your click on a URL to them through a huge cycle of HTTP and Javascript redirections before it gets to its ultimate destination.)
The comment spam didn't do them any good, since I removed it promptly (due to getting an Atom feed of all comments on CSpace, I see new comments anywhere, even on old articles, pretty promptly).
The spam itself
The comment spam was done by three IP addresses: 69.57.150.107, 69.57.150.123, and 69.57.150.128. Nothing in 69.57.150.* has visited us in the past 28 days apart from for this, and they only visited to do commentspam. Google shows that these three IP addresses have been spamming for some time; the best URL it turns up is 'A new EV1 spammer'.
(Everyones Internet, ev1.net, has of course done nothing about it. They're not well known for doing things about any sort of spammers, to put it one way.)
Their commenting target was the article LargeSystemsTrick, from July 4th (more than a month old by now). They seem to have tried to post twice (at the same time) from two different IP addresses; one post failed (probably due to a DWiki code bug, unfortunately not logged for me to look at).
They also tried to post to the login form, so they may have a piece of software that tries to submit to every POST form on the web page. (They got a 404 response, which DWiki generates on login only if you do something like not supply necessary form values.)
The spam comment was one line of about 2,000 characters of more or less disassociated text and punctuation, with four control-A characters thrown in more or less at random. They only mentioned their URL near the end, once as a plain text 'http://....', and once as an HTML '<a href="...">' link (with the body text being the plaintext URL). They made no attempt to use DWikiText and no attempt to use HTML apart from the one link.
(I speculate that they at least think that there is some anti-blog-spam tool that only looks at the start of the comment. Why the control-As I have no idea; maybe they disrupt some tools.)
Searching for wieler-forum.nl on Google (here) will produce lots of spam examples more or less just like mine.
2005-08-07
XBL rejection stats, August 6th 2005
As a followup to my SBL rejection stats, here are similar numbers for the XBL (which includes the CBL as well as some other sources). Like those stats, this is based on connection time rejections over the past 28 days and change.
The basic stats are reasonably striking: over that time period, we rejected 34,000 different IP addresses. 13,500 of them (over half) are in the XBL now. (They may or may not have been at the time of their rejection.)
Recast by the number of rejections, we have 110,000 total, of which 43,800 are from XBL-listed IP addresses.
A more interesting breakdown is by the number of IPs in a given ASN; this says more or less what places are the largest problem source for XBL listings.
| # of different IPs | ASN | (owner) |
| 833 | AS4766 | Korea Telecom |
| 557 | AS9318 | Hanaro Telecom (Korea) |
| 462 | AS6478 | AT&T WorldNet |
| 413 | AS22909 | Comcast Cable |
| 407 | AS33287 | Comcast Cable |
| 315 | AS4837 | CNCGROUP China169 Backbone |
| 266 | AS7018 | AT&T WorldNet |
| 266 | AS6830 | UPC Distribution Services (Europe) |
| 264 | AS12322 | Proxad ISP (France) |
| 242 | AS4134 | CHINANET-BACKBONE |
| 223 | AS22047 | VTR BANDA ANCHA S.A. (Chile) |
| 222 | AS5617 | TPNET Polish Telecom |
| 212 | AS19262 | Verizon |
| 211 | AS17676 | Softbank BB Corp (Japan) |
| 206 | AS20115 | Charter Communications |
Many of our friends from the SpamByASN blog entry (which was based on total rejections) show up here again. This helpfully shows how many of our overall rejections are bad sources of zombies and other compromised machines.
Unfortunately the US comes off rather badly in this picture. If I merged ASNs belonging to the same organization, Comcast would be in second place (and not by much) and AT&T WorldNet in third. Please wake up, US cable companies; your zombie spam problem is only going to get worse.
The regular weekly stats
Kernel level filtering:
| Host/Mask | Packets | Bytes |
| 219.144.0.0/13 | 5628 | 270K |
| 194.250.136.10 | 5613 | 269K |
| 67.154.50.146 | 4077 | 195K |
| 220.160.0.0/11 | 3671 | 180K |
| 219.128.0.0/12 | 3202 | 159K |
| 209.45.41.98 | 3116 | 146K |
| 85.92.129.231 | 3042 | 183K |
| 221.216.0.0/13 | 2701 | 130K |
| 61.128.0.0/10 | 2569 | 129K |
| 212.216.176.0/24 | 2486 | 128K |
194.250.136.10 spent a good chunk of the week heading this list, only to be passed by a China Telecom aggregate at the last minute. Apparently the machine (powerweb2.powerantilles.com, in list.dsbl.org and dnsbl.njabl.org) really got abused this week; a Google search suggests it is some sort of SMTP or web open relay and has been for rather too long. (It's appeared here already, back in SpamSummary-2005-07-23.)
Connection-time rejections:
22834 total
10856 dynamic IP
6680 bad or no reverse DNS
1496 class bl-cbl
1025 class bl-ordb
737 class bl-dsbl
644 class bl-sbl
422 class bl-spews
215 class bl-sdul
179 class bl-njabl
8 class bl-opm
I believe the relays.ordb.org and list.dsbl.org high scores come from a few very active sources, particularly 216.215.149.146 (mail.benefitsplusinc.com, with 450 rejections all on its own), 67.154.50.146 (on ALGX in the US), 209.45.41.98 (server.fondebosque.org.pe), 217.144.239.115 (mail.streambase.no), and 64.7.8.202 (mail.grasskeepers.net).
We had 156,000 connections total from at least 31,500 different IP addresses, which is higher than normal and some other numbers suggest heavy traffic at some points. (My SMTP frontend can report the maximum number of simultaneous connections processed at any one time; this week, it hit 18. Usually it's around 10.)
The usual non-scientific survey suggests that we are once again being forged as the origin on a lot of spam mail. Our rejections of unresolvable HELO greetings are at more than twice last week's volume, and people sending us bounces to nonexistent local users are at about five times last week's rate.
(Please don't suggest that we should use SPF to cut down the bounce volume. It doesn't work.)
2005-08-01
Spam breakdown by SBL listing, July 31st 2005
This is, roughly speaking, a table showing the top N SBL listings that have been spamming us over the past 28 days and change. I generated it by grabbing all rejected IP addresses, looking them up in the SBL, and counting how many hits each SBL listing accumulated.
| Refused connections | SBL listing |
| 232 | SBL26860 |
| 208 | SBL23039 (Rokso: Randy Forman) |
| 190 | SBL21425 (listed since 28 Nov 2004) |
| 171 | SBL26524 (Rokso: Eric Reinertsen) |
| 119 | SBL24986 (also Eric Reinertsen) |
| 97 | SBL24651 |
| 74 | SBL27934 (a promiscuous webmail machine) |
| 69 | SBL28992 (more webmail machines) |
| 66 | SBL23012 (sms.ac, spamming 'invites' madly) |
| 52 | SBL20280 (a Korean /17 listed since 24 Dec 2004) |
| 47 | SBL23445 (Rokso: Traffix, listed since Feb 1st) |
| 44 | SBL29615 (look, more webmail!) |
| 43 | SBL19307 (a Chinese /16 listed since 9 Nov 2004) |
| 41 | SBL28644 |
| 41 | SBL28297 |
| 40 | SBL15575 (a /18 listing for wanadoo.es) |
| 35 | SBL28889 (a Chinese /16) |
| 35 | SBL20719 (a Taiwanese /16) |
| 33 | SBL24218 (Rokso: Jeffrey Peters) |
| 33 | SBL23427 (Rokso: Jumpstart Technology LLC, listed since Feb 3rd) |
There were 2522 rejected IP addresses that are now/still in the SBL in total, out of about 35000 that we rejected overall over the time period, so about 7% of the IP addresses we rejected are in the SBL. (Perhaps I will next do these numbers for the CBL.)
This isn't a perfect picture of what the SBL would have done to each of these IP addresses. There are several sources of inaccuracies:
- SBL listings get removed, so some IPs we rejected as SBL-listed when they tried are not SBL-listed now and so are not getting counted.
- not all of these IP addresses got rejected for being SBL-listed, since we check DNS blocklists after other criteria.
- some IP addresses we rejected back then for other reasons may now be SBL-listed.
(Also, by the time you read this blog entry some or many of these SBL listings may have been removed. That's one reason why I date these things.)
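As an added example of the counting the table above describes (not the blog's own script), this tallies refused connections and distinct IPs per SBL listing, the same two numbers the XBL stats entry quotes. It assumes the SBL is consulted over DNS by reversing the IPv4 octets under sbl.spamhaus.org and that a listed address answers with a TXT record naming its SBL id; the resolver is injected and the data constructed so it runs offline. Addresses that are not listed now get no TXT answer and simply fall out of the count, which is exactly the first inaccuracy listed above.

```python
import re
from collections import Counter, defaultdict

# Assumption (not from the post): the SBL is consulted over DNS by reversing
# the IPv4 octets under sbl.spamhaus.org, and a listed address answers with
# TXT records naming its listing, e.g. "https://www.spamhaus.org/sbl/query/SBL20671".
SBL_ZONE = "sbl.spamhaus.org"
SBL_RE = re.compile(r"\b(SBL\d+)\b")

def sbl_query_name(ip):
    """Reversed-octet DNS name for an IPv4 address, e.g. 4.3.2.1.sbl.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + SBL_ZONE

def sbl_listings(ip, resolve_txt):
    """SBL ids an address is listed under right now; empty when unlisted/NXDOMAIN."""
    found = set()
    for txt in resolve_txt(sbl_query_name(ip)) or []:
        found.update(SBL_RE.findall(txt))
    return found

def count_by_listing(rejections, resolve_txt):
    """Tally (ip, refused-connection count) pairs by current SBL listing.
    Returns (refused connections per listing, distinct IPs per listing)."""
    refused, ips, cache = Counter(), defaultdict(set), {}
    for ip, n in rejections:
        if ip not in cache:  # one DNS lookup per address
            cache[ip] = sbl_listings(ip, resolve_txt)
        for sbl in cache[ip]:  # unlisted addresses fall out here
            refused[sbl] += n
            ips[sbl].add(ip)
    return refused, {sbl: len(s) for sbl, s in ips.items()}

# Constructed stand-in for the resolver so the example runs offline; a real
# one would return the TXT strings for the name (dnspython's
# dns.resolver.resolve(name, "TXT") is one way to get them).
FAKE_TXT = {
    sbl_query_name("192.0.2.5"): ["https://www.spamhaus.org/sbl/query/SBL20671"],
    sbl_query_name("192.0.2.6"): ["https://www.spamhaus.org/sbl/query/SBL20671"],
    sbl_query_name("198.51.100.9"): ["https://www.spamhaus.org/sbl/query/SBL27384"],
}

def fake_resolve_txt(name):
    return FAKE_TXT.get(name)  # None stands in for NXDOMAIN

# Constructed rejection log summary: (rejected ip, times refused).
SAMPLE_REJECTIONS = [
    ("192.0.2.5", 400), ("192.0.2.6", 150), ("198.51.100.9", 98),
    ("203.0.113.1", 30),  # rejected for another reason; not SBL-listed now
]

if __name__ == "__main__":
    refused, distinct = count_by_listing(SAMPLE_REJECTIONS, fake_resolve_txt)
    for sbl, n in refused.most_common():
        print("%6d  %s  (%d IPs)" % (n, sbl, distinct[sbl]))
```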
Interestingly (and depressingly) the leading SBL listings are located in the US, Canada, and Britain, not in the howling spam-infested wilds of China, Russia, and the like. You have to go all the way down to SBL27934, the first webmail machine, before you find something in another country. China and Korea themselves are surprisingly far down the list (perhaps because they are mostly used for website hosting and less for outright spam-sending).
Most of the listings are quite recent, from April/May and later of 2005. (I believe I have annotated all of the ones that are older than that.)
Over the same time period, 9 IP addresses that were in the SBL when we rejected them got unlisted. Since the SBL doesn't keep old listings, there's no way to tell what they were listed for, or why they got delisted; since they did get delisted, I will avoid naming them here.