Wandering Thoughts archives

2005-09-25

Weekly spam summary on September 24th, 2005

As time goes by, more and more of these weekly spam summaries are getting automated. Which just goes to show that sooner or later, I can learn from experience and do things right.

This week we received 11,900 email messages from 245 different IP addresses, and our SMTP server handled 63,600 sessions from 7,400 different IP addresses. Email volume is a tiny bit down from last week, but session volume is up; we're probably getting hammered more than usual by spam bounce backscatter.

Our SMTP connection count and kernel level block statistics are missing about 36 hours this week because we rebooted the server Monday night; both stats reset each reboot (normally once a week, early Sunday morning). Having said that, they're still pretty strikingly up.

Overall connections since Monday the 19th at 5:30pm Eastern or so: 234,000, from at least 30,000 different IP addresses. Much of this came early in the week; by 3:40 pm on the 21st, we had already seen 111,200 connections from at least 13,900 different IP addresses and had reached the week's high-water mark of 17 simultaneous connections.

Kernel level SMTP blocks:

Host/Mask           Packets   Bytes
202.96.0.0/12         17429   1011K
218.102.53.0/24       11495    531K
195.188.82.90         11375    532K
213.4.149.11          10345    461K
213.4.129.132          9591    412K
212.216.176.0/24       9050    444K
71.133.232.113         8809    503K
209.34.82.59           7034    338K
66.179.44.52           5807    279K
67.151.195.195         5452    255K

Vaulting into first place is a long-term block of a large portion of Chinanet address space. Second place goes to Netvigator, bringing the Far East's contribution up this week. Of the rest, only 213.4.149.11 (mx.terra.es, frequently on this list) and 213.4.129.132 (another terra.es machine, first seen last week) are repeat visitors.

213.4.129.132 is yet another terra.es machine, rejected for not having good reverse DNS. All the other ones banged on our doors too often with unresolvable HELO greetings.

Connection-time rejection stats:

  25692 total
  12178 dynamic IP
   6811 bad or no reverse DNS
   1973 class bl-spews
   1323 class bl-dsbl
   1272 class bl-cbl
    458 class bl-ordb
    416 class bl-sbl
    105 class bl-njabl
     84 class bl-sdul
     10 class bl-opm

There are no particularly prominent single sources of connection time rejections this week, certainly not for the DNS blocklists; their larger numbers this week seem to be natural fluctuation.

Other stats:

what           this week  (distinct IPs)   last week  (distinct IPs)
Bad HELOs          23703            1665       27038            1188
Bad bounces         9205            4381        6774            3209

This makes it pretty probable that our increased volume this week was spam bounce backscatter.

SpamSummary-2005-09-24 written at 02:04:51

2005-09-24

A spammer roundup

It's time to do a roundup on the status and activities of various of my perennial spammers and spam sources. (Unfortunately I can't literally round them up, nor use something like Roundup (tm) to make them disappear. Spammers are more persistent than weeds.)

Hotmail's spam problem continues unabated, despite any attempts to get Microsoft's attention. This week alone we rejected 330 attempts by Hotmail to get us to accept non '@hotmail.com' addresses from them. They involved 266 different email addresses from 86 different domains; the clear 'winner' in the domain addresses was msn.com (222 times), but then there were such domains as 'onlineuklotttery.com', 'betterdaysloto.com', and 'unionbanksite.com'.

Hotmail's other spam problem is also still happening every so often. Just today we refused a Hotmail email from 82.169.144.3, part of SBL19800, listed as an advance fee fraud source since April 4th.

The referer spammers still hit me once or twice a day, always for the spam category page and always from compromised machines (often listed on the XBL). Mostly it's for online card game gambling sites, although a couple of times it's been for online pharmacies. The web site hosting has moved to the IP address 161.58.59.8, Verio Web Hosting, with a reverse DNS of 'blackjack-123.com'. (Google shows that this IP address has been hosting Referer spam websites for quite a long time.)

They are getting creative in the domain names; I have to enjoy 'www.evilplots.com'. There doesn't seem to be any particular commonality in the domain registration information. All of the ones for the past week use 209.200.14.204, 64.234.220.141, and/or 161.58.59.8 as their nameservers, under various names; 64.234.220.141 is part of SBL17672, a ROKSO listing for Traffix.

The major comment spammers from CommentSpamWritLarge are still trying to post comments; they've made 182 attempts (from 108 different IP addresses) since the early morning of September 18th. 72 attempts were from just one IP address, 208.62.160.29, 'millwood.simplecom.net', part of Bellsouth's IP range. The claimed user agent was 'libwww-perl/5.803', so apparently one of the spammers has a Perl program to do this sort of stuff. (A Google search shows that we are not the only web site getting hit by these people.)

Of the big previous sources, 209.200.11.96/28 (previously the leading source) seems to have disappeared. Still appearing to at least some extent were 80.237.140.233, 168.143.113.0/24, and 207.248.240.119.

As always, neither group appears to care in the least that their attempts are completely fruitless.

SpammerRoundupI written at 21:17:27

2005-09-20

Some words of wisdom for free webmail providers

Vernon Schryver, in news.admin.net-abuse.email:

The buck always stops or is at least duplicated at the SMTP client. It does not matter to rational spam targets whether the operators of a spam relay are paid for their services or forward spam as a charity.

(From Message-ID <dgefme$buk$1@calcite.rhyolite.com>, and let's hope that link stays working.)

WordsForWebmailProviders written at 15:37:22

2005-09-18

Weekly spam summary on September 17th, 2005

It's Saturday evening again, so it's time for the weekly spam roundup.

This week we received 12,500 email messages from 221 different IP addresses. This is about a typical email volume (perhaps a bit down) and a typical number of distinct IP addresses that we accept email from. (Most of the traffic comes from a few mailing lists and the campus email system.)

Our SMTP server handled 49,600 actual sessions from 5,200 different IP addresses. If you think this is a bad ratio of sessions to real email, just wait; it gets worse.

Overall connections are down from last week: 219,000 connections from at least 32,600 different IP addresses. The high water mark for the number of simultaneous connections being checked at once was up again, hitting 39 at some point this time.

Top 10 sources of incoming packets to our SMTP port that the kernel is configured to just drop on the floor:

Host/Mask           Packets   Bytes
212.216.176.0/24      10639    552K
213.4.149.69           9919    452K
218.102.53.0/24        5251    243K
213.4.149.11           4834    213K
208.177.19.78          4800    230K
212.74.114.23          4704    232K
208.47.242.106         4696    220K
209.69.82.111          4510    216K
63.85.50.194           4441    204K
213.4.129.132          4439    191K

I believe that this is the first week that no large netblock has made the top-10 list. Only 213.4.149.11 (mx.terra.es) is a repeat appearance; all the others are new. (The two /24s are repeats from last week too, but they don't count since they're now permanent entries in our kernel-level blocks.)

  • 213.4.149.69 and 213.4.129.132 appear to be terra.es machines with bad reverse DNS. Since we've seen so much trouble from terra.es, we insist that any machines from their netblock at least have valid reverse DNS.
  • 212.74.114.23 is a SPEWS-listed mail.uk.tiscali.com machine. Almost certainly we refused a lot of advance fee fraud email.

All the others HELO'd with unresolvable names often enough that we added them to the kernel-level filters for this week.

Connection-time rejection stats:

  23905 total
  11499 dynamic IP
   6234 bad or no reverse DNS
   1366 class bl-spews
   1365 class bl-cbl
    767 class bl-sbl
    760 class bl-dsbl
    417 reject sytebuilder.com
    351 class bl-ordb
    153 class bl-njabl
    116 class bl-opm
     43 class bl-sdul

After the jump last week, the SBL numbers have gone back to normal. The SPEWS numbers seem to be due to a lot of reasonably determined sources, instead of a few big ones.

All of the 'reject sytebuilder.com' rejections are of 209.63.232.103, aka members.networld.com; the two domains belong to the same people. sytebuilder.com spammed us sufficiently blatantly back in 2001 to have an entry on our permanent reject list, and apparently they woke up this week to try to send us a bunch more things.

Bad HELOs and attempts to send bounces to nonexistent local users are up somewhat from last week. The figures:

what           this week  (distinct IPs)   last week  (distinct IPs)
Bad HELOs          20758            1119       19091             828
Bad bounces         6226            3020        5594            2138

(Since I finally scripted this report too, you'll be seeing it more often.)

SpamSummary-2005-09-17 written at 01:54:03

2005-09-17

Demon Internet joins the webmail hall of shame

Selected headers of a just-received advance fee fraud spam:

Received: from lon1-mail-2.visp.demon.net
  ([193.195.70.5])
  by <redacted> ...
Received: from lon1-mailstore-2.visp.demon.net
  (lon1-mailstore-2-port0.visp.demon.net
  [192.168.217.133])
  by lon1-mail-2.visp.demon.net (MOS 3.5.8-GR)
  with ESMTP id CTM15721;
  Sat, 17 Sep 2005 04:55:21 +0100 (BST)
Received: from 216.139.176.61
  by lon1-mailstore-2.visp.demon.net
  (MOS 3.5.8-GR)
  with HTTP/1.1;
  Sat, 17 Sep 2005 04:55:21 +0100
From: Queensley Rhoda <adswinning@beeb.net>
Subject: CONGRATULATION,YOU ARE A WINNER!!
X-Mailer: Mirapoint Webmail Direct 3.5.8-GR

216.139.176.61 has been listed as part of SBL16836 since June 1st, 2004 as an advance fee fraud spam source. It's also in a number of other DNS blocklists. In September of 2005, more than a year later, Demon is still perfectly willing to accept outgoing webmail from it and as a result be part of spamming us.

I am especially angered and saddened by Demon Internet joining the webmail hall of shame, because there once was a time when Demon was a shining example of a high-quality, geek-friendly, clued-in ISP. If there is any ISP that should know better, I would have thought it was Demon Internet.

Time to teach our mail scanner how to determine IP origin information for yet another webmail source that is making us do their work for them. (I am not ready to refuse all email from Demon, which is my default reaction to webmail providers who make me do their work for them these days. It's tempting, though.)
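
An added example, in Python, of what "determine IP origin information" involves for a webmail hop; this is not the mail scanner's own code. It parses each Received: header, picks the hop the provider recorded as an HTTP submission, takes the client IP from that hop, and builds the reversed-octet name a DNSBL lookup queries. The sample message is the header block above with the redacted local hop dropped; the DNSBL answer is a constructed stub standing in for the resolver (the post says the address is SBL-listed, so the stub says so too), and the visp.demon.net host suffix and the sbl.spamhaus.org zone are the example's assumptions.

```python
"""Pull the submitting client IP out of a webmail provider's Received headers
and turn it into a DNSBL query name.  Added example, not the post's scanner;
the DNSBL answer below is a constructed stub."""

import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample: the headers quoted above minus the redacted local hop,
# with an empty body so the email parser accepts it.
SAMPLE_MESSAGE = """\
Received: from lon1-mailstore-2.visp.demon.net
  (lon1-mailstore-2-port0.visp.demon.net
  [192.168.217.133])
  by lon1-mail-2.visp.demon.net (MOS 3.5.8-GR)
  with ESMTP id CTM15721;
  Sat, 17 Sep 2005 04:55:21 +0100 (BST)
Received: from 216.139.176.61
  by lon1-mailstore-2.visp.demon.net
  (MOS 3.5.8-GR)
  with HTTP/1.1;
  Sat, 17 Sep 2005 04:55:21 +0100
From: Queensley Rhoda <adswinning@beeb.net>
Subject: CONGRATULATION,YOU ARE A WINNER!!
X-Mailer: Mirapoint Webmail Direct 3.5.8-GR

"""

_HOP_RE = re.compile(
    r"^from\s+(?P<from>\S+)"                    # HELO name or bare IP literal
    r"(?:\s+\((?P<comment>[^)]*)\))?"            # optional (rdns [ip]) comment
    r"\s+by\s+(?P<by>\S+)"                       # the host that wrote the header
    r".*?\bwith\s+(?P<with>[A-Za-z][\w/.-]*)",   # protocol: ESMTP, HTTP/1.1, ...
    re.IGNORECASE,
)


def parse_received(value):
    """Split one Received: header into from/comment/by/with; None if it does
    not follow the usual 'from X by Y with Z' shape (some MTAs omit 'with')."""
    flat = " ".join(value.split())   # unfold continuation lines
    m = _HOP_RE.match(flat)
    return m.groupdict() if m else None


def _hop_client_ip(hop):
    """The address the 'by' host actually talked to: a bare IP in the 'from'
    field, else the [ip] the receiving host recorded in the comment."""
    candidates = [hop["from"].strip("[]")]
    if hop["comment"]:
        candidates += re.findall(r"\[([^\]]+)\]", hop["comment"])
    for cand in candidates:
        try:
            return str(ipaddress.ip_address(cand))
        except ValueError:
            continue
    return None


def webmail_origin_ip(raw_message, webmail_suffix):
    """IP that submitted the message over HTTP to the provider whose hosts end
    in webmail_suffix, or None when no such hop is present."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        if (hop["by"].lower().endswith(webmail_suffix.lower())
                and hop["with"].upper().startswith("HTTP")):
            return _hop_client_ip(hop)
    return None


def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for the resolver: the post says 216.139.176.61 is in
# the SBL, so the stub answers for that name and for nothing else.
_STUB_ANSWERS = {"61.176.139.216.sbl.spamhaus.org": "127.0.0.2"}


def stub_resolve(name):
    return _STUB_ANSWERS.get(name)


def dns_resolve(name):
    """Real lookup: an NXDOMAIN (socket.gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=stub_resolve):
    """True when the DNSBL returns an A record for the reversed name.
    Pass resolve=dns_resolve to ask the network instead of the stub."""
    return resolve(dnsbl_name(ip, zone)) is not None


if __name__ == "__main__":
    origin = webmail_origin_ip(SAMPLE_MESSAGE, "visp.demon.net")
    print(origin, dnsbl_name(origin, "sbl.spamhaus.org"),
          is_listed(origin, "sbl.spamhaus.org"))
```

The first hop is skipped because its "with" is ESMTP: the mailstore-to-MTA hop is Demon talking to itself and says nothing about where the message came from. Only the hop the webmail server itself wrote, the one recorded as an HTTP submission, carries the client address worth checking against the SBL.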

DemonJoinsHallOfShame written at 01:17:33

2005-09-11

Weekly spam summary on September 10th, 2005

Overall connections are up from last week: 239,000 SMTP connections from 39,000 different IP addresses. The SMTP frontend's highwater mark is up again, hitting 29 simultaneous connections.

Top 10 kernel level SMTP rejections:

Host/Mask           Packets   Bytes
213.4.149.11          13913    638K
192.35.251.3          13025    625K
212.216.176.0/24       8955    448K
208.136.201.43         7584    364K
202.96.0.0/12          6232    313K
65.90.203.102          5927    356K
218.102.53.0/24        5530    256K
213.29.7.174           5461    328K
67.32.131.231          5279    253K
212.44.241.24          5153    309K

65.90.203.102 turns out to be a mistake, due to an old listing for Broadwing dialup/dynamic address space that is clearly no longer valid. We probably have other now-invalid rejection rules, but they're hard to find and I don't have enough time and energy to systematically recheck things.

(Much of our dynamic IP address blocking is based on hostname patterns, which is hopefully less prone to rotting over time.)
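
As an added example (not our actual filter), here is the sort of hostname-pattern check this refers to, in Python. The dynamic-pool labels, the static-name override, and the hostnames it is run against are assumptions constructed for the example; the post does not publish its patterns. The check assumes the caller passes the forward-confirmed reverse name, one whose A record resolves back to the client IP, because the owner of an address range can publish any PTR record they like and an unverified name proves nothing.

```python
"""Classify SMTP clients as dynamic/residential by the shape of their reverse
DNS name.  Added example, not the blog's filter; token lists are assumptions."""

import ipaddress
import re

# Labels providers commonly use for dynamic pools (assumed list; a real
# deployment grows this per provider as the logs show what they name things).
DYNAMIC_TOKENS = {"dsl", "adsl", "dhcp", "dyn", "dynamic", "dynip", "pool",
                  "ppp", "pppoe", "dialup", "dial", "cable", "cpe"}
# Labels that override the heuristics: the provider says this one is static.
STATIC_TOKENS = {"static", "fixed"}


def _labels(hostname):
    """Split a hostname into tokens on dots and dashes, lower-cased."""
    return [t for t in re.split(r"[.-]", hostname.lower().rstrip(".")) if t]


def _octet_run(octets, tokens):
    """True if the four octets appear as consecutive numeric tokens, in
    either forward (c-203-0-113-7) or reversed (7.113.0.203) order."""
    nums = [int(t) if t.isdigit() else None for t in tokens]
    for i in range(len(nums) - 3):
        run = nums[i:i + 4]
        if run == octets or run == octets[::-1]:
            return True
    return False


def looks_dynamic(ip, hostname):
    """Return (is_dynamic, reason) for a client IP and its reverse name.

    hostname must be forward-confirmed (its A record resolves back to ip).
    Pass None when there is no reverse DNS at all; that case belongs to the
    separate 'bad or no reverse DNS' rule, so it is not flagged here."""
    octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    if hostname is None:
        return False, "no reverse DNS (separate rule)"
    tokens = _labels(hostname)
    # Checked first: an explicit static marker wins over an embedded address,
    # since many providers encode the IP in static customer names too.
    if any(t in STATIC_TOKENS for t in tokens):
        return False, "hostname marked static"
    if _octet_run(octets, tokens):
        return True, "ip octets embedded in hostname"
    packed_hex = "".join(f"{o:02x}" for o in octets)   # 203.0.113.7 -> cb007107
    if packed_hex in hostname.lower():
        return True, "ip embedded in hostname as hex"
    for t in tokens:
        if t.rstrip("0123456789") in DYNAMIC_TOKENS:    # dhcp42 -> dhcp
            return True, f"dynamic-pool label {t!r}"
    return False, "no dynamic markers"


if __name__ == "__main__":
    # Constructed examples using RFC 5737 documentation addresses.
    for ip, name in [("203.0.113.7", "c-203-0-113-7.hsd1.example.net"),
                     ("203.0.113.7", "7.113.0.203.dynamic.example.org"),
                     ("203.0.113.7", "adsl-cb007107.example.net"),
                     ("203.0.113.7", "static-203-0-113-7.example.net"),
                     ("203.0.113.7", "mx1.dslprovider.net")]:
        print(f"{ip:14} {name:36} {looks_dynamic(ip, name)}")
```

Matching whole labels rather than substrings is what keeps a name like mx1.dslprovider.net out of the dynamic bucket, and checking the static marker before the embedded-address rule is what keeps static-203-0-113-7.example.net out of it. Both are the kind of false positive a pattern list picks up over time; a pattern list still rots, just more slowly than a list of IP ranges does.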

Of the rest:

  • 213.4.149.11, mx.terra.es, is a frequent top-10 listing; it was blocked for its usual rapid spew of invalid HELO names.
  • 192.35.251.3, netfence.spss.com, is also a repeat offender for bad HELO names.
  • 218.102.53.0/24 is Netvigator's mail servers, which we haven't been willing to talk to for years anyways.
  • 213.29.7.174, mail1002.centrum.cz, appeared before in IPReject-2005-06-18. They're still in dnsbl.njabl.org, and checking their listing I see they've been there since May 26th, 2005, due to spewing out advance fee fraud spam. We have had all centrum.cz mail machines banned from our mailer for some time for the same reason.

Connection-time rejection stats:

  27106 total
  12298 dynamic IP
   8595 bad or no reverse DNS
   1783 class bl-cbl
   1563 class bl-sbl
   1068 class bl-spews
    581 class bl-dsbl
    300 class bl-ordb
    188 class bl-njabl
     69 class bl-sdul
     11 class bl-opm

The big jump in SBL hits is due to 1,131 hits from SBL20671, the ROKSO listing for 72.11.128.0/19, 'OC3 Networks - Ilan Mishan'. In turn this was all due to 72.11.156.0/24, a subnet that is full of IP addresses with reverse DNS to hostnames of the form '{crv,crve}.????.com'. The four characters in the domain name are usually letters, but I've seen some use of numbers and '-'.

To break up the monotony, the spammer threw in marketing-miracles.com, greatdealsforme.com (a more honest spammer domain name than usual), mylinemarketing.com, and marketingwarpspeed.com. They, and all the funny domains, all seem to be registered to the same organization, allegedly

Elbicho Ltd
Limited Elbicho
26 fremantle Court
Harbour Views, Gibraltar n/a
GI
+350.3500114473433
124656@whois.gkg.net

(Sometimes 'Elbicho Limited'.)

I can only hope that the spammer is paying real money for that parade of domain names. (Probably not, though. Still, they seem to have been registered back in May, so hopefully the registrar has gotten some actual money out of the spammer.)

In SPEWS news, mail.uk.tiscali.com keeps showing up (although not high in the league tables). This is probably because they are a prolific advance fee fraud spam source, although they may protest otherwise (there was a recent thread on news.admin.net-abuse.email claiming reform, which various people laughed at).

The usual eyeball scan shows bad HELOs and bounces to nonexistent local addresses down somewhat over last week.

And that concludes tonight's presentation of The Week In Spam.

SpamSummary-2005-09-10 written at 02:14:26

Comment spam writ large

This Friday I discovered a neglected web-based bulletin board on one of our web servers that was open for posting. Unfortunately, comment spammers had discovered it months before I did and had been gleefully exploiting it since then. The result gives me an unpleasant, full throttle view into the world of comment spammers.

The raw numbers are appalling: in the time they were active, the comment spammers posted at least 233,799 spam comments (fortunately, the web board only stored the last 100,000 or so comments, a limitation that I suspect the authors never expected to be hit). At a guess, they were probably doing this for at least six months and possibly more.

(The web bulletin board itself appears to have been last used on August 23rd 2003. Google searches suggest that the spamming may have started as early as October 16th 2003. Unfortunately the searches also show that Google did indeed index the spammed comments.)

Over the past 14 full weeks that I have logs for (from May 29th), they averaged 1160 comment spams a day, which is not quite one comment spam a minute. However, their activity was actually quite bursty, with the peak week seeing 61,918 comments (8,845 a day, more than 6 a minute).

(The rest of this is about the sources of the comment spam, because that information is a lot more accessible and easier to process. Perhaps later I'll try to analyze the web sites being spammed for and who hosts them.)

2,222 different IP addresses were involved in posting the comments, with a highly uneven distribution. Here is the top 10 list of spammer shame:

  Hits IP address/netblock
 30117 209.200.11.96/28
  4130 193.251.169.170
  2364 203.162.3.77
  1321 80.237.140.233
  1022 203.162.3.78
   899 168.143.113.0/24
   773 207.248.240.119
   749 198.65.161.88
   686 195.229.241.182
   618 200.201.178.58

209.200.11.96/28 is part of webair.com/webair.net's IP allocation, and according to them it belongs to one 'Kevin Moll' of Watsontown PA, aka powerstorm.net. This source has stayed active through September 9th, but figures no more prominently than usual in the big week.

168.143.113.0/24 is anonymizer.com, in part of Verio's netspace. Clearly they're being abused by comment spammers. I wouldn't be surprised if any source of anonymous web access that allows POST commands is being abused that way, including the EFF-sponsored Tor network; spammers just don't care what effects their actions have on other users of the services they're exploiting.

42% of the different IP addresses (935 out of 2222) are currently listed in the XBL. Since XBL listings usually expire in significantly less than 14 weeks, this is particularly impressive. They accounted for 48% of the hits remaining after you exclude the almost 27% that come from powerstorm.net and anonymizer.com.
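
As an added example (not the scripts used for the figures here), this is how the counting behind the table and percentages above can be done in Python: count POSTs to the board per client IP from the web server's access log, fold individual addresses into the netblocks called out above, list the top sources, and work out the share of hits the two big sources account for and the share of distinct addresses and hits that come from blocklisted IPs. The log lines and the set of "listed" addresses are constructed for the example; a real run would take the listed set from DNSBL lookups against each distinct IP.

```python
"""Aggregate comment-spam sources from a web access log.  Added example, not
the scripts behind the numbers in the post; all input data is constructed."""

import ipaddress
import re
from collections import Counter

# Constructed sample access log (Common Log Format).  The GET and the junk
# line are there to show what the parser ignores.
SAMPLE_LOG = """\
209.200.11.100 - - [05/Sep/2005:10:01:02 -0400] "POST /board/post.cgi HTTP/1.0" 200 512
209.200.11.101 - - [05/Sep/2005:10:01:09 -0400] "POST /board/post.cgi HTTP/1.0" 200 512
209.200.11.104 - - [05/Sep/2005:10:02:15 -0400] "POST /board/post.cgi HTTP/1.0" 200 512
193.251.169.170 - - [05/Sep/2005:10:03:44 -0400] "POST /board/post.cgi HTTP/1.1" 200 512
193.251.169.170 - - [05/Sep/2005:10:03:51 -0400] "POST /board/post.cgi HTTP/1.1" 200 512
168.143.113.20 - - [05/Sep/2005:10:04:00 -0400] "POST /board/post.cgi HTTP/1.1" 200 512
198.51.100.9 - - [05/Sep/2005:10:05:00 -0400] "GET /board/index.cgi HTTP/1.1" 200 2048
garbage that is not a log line
"""

# Netblocks worth reporting as a single source (the two called out above).
FOLD_BLOCKS = [ipaddress.ip_network("209.200.11.96/28"),
               ipaddress.ip_network("168.143.113.0/24")]

# Constructed stand-in for "currently listed in the XBL".
SAMPLE_LISTED = {"193.251.169.170", "168.143.113.20"}

_CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def post_sources(log_text, path_prefix):
    """Hits per client IP for POST requests under path_prefix."""
    hits = Counter()
    for line in log_text.splitlines():
        m = _CLF_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(path_prefix):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])   # drop malformed client fields
        except ValueError:
            continue
        hits[str(ip)] += 1
    return hits


def fold_blocks(hits, blocks=FOLD_BLOCKS):
    """Replace every address inside one of `blocks` with the block itself."""
    folded = Counter()
    for ip, n in hits.items():
        addr = ipaddress.ip_address(ip)
        key = next((str(b) for b in blocks if addr in b), ip)
        folded[key] += n
    return folded


def top_sources(hits, n=10):
    """Highest-volume sources first; ties broken by key for stable output."""
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def share_excluding(hits, excluded):
    """(fraction of all hits from `excluded` sources, hits left without them)."""
    total = sum(hits.values())
    if total == 0:
        return 0.0, 0
    exc = sum(n for k, n in hits.items() if k in excluded)
    return exc / total, total - exc


def listed_share(hits, listed):
    """(fraction of distinct IPs that are listed, fraction of hits they sent)."""
    ips = set(hits)
    if not ips:
        return 0.0, 0.0
    listed_ips = ips & set(listed)
    return (len(listed_ips) / len(ips),
            sum(hits[ip] for ip in listed_ips) / sum(hits.values()))


if __name__ == "__main__":
    raw = post_sources(SAMPLE_LOG, "/board/")
    folded = fold_blocks(raw)
    for src, n in top_sources(folded):
        print(f"{n:6d} {src}")
    big = {str(b) for b in FOLD_BLOCKS}
    frac, rest = share_excluding(folded, big)
    print(f"{frac:.0%} from the folded blocks, {rest} hits remaining")
    ip_frac, hit_frac = listed_share(raw, SAMPLE_LISTED)
    print(f"{ip_frac:.0%} of IPs listed, sending {hit_frac:.0%} of hits")
```

Folding is done after counting per address so that the per-IP table (the sidebar's list of individual powerstorm.net addresses) and the per-block table come from the same counts; the listed-share figure is computed on the unfolded counts, since a blocklist lists addresses, not netblocks.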

Top problem sources by ASN, after removing powerstorm.net and anonymizer.com:

# of hits ASN (owner)
4370 AS5511 France Telecom
4300 AS33774 Telecom Algeria
3842 AS7643 Vietnam Posts & Telecoms
3409 AS4134 CHINANET-BACKBONE
3031 AS4837 CNCGROUP China169 Backbone
2331 AS3352 Telefonica (Spain)
2070 AS11172 Alestra (Mexico)
1929 AS8895 Riyadh (Saudi Arabia)
1872 AS3462 Hinet (Taiwan)
1748 AS1659 Taiwan Academic Network
1460 AS5384 Emirates Internet (UAE)

(Verio almost makes the list, but with anonymizer.com removed they only have 1,154 hits. Webair has only 3 hits outside of powerstorm.net.)

Many of these networks can be described as 'the usual suspects', as they will look quite familiar to readers of SpamByASN and XBLStats-2005-08-06.

Only 11 different IP addresses were on the SBL, so I will just put them in a table:

# of hits SBL listing comments
567 SBL22883 listed for related malfeasance
405 SBL26426 SAIX web caches
217 SBL31555 rima-tde.net web cache
25 SBL24042
16 SBL25866
5 SBL17449
4 SBL30014 A ROKSO listed spammer
4 SBL16836
2 SBL23645
1 SBL21707

Looking at the SBL listings, it looks like machines that are ultimate sources of advance fee fraud spam are also going to source other problems.

Sidebar: the specific powerstorm.net IPs:

For Google's sake, the specific powerstorm.net IPs involved are: 209.200.11.100, 209.200.11.101, 209.200.11.102, 209.200.11.103, 209.200.11.104, 209.200.11.105, 209.200.11.106, 209.200.11.107, 209.200.11.108, and 209.200.11.110.

I don't know why 209.200.11.109 is missing. 209.200.11.110 made only one comment spam posting, on July 14th; the others are fairly evenly active. (And they stayed active; the most recent hit was September 9th.)

CommentSpamWritLarge written at 01:24:23

2005-09-10

Hotmail's Other Spam Problem

The 'Microsoft Personal Addresses' issue covered in HotmailSpamProblem is not Hotmail's only problem with spam.

Real Hotmail email addresses are a not insignificant source of various forms of advance fee fraud spam. Much of it comes from SBL and XBL listed IP addresses, sufficiently many that we've had to do Hotmail's filtering job for it as discussed back in WebmailBadSources.

In this day and age, letting IP addresses like 80.179.107.229 (listed since January 2005 as SBL15568) or 212.52.145.234 (SBL22101, December 2004) send email out through one's services counts as at least significant disregard for other people on the Internet. Hotmail is serving as an enabler to these people's spamming; it should not be.

Shame on you, Hotmail and Microsoft. I expected better from a company that claims to be as firmly anti-spam as Microsoft has been in the past. Filing big lawsuits is nice, but you need to do other things too.

Hotmail and other webmail providers are 'attractive nuisances' for spammers, much like accessible swimming pools are for kids. It is time (and long past the time) that Hotmail and others put up the antispam equivalent of fences.

HotmailOtherSpamProblem written at 15:49:25

Hotmail has a spam problem

Allow me to make that more sensational: Hotmail has a bad spam problem. Despite everything that Microsoft has said and done about being against spam, their Hotmail service is the source and the facilitator of an increasingly large amount of spam email.

As noticed most recently by Chris Linfoot in a series of blog entries (How to abuse Hotmail and get away with it and More on Hotmail and Personal Addresses), Microsoft will allow more or less anyone to register a 'Microsoft Personal Address'.

A 'Microsoft Personal Address' is your own domain name. Through Hotmail, Microsoft provides all of the services your domain needs: DNS, incoming mail, a URL forwarding service, and even outgoing email through Hotmail's own mail machines. In other words, about eight and a half yards of the full nine yards of spam support.

Worse, Microsoft provides no mechanism for people to report spam related to these domains. As Chris Linfoot has discovered, even complaints about spam email sent from Hotmail's own servers will be rejected by Hotmail with a form letter claiming that they are not responsible for any of this because it doesn't involve a '@hotmail.com' mail address.

Practically any other ISP in the world would be publicly pilloried for spam support this blatant, and several of them have been. But for some reason Microsoft and Hotmail get a free pass, despite the parade of various sorts of advance fee fraud spams that constantly emanate from Hotmail's mail servers.

Locally, we have dealt with this problem by refusing any email message from the Hotmail mail servers that doesn't have a MAIL FROM of hotmail.com. In at least a year of operation, we have yet to have a user complain that they aren't getting email, and we routinely reject 200 such messages every week. Unfortunately this is not something that leads to a real solution, since it does almost nothing to get Hotmail's attention or make it painful for them to continue doing it.

Chris Linfoot has also had to do this. (And shortly after he put the rule into place, it started blocking spam. Not surprising; at around 200 a week, that's 28 spam messages a day from Hotmail's servers.)
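
An added example of the rule in Python, not our actual mailer configuration: treat a client whose verified reverse name is under hotmail.com as a Hotmail server and refuse any MAIL FROM whose domain is not exactly hotmail.com, then tally the rejected domains and distinct addresses the way the spammer roundup reports them. The server hostnames and sender addresses in the sample sessions are constructed; the policy table and the decision to let the null sender through (Hotmail's bounces of mail our users sent to it arrive with an empty reverse path) are assumptions of the example.

```python
"""Reject non-provider sender domains from a webmail provider's servers at
MAIL FROM time.  Added example, not the mailer's real configuration."""

from collections import Counter

# Assumed policy table: reverse-DNS suffix of the provider's outbound MTAs
# mapped to the sender domains we will accept from them.
WEBMAIL_POLICY = {
    "hotmail.com": {"hotmail.com"},
}

# Constructed sessions as (forward-confirmed client rDNS, MAIL FROM argument).
SAMPLE_SESSIONS = [
    ("bay0-omc1-s1.bay0.hotmail.com", "<someone@hotmail.com>"),
    ("bay0-omc1-s1.bay0.hotmail.com", "<Winner@msn.com> SIZE=4120"),
    ("bay0-omc2-s7.bay0.hotmail.com", "<winner@msn.com>"),
    ("bay0-omc2-s7.bay0.hotmail.com", "claims@onlineuklotttery.com"),
    ("bay0-omc1-s1.bay0.hotmail.com", "<>"),
    ("mail.example.org", "<user@msn.com>"),
]


def parse_mail_from(argument):
    """Split the argument of MAIL FROM: into (localpart, domain).

    Accepts '<user@dom>', bare 'user@dom' and trailing ESMTP parameters such
    as SIZE=; the null reverse path '<>' comes back as ('', '')."""
    arg = argument.strip()
    if arg.startswith("<"):
        end = arg.find(">")
        if end < 0:
            raise ValueError("unterminated <path>")
        addr = arg[1:end]
    else:
        addr = arg.split()[0] if arg else ""
    if addr == "":
        return "", ""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed sender address {addr!r}")
    return local, domain.lower().rstrip(".")


def check_sender(client_rdns, mail_from, policy=WEBMAIL_POLICY):
    """Return ('accept' | 'reject', reason) for one MAIL FROM from one client.

    client_rdns must be the forward-confirmed reverse name of the connecting
    IP (None if it has none): an unverified PTR can claim to be anything."""
    if not client_rdns:
        return "accept", "no verified reverse name; not a webmail rule matter"
    rdns = client_rdns.lower().rstrip(".")
    for suffix, allowed in policy.items():
        if rdns != suffix and not rdns.endswith("." + suffix):
            continue   # 'evilhotmail.com' must not match 'hotmail.com'
        try:
            _, domain = parse_mail_from(mail_from)
        except ValueError as exc:
            return "reject", f"unparseable sender from {suffix} server: {exc}"
        if domain == "":
            # Assumption: bounces of our users' outbound mail still get in.
            return "accept", f"null sender (bounce) from {suffix} server"
        if domain in allowed:
            return "accept", f"{domain} sender from {suffix} server"
        return "reject", f"{suffix} server offering a {domain} sender"
    return "accept", "client is not a known webmail server"


def tally_rejections(sessions):
    """Counter of rejected sender domains plus the set of distinct rejected
    addresses, over (client_rdns, mail_from) pairs."""
    domains, addresses = Counter(), set()
    for rdns, mail_from in sessions:
        verdict, _ = check_sender(rdns, mail_from)
        if verdict != "reject":
            continue
        try:
            local, domain = parse_mail_from(mail_from)
        except ValueError:
            domains["<unparseable>"] += 1
            continue
        domains[domain] += 1
        addresses.add(f"{local.lower()}@{domain}")   # fold case: spammers vary it
    return domains, addresses


if __name__ == "__main__":
    for rdns, mail_from in SAMPLE_SESSIONS:
        print(f"{rdns:32} {mail_from:32} {check_sender(rdns, mail_from)}")
    domains, addresses = tally_rejections(SAMPLE_SESSIONS)
    print(domains.most_common(), len(addresses), "distinct addresses")
```

The suffix test is deliberately on the verified reverse name rather than on the HELO string, because HELO is whatever the client chooses to say; and it requires a label boundary, so a host under a look-alike domain does not inherit the provider's policy.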

HotmailSpamProblem written at 15:47:00

2005-09-04

Weekly spam summary on September 3rd, 2005

Overall connections are down slightly from last week: 200,000 SMTP connections from 33,800 different IP addresses. The frontend's highwater mark for simultaneous connections hit 24 this time around.

Top 10 kernel level SMTP rejections:

Host/Mask           Packets   Bytes
24.145.152.139        13125    630K
213.4.149.11          10706    488K
212.216.176.0/24       9508    497K
202.96.0.0/12          6346    311K
198.36.22.225          5675    272K
64.165.173.226         5325    256K
216.244.138.210        5232    251K
218.102.53.0/24        4766    220K
61.128.0.0/10          4318    226K
161.58.153.168         4317    213K

Both 213.4.149.11 and 161.58.153.168 reappear from last week, but all the other hosts are new. 218.102.53.0/24 is the mail servers of Netvigator, who have now earned themselves an IP level block because I got tired of them banging on our SMTP port.

Connection-time rejection stats:

  23374 total
  10321 dynamic IP
   6916 bad or no reverse DNS
   1411 class bl-dsbl
   1346 class bl-cbl
   1228 class bl-spews
    512 class bl-ordb
    412 class bl-sbl
    269 class bl-sdul
    268 class bl-njabl
     12 class bl-opm

There were some quite active attempts to mail us this week, the biggest simple source being 198.36.22.225 (listed at relays.ordb.org). The usual collection of free email providers continue their contributions.

On an eyeball scan, bad HELOs and attempted bounces to nonexistent local users are both down somewhat this week.

SpamSummary-2005-09-03 written at 03:51:40

