Wandering Thoughts archives

2005-10-30

Weekly spam summary on October 29th, 2005

This week we received 12,079 email messages from 226 different IP addresses. Our SMTP server handled 44,167 sessions from 4,794 different IP addresses. Session volume is up a bit compared to last week, but well within what I now consider normal fluctuations.

Because we rebooted this machine Monday evening, we're about 36 hours short on kernel-level and total connection volume stats (and I'm not going to bother with per-day breakdowns). We had 190,650 connections since Monday evening, from at least 30,420 different IP addresses; from Sunday to just before the reboot, we had 30,190 connections. A straightforward total would make this a fairly ordinary week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
66.154.124.9          13678    766K
64.52.16.234          11451    535K
85.214.22.252          9863    473K
212.216.176.0/24       9416    478K
66.147.35.53           5457    255K
202.96.0.0/12          4856    263K
80.169.152.25          4443    213K
217.57.113.212         4401    264K
218.102.53.0/24        4327    200K
66.179.44.52           4232    203K

This week, chinanet.cn.net has clawed its way back into the top ten and 66.154.124.9 finishes out its third week in first place, earning 66.154.124.0/28, aka SBL24721, an entry in the permanent blocklist. So much for Surge Media.

  • 66.179.44.52 is the only other IP address returning from last week or indeed any previous week; it's been blocked for repeated bad HELO names.
  • 85.214.22.252 is on the ORDB.
  • 217.57.113.212 is an interbusiness.it 'dialup' address; we don't talk to interbusiness.it anyway, but we especially don't talk to anything that has a generic interbusiness.it hostname.
  • everyone else got blocked for repeated bad HELO names.

Connection-time rejection stats:

  26507 total
  11429 dynamic IP
   7076 bad or no reverse DNS
   2179 class bl-cbl
   1516 class bl-ordb
   1400 class bl-spews
    675 class bl-sbl
    651 class bl-dsbl
    533 Chinese spam involvement
    199 class bl-njabl
    128 class bl-sdul
     14 class bl-opm

Several machines made outstanding contributions to these stats this week. 85.214.22.252, already featured in the kernel level stats, added 405 to the ORDB count, along with 196.1.211.35's 260; 210.51.25.177 gave 444 to the 'bad rDNS' count, with 203.167.99.194 assisting for 207. Several machines in SBL24721 gave the SBL stats a nice assist, as you might guess, but no one really stands out for SPEWS.

What            This week  (distinct IPs)  Last week  (distinct IPs)
Bad HELOs           18117             922      13278             731
Bad bounces          2985            1690       4038            2261

Interestingly, bad HELOs are up from last week but bounces are once again down. 64.52.16.234 HELO'd with a bad name 872 times this week before we blocked it (and then it made the top ten kernel filters list), but there aren't any other really big contributors.

Since I enjoy depressing myself, here are more Hotmail statistics:

  • one actual email accepted all week.
  • five Hotmail messages refused due to their originating IP addresses (three listed in the SBL, one from Gilat-Satcom, one from Nigeria).
  • 257 messages from Hotmail refused because they came from non-Hotmail email addresses.

Apparently our first set of Hotmail stats from two weeks ago were gathered during a slow week; Hotmail is now running only 0.4% 'email traffic we actually wish to accept'. If that.

SpamSummary-2005-10-29 written at 00:54:43

2005-10-29

Affiliate marketing is undead

Dear Internet marketers: affiliate marketing schemes that pay money are dead, killed by spammers. Please get over it and find a marketing technique that doesn't cause spam and attract spammers. (And if you are actually a spammer hiding behind 'affiliates', sorry, no one believes that any more.)

Affiliate marketing pays people for traffic. When people are being paid for traffic, spamming becomes the most cost effective way of generating it. So people spam. Anyone who opens their eyes can see this all over the Internet.

On today's Internet, spam is the inevitable consequence of 'affiliate marketing' schemes. There is a word for people who knowingly do things that cause spam: in many eyes, it is 'spammer'. (Or worse, for people who are trying to profit from spam without catching the blame for it.)

The other inevitable consequence is a bad reputation, because you can't throw a stone at spam without turning up (claimed) affiliate marketing or 'pay per click' programs. Consider that my referrer spammers, my comment spammers, and even the spam blogs I found are all doing it.

Affiliate marketing should be dead. But people prefer not to see this or believe their scheme will be an exception. As a result, affiliate marketing schemes lurch around the Internet, shedding spam everywhere they go, dead but still moving. In short, undead.

Unfortunately, I believe that this means that Google AdSense is probably doomed. And as the spam blogs I found demonstrate, spammers are already exploiting it. (Google can work to stop spammers, but there are lots more would-be spammers than there are Google people working to stop it.)

(If you don't 'pay' affiliates in money but instead use moderate discounts of not very liquid merchandise, you may be able to survive. See Amazon.)

AffiliateMarketingIsUndead written at 21:20:27

2005-10-23

Weekly spam summary on October 22nd, 2005

This week we received 11,880 email messages from 233 different IP addresses. Our SMTP server handled 36,465 sessions from 4,042 different IP addresses, down markedly from last week.

Overall connections are down slightly from last week: 210,400 connections from at least 38,800 different IP addresses. This week, we only hit a highwater of 22 connections being processed simultaneously. Per day statistics:

Day        Connections  Different IPs (+ = not seen earlier in the week)
Sunday          42,200          8,830
Monday          35,800         +5,110
Tuesday         18,630         +4,900
Wednesday       41,900         +5,330
Thursday        23,240         +5,500
Friday          28,820         +5,250
Saturday        19,790         +3,930

The Sunday surge is expected; we reboot with much of the kernel level IP filters cleared, and active IPs to block hit us and get added back in later on in the day. Simultaneous connections being processed hit 13 on Sunday then 22 on Thursday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
66.154.124.9          21081   1180K
212.216.176.0/24      11764    599K
66.92.140.53           9605    461K
216.213.82.100         6461    329K
67.123.2.225           6442    301K
80.250.6.1             5568    267K
66.179.44.52           5414    260K
218.102.53.0/24        5238    242K
62.101.217.247         4650    223K
65.86.183.103          4523    211K

No large netblocks made the list at all, but 66.154.124.9, 'Surge Media' in SBL24721 is really living up to its name (and reappears from last week). Also putting in return appearances are 66.92.140.53 and 66.179.44.52, both getting kernel level blocks due to repeated bad HELO names.

It's been a good (or bad) week for DNS blocklists; 216.213.82.100 is DSBL-listed, 80.250.6.1 is CBL-listed, and 62.101.217.247 is on the ORDB. The remaining four IP addresses got blocked for repeated bad HELO names.

Connection-time rejection stats:

  23648 total
  10554 dynamic IP
   7333 bad or no reverse DNS
   2369 class bl-cbl
    832 class bl-spews
    533 class bl-dsbl
    367 class bl-sbl
    336 class bl-ordb
    211 class bl-njabl
    169 class bl-sdul
      5 class bl-opm

Unlike last week, no single source is really active.

Other stats:

What            This week  (distinct IPs)  Last week  (distinct IPs)
Bad HELOs           13278             731      27390            1136
Bad bounces          4038            2261       5320            2739

Spammers are probably forging us less, although they continue to forge us. They will probably continue to forge us until the Internet melts down in a combination of depeerings, bankruptcies, and disagreements over which organization and country should run the whole thing.

SpamSummary-2005-10-22 written at 01:51:47

2005-10-16

Weekly spam summary on October 15th, 2005

This week we received 12,137 email messages from 240 different IP addresses. Our SMTP server handled 51,672 sessions from 4,977 different IP addresses. Session volume is down from last week, but not by what I'd consider a lot.

Overall connections are down to roughly the numbers we last saw four weeks ago: 222,800 connections from at least 38,400 different IP addresses. We did hit a highwater of 50 connections in flight at once, though. This week I have per-day statistics:

Day        Connections  Different IPs (+ = not seen earlier in the week)
Sunday          57,500          7,500
Monday          29,000         +5,700
Tuesday         21,500         +4,400
Wednesday       28,600         +5,700
Thursday        43,500         +5,200
Friday          28,700         +5,200
Saturday        13,900         +4,300

Both Sunday and Saturday are partial figures, which makes the Sunday numbers particularly startling. The maximum connections in flight highwater started the week at 22, jumped to 35 on Thursday, and hit 50 on Friday.
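The per-day tables above, and remarks elsewhere in these summaries such as "85.214.22.252 added 405 to the ORDB count" or "no single source stands out", are the output of aggregating a connection log. What follows is an added example and not the author's own reporting scripts: it parses a constructed log in an assumed format (the page never shows its log lines), produces the rejection-class counts in the layout of the "Connection-time rejection stats" lists, names the top contributors to one class, and builds a per-day table whose last column counts client IPs not seen on an earlier day of the week. That last column is how this example reads the '+' figures in the tables; the reading is an assumption, supported by the fact that those figures sum to the weekly "at least N different IP addresses" total.

```python
import re
from collections import Counter
from datetime import date

# Constructed connection log in an assumed format (the page never shows its
# log lines): "<date> <time> <accept|reject> <client IP> <reason>".
SAMPLE_LOG = """\
2005-10-09 03:12:44 reject 203.0.113.9 dynamic IP
2005-10-09 03:13:01 reject 203.0.113.9 dynamic IP
2005-10-09 04:02:10 accept 192.0.2.10 -
2005-10-09 05:40:00 reject 198.51.100.7 class bl-cbl
2005-10-09 06:15:30 reject 203.0.113.200 bad or no reverse DNS
2005-10-10 01:00:00 reject 203.0.113.9 dynamic IP
2005-10-10 01:00:30 reject 198.51.100.8 class bl-cbl
2005-10-10 02:22:22 reject 198.51.100.7 class bl-cbl
2005-10-10 09:00:00 accept 192.0.2.11 -
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (accept|reject) (\S+) (.*)$")


def parse_log(text):
    """Return (day, action, ip, reason) tuples; lines that are not
    connection records (other daemons, corrupt lines) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groups())
    return records


def rejection_stats(records):
    """[('total', N), (reason, count), ...] ordered by count, i.e. the
    layout of the 'Connection-time rejection stats' lists."""
    counts = Counter(reason for _, action, _, reason in records
                     if action == "reject")
    return [("total", sum(counts.values()))] + counts.most_common()


def top_contributors(records, reason, n=3):
    """The client IPs behind most of one rejection class, the kind of
    host that 'added 405 to the ORDB count'."""
    counts = Counter(ip for _, action, ip, r in records
                     if action == "reject" and r == reason)
    return counts.most_common(n)


def per_day(records):
    """(day, weekday, connections, new IPs) per day, where 'new IPs' are
    clients not seen on an earlier day. They sum to the weekly distinct
    total, which is the reading of the '+' column in the tables above."""
    seen = set()
    rows = []
    for day in sorted({r[0] for r in records}):
        ips = [ip for d, _, ip, _ in records if d == day]
        new = set(ips) - seen
        seen |= new
        rows.append((day, date.fromisoformat(day).strftime("%A"),
                     len(ips), len(new)))
    return rows


def distinct_ips(records):
    return len({ip for _, _, ip, _ in records})


def report(text):
    """Render the weekly-summary style report for one log."""
    records = parse_log(text)
    out = ["Connection-time rejection stats:", ""]
    out += [f"  {n:5d} {reason}" for reason, n in rejection_stats(records)]
    out += ["", "Day        Connections  different IPs"]
    for i, (_, weekday, conns, new) in enumerate(per_day(records)):
        sign = "" if i == 0 else "+"
        out.append(f"{weekday:10} {conns:11,d}  {sign}{new:,d}")
    out.append(f"\n{len(records)} connections from at least "
               f"{distinct_ips(records)} different IP addresses")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print(top_contributors(parse_log(SAMPLE_LOG), "class bl-cbl"))
```

Because `per_day` attributes each IP to the first day it appears, a Sunday that follows a reboot with cleared kernel filters will always show a large first-day figure, which is the effect the Oct 22 summary describes.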

Kernel level SMTP packet filtering top ten:

Host/Mask           Packets   Bytes
66.154.124.9          16559    927K
212.216.176.0/24      10719    568K
61.128.0.0/10         10352    501K
192.35.251.3          10326    495K
218.102.53.0/24        7015    320K
213.4.149.69           6476    290K
213.4.149.64           5863    304K
66.179.44.52           5608    269K
222.166.82.174         5340    320K
207.170.62.202         5298    262K

This week only one Chinese network makes the top ten, and in third place instead of its first-place finish last week. A surprising number of the individual IP addresses are new.

  • 66.154.124.9 is in SBL24721. 'Surge Media' is apparently an accurate label.
  • 192.35.251.3 (bad HELO), 213.4.149.69 (terra.es bad reverse DNS), and 66.179.44.52 (bad HELO) are all repeat visitors to the top 10.
  • 222.166.82.174 is a hkcable.com.hk cablemodem customer.
  • everyone else was added due to unresolvable HELO names.

Connection-time rejection stats:

  30390 total
  16033 dynamic IP
   8219 bad or no reverse DNS
   2164 class bl-cbl
   1911 class bl-spews
    389 class bl-dsbl
    368 class bl-sbl
    249 class bl-sdul
     96 class bl-njabl
     64 class bl-ordb
      6 class bl-opm

The dynamic IP address count jumped significantly, in part due to a few machines seriously hammering on us before being firewalled away; one wanadoo.fr machine tried 1,269 connections before giving up. A few SPEWS-listed people were pretty persistent too.

Other stats:

What            This week  (distinct IPs)  Last week  (distinct IPs)
Bad HELOs           27390            1136      30842            1438
Bad bounces          5320            2739       8181            4121

We're still rejecting an annoying amount of backscatter, but we'll probably always be. Two IP addresses, 64.123.95.10 and 12.8.18.132, both did quite a lot of backscattering this week; no one else stands out compared to last week.

(Someday I will do a report on backscatter and bad HELOs by ASN.)

SpamSummary-2005-10-15 written at 00:55:13

2005-10-15

How Hotmail is doing on the spam front

So, how is Hotmail doing with its spam problems? This very issue has come up in news.admin.net-abuse.email recently, so let's take a look and see.

This week we accepted exactly one email from Hotmail, which may or may not have been spam.

Also this week, we refused 84 messages from Hotmail that came from non-Hotmail email addresses, mostly msn.com but including domains like 'ukwiningnotice.com', 'usm2005lot.net', and 'infonotification.com'. Msn.com users rejected included ones called british_lotterywinnings and vhfprizecenter1. (For some reason, posing as UK lotteries seems popular with the Hotmail-hosted people who spam us.)

This week we also rejected 15 Hotmail messages because they came from bad areas of the network; 8 from SBL-listed IP addresses, 4 from CBL-listed ones, and 3 because they were from bad network areas. Two IP addresses tried to send multiple emails through Hotmail:

  • 213.185.106.3, a CBL-listed Nigerian IP address, sent three; two from apavel1 and one from jamesangulu
  • 84.41.216.20, SBL-listed since June 25th, sent two; one from aliwaheed3 and one from aliwaheed12.

Thus, this week Hotmail is 99% unwanted email and at most 1% email we actually wanted. Not exactly a good ratio; Vernon Schryver's remark definitely applies.

(Past summaries of Hotmail.com spam can also be found in SpammerRoundupI.)

HotmailSpamRedux written at 23:43:11

2005-10-09

Weekly spam summary on October 8th, 2005

This week we received 12,111 email messages from 242 different IP addresses. Our SMTP server handled 61,080 sessions from 6,951 different IP addresses. Both email volume and session volume are up from last week, despite us being cut off from Level 3 customers for part of the week. (The University of Toronto gets core connectivity from Cogent, and you may have heard about the spat Cogent and Level 3 had between Wednesday and Friday.)

Overall connections are up again from last week: 299,200 connections from at least 41,000 different IP addresses. Our SMTP frontend once again hit a highwater of 50 maximum connections in flight. (I really need to be able to do a day by day breakdown of these numbers, to see when the connection rates jump.)

Looking back to the first of these reports in SpamStats-2005-06-25 it's tempting to draw some overall conclusions. Unfortunately it would be misleading, since our connection-time checking process is different now than it was back then. The growth in connection rates and the changes in other statistics may be in large part because we are now more aggressive about telling people to come back later.

(At the same time I think it's clear on a week to week basis that we have seen significant jumps in the volume of bad stuff.)

Kernel level SMTP blocks:

Host/Mask           Packets   Bytes
61.128.0.0/10         17702    858K
66.92.140.53          13785    662K
202.96.0.0/12         10500    517K
212.216.176.0/24       9717    506K
218.102.53.0/24        8949    413K
213.4.149.69           8804    403K
24.173.71.171          7366    354K
24.147.105.129         7340    352K
220.160.0.0/11         6826    331K
65.124.82.6            6257    300K

China comes in like gangbusters for once, specifically chinanet.cn.net (all three of the large netblocks in the top ten are theirs). I believe this may be a record placement of large netblocks in the top ten listing. tin.it and Netvigator continue their strong showings.

  • 213.4.149.69, a terra.es machine listed for bad reverse DNS data, has made the top 10 before (in SpamSummary-2005-09-17).
  • 24.147.105.129, smtp.capinc.com, is SPEWS-listed as part of Comcast/ATTBI.
  • 65.124.82.6, in QWEST space, was rejected because of bad reverse DNS; QWEST has hosted enough spammers that we now require anyone from their network space to have valid reverse DNS before we'll talk to them.
  • and finally, 66.92.140.53 and 24.173.71.171 did the usual thing of pumping out unresolvable HELO greetings.

This is clearly an atypical week; most weeks, the leading cause of getting into our kernel-level filters is unresolvable HELO greetings.
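The summaries on this page keep saying that hosts end up in the kernel-level filters for repeated bad or unresolvable HELO names (66.92.140.53 and 24.173.71.171 above, 64.52.16.234 with its 872 attempts in the Oct 29 summary, and "everyone else" in most of the weekly top-ten notes) without ever showing the check. The following is an added example, not code from the original post or from the author's mail setup: it validates an SMTP HELO/EHLO argument (syntax, bracketed address literals, bare IPs, resolvability) and counts failures per client IP so that a repeat offender can be handed from SMTP-level rejection to the packet filter. The `FAKE_DNS` table, the exact acceptance rules and the threshold of 50 are assumptions; the page gives neither its rules nor its cutoff.

```python
import re
from collections import Counter

# Hostname grammar: labels of letters, digits and hyphens, 1-63 characters,
# no leading or trailing hyphen, and at least two labels (a bare "localhost"
# or "PC" cannot be a resolvable public name).
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_IPV4_LITERAL_RE = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$")

# Constructed stand-in for the DNS (assumption: the page never shows its
# resolver). Maps a lowercase name to the addresses it resolves to.
FAKE_DNS = {
    "mail.example.org": ["192.0.2.10"],
    "smtp.example.net": ["198.51.100.5"],
}


def resolves(name, dns=FAKE_DNS):
    """True if the name has at least one address record in the table."""
    return bool(dns.get(name.lower()))


def classify_helo(helo, dns=FAKE_DNS):
    """Return (accepted, reason) for one HELO/EHLO argument.

    Accepted: a bracketed IPv4 address literal (allowed by RFC 2821) or a
    syntactically valid hostname that resolves. Everything else is a 'bad
    HELO' in the sense of the weekly summaries.
    """
    helo = helo.strip()
    if not helo:
        return False, "empty"
    if _IPV4_LITERAL_RE.match(helo):
        return True, "address literal"
    if helo.replace(".", "").isdigit():
        return False, "bare IP address"      # a literal must be in brackets
    if len(helo) > 253 or not _HOSTNAME_RE.match(helo):
        return False, "syntactically invalid"
    if not resolves(helo, dns):
        return False, "unresolvable"
    return True, "resolves"


class HeloTracker:
    """Count bad HELOs per client IP; once a client crosses the threshold it
    is marked for the kernel-level packet filter instead of being answered
    at the SMTP level again. The default threshold of 50 is an assumption."""

    def __init__(self, threshold=50):
        self.threshold = threshold
        self.bad = Counter()
        self.blocked = set()

    def record(self, ip, helo, dns=FAKE_DNS):
        if ip in self.blocked:
            return "block"                   # should no longer reach SMTP
        accepted, _ = classify_helo(helo, dns)
        if accepted:
            return "accept"
        self.bad[ip] += 1
        if self.bad[ip] >= self.threshold:
            self.blocked.add(ip)
            return "block"                   # hand the IP to the packet filter
        return "reject"                      # 5xx at the SMTP level


def outcomes(ip, helos, threshold=50):
    """Run a sequence of HELO attempts from one client through a tracker."""
    tracker = HeloTracker(threshold)
    return [tracker.record(ip, h) for h in helos]


if __name__ == "__main__":
    for h in ["mail.example.org", "[192.0.2.10]", "192.0.2.10",
              "nosuch.invalid", "bad_name.example.org"]:
        print(f"{h!r:26} -> {classify_helo(h)}")
    print(outcomes("203.0.113.9", ["a", "b", "c"], threshold=3))
```

The syntactic tests come first so that junk like `bad_name.example.org` or a bare `192.0.2.10` is refused without spending a DNS query on it; only well-formed names are looked up, which keeps a client that spews random HELOs from turning the check into a resolver load test.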

Connection-time rejection stats:

  25755 total
  12244 dynamic IP
   6513 bad or no reverse DNS
   1852 class bl-cbl
   1434 class bl-spews
   1044 class bl-dsbl
    556 class bl-sbl
    549 bad Chinese networks
    494 class bl-ordb
    285 class bl-sdul
    133 class bl-njabl
      8 class bl-opm

The stats are broadly the same as last week. Apart from 210.51.25.177, almost singlehandedly responsible for the sudden appearance of 'bad Chinese networks' in the list of noteworthy things, no single source stands out.

Other stats:

What            This week  (distinct IPs)  Last week  (distinct IPs)
Bad HELOs           30842            1438      20892            1155
Bad bounces          8181            4121       7235            3322

Since both of these numbers are up from last week, it's probably spammers forging us (yet again) as the MAIL FROM in their spam runs.

(Technical issues make the 'last week' numbers from this table not quite match up with the 'this week' numbers in the same report last week. I'm switching some manual procedures around so that the numbers should match up better in the future; the divergence has to do with when logfiles are rolled over and how that interacts with the weekly reboot.)

SpamSummary-2005-10-08 written at 02:02:12

2005-10-08

Exploring some spamblogs

I have a certain interest in the behavior of MSNbot, the MSN Search web spider. I'd like to keep track of what other people are saying about it in blogs; the obvious way is a date-based [msnbot] search using Google Blogsearch.

If you do the search you can see why the results leave me less than enthused: it is full of a cluster of spamblogs, mostly hosted at blogspot.com. They show up because they're mechanically including articles about search engine behavior and search engine optimization that they appear to pull from ezinearticles.com, most of which appear to have originally been written by Mike Banks Valentine of website101.com (for example, this article has been quite popular).

If we look at a representative posting, we can see that threaded through the web page are images and carefully keyworded captions that link to redirectors under 'clickbank.net' or on 'tietie.ru'; which one is used seems to depend on the page. (Also present are links to other spamblogs in the cluster, URLs from the original articles, and a few outbound links that may be attempts to persuade Google that they're not spamblogs.)

The images are common across all of the blogs and appear to be stock photos fetched from 'static.sxc.hu', which bills itself as 'the leading free stock photo site'. It's not clear why the spammers use images; they may be attempting to hit Google Image searches too, or maybe Google rates words in image captions higher than otherwise.

Clickbank.net is 'Click Sales Inc', with a primary website at clickbank.com; they seem to be a merchant backend for e-books, software, and other purely digital products. They offer charming services such as having their '100,000 affiliates' drive traffic to your website, and seem to be popular with people who sell things like '33 Days to Online Profits 2004 Edition'. (They also seem popular with people who spam Usenet and Google Groups.)

The tietie.ru URLs are just redirectors to the clickbank.net URLs. I'm not sure why the spammers want to cloak the presence of clickbank.net URLs, but evidently they do.

Another form of Google Blogsearch spam is all of the keywordblogger.net subdomains that show up in the [msnbot] search. While keywordblogger.net (aka pre-views.net, aka preview-search.com) is nominally in the blog searching and indexing business, their real purpose is to generate ad revenues for themselves (ironically including through Google Adwords) by drawing visitors to pages that are loaded with ads and stuff.

Keywordblogger.net seems to operate by copying entries from syndication feeds, 'indexing' them to find various common words like 'database' or 'website', and then re-presenting the search and indexing results as pseudo-blogs in subdomains that they then get Google Blogsearch to index. The syndication feeds from these pseudo-blogs then draw readers to keywordblogger.net web pages full of ads (unlike an honest blog aggregator, their RSS feeds don't point to the original URL for the entries).

You can see how little importance they attach to the real blog entries by looking at how they're presented on the web pages: in plain text in small blue type on a gray background, well down the page past all of the ads.

(Presumably keywordblogger.net is going to all of this effort so that they can say that they are a blog search company, and 'just' running ads like all of the rest. I can hope that this is not going to fool Google.)

Update: they're also keywordblogger.com and show up under that name in some Google Blogsearch searches.

ExploringSomeSpamblogs written at 22:31:23

2005-10-02

Weekly spam summary on October 1st, 2005

This week we received 11,661 email messages from 245 different IP addresses. Our SMTP server handled 49,500 sessions from 5,900 different IP addresses. Email volume has held steady from last week, but session volume is down.

Overall connections are actually up from previous weeks: 251,000, from at least 41,000 different IP addresses. Our SMTP frontend hit 50 simultaneous pending connections early in the week, which is its maximum at the moment. Other statistics suggest that this time around, the changes are because spammers are trying to spam us.

Kernel level SMTP blocks:

Host/Mask           Packets   Bytes
218.102.53.0/24       10647    492K [*]
68.21.250.130          8784    411K
212.74.114.37          7860    388K
195.188.82.90          7582    354K [*]
213.4.149.11           7556    344K [*]
212.216.176.0/24       6075    325K [*]
67.116.92.82           5963    286K
216.130.96.132         5511    257K
66.192.184.35          5262    253K
64.212.161.229         4731    227K

The four marked entries reappeared from last week; the remainder are new.

  • 212.74.114.37 is Tiscali UK's lead mail machine, and is on SPEWS.
  • 66.192.184.35 is in what we consider to be twtelecom.net dynamic IP address space.

Everyone else got listed for sending us enough unresolvable HELO greetings.

Connection-time rejection stats:

  25588 total
  13475 dynamic IP
   6328 bad or no reverse DNS
   2166 class bl-cbl
   1691 class bl-spews
    479 class bl-dsbl
    404 class bl-sbl
    233 class bl-ordb
    107 class bl-sdul
     63 class bl-njabl
      4 class bl-opm

Nothing stands out in looking at detailed stats, which means that the big jump in CBL hits is probably from spammers trying to spam us.
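Every weekly summary on this page (Oct 29, Oct 22, Oct 15, Oct 8 and this one) breaks connection-time rejections into the same classes: dynamic IP, bad or no reverse DNS, and one 'class bl-...' per DNS blocklist. The following is an added example, not the page's own code, of how such a connection-time policy can be built: a forward-confirmed reverse DNS check, a dynamic-address test on the PTR name and on known netblocks, and DNSBL lookups formed by reversing the IP's octets under the list's zone, with a 127.0.0.0/8 guard so that a wildcarded, hijacked or expired zone cannot silently list the whole Internet. The `FAKE_*` tables, the dynamic-name pattern, the netblock, the check order and the zone names are assumptions; the page refers to the lists only by name.

```python
import ipaddress
import re

# Constructed DNS data (assumption: the page does not show its resolver).
# PTR answers are keyed by IP, A answers by name.
FAKE_PTR = {
    "192.0.2.10": "mail.example.org",
    "192.0.2.55": "relay55.example.org",
    "192.0.2.56": "relay56.example.org",
    "198.51.100.7": "cpe-198-51-100-7.dsl.example.net",
    "198.51.100.130": "static130.example.net",
    "203.0.113.9": "host9.example.com",
}
FAKE_A = {
    "mail.example.org": ["192.0.2.10"],
    "relay55.example.org": ["192.0.2.55"],
    "relay56.example.org": ["192.0.2.56"],
    "cpe-198-51-100-7.dsl.example.net": ["198.51.100.7"],
    "static130.example.net": ["198.51.100.130"],
    "host9.example.com": ["203.0.113.99"],   # PTR name does not point back
}
# A DNSBL answers an A query for <reversed octets>.<zone>; a listing is an
# address in 127.0.0.0/8. Zone names and check order are assumptions.
DNSBL_ZONES = [("bl-cbl", "cbl.abuseat.org"), ("bl-sbl", "sbl.spamhaus.org")]
FAKE_DNSBL = {
    "55.2.0.192.cbl.abuseat.org": "127.0.0.2",      # genuinely listed
    "56.2.0.192.sbl.spamhaus.org": "198.51.100.1",  # bogus (wildcard/hijack)
}

# What counts as a dynamic or generic address: a PTR name carrying the usual
# provider tokens, or membership in a netblock treated as dynamic. Both the
# pattern and the netblock are assumptions.
DYNAMIC_RE = re.compile(
    r"(^|[.-])(dsl|dialup|dyn|dynamic|ppp|pool|cable|cpe)([.-]|\d)", re.I)
DYNAMIC_NETS = [ipaddress.ip_network("198.51.100.128/25")]


def dnsbl_query_name(ip, zone):
    """203.0.113.9 under cbl.abuseat.org -> 9.113.0.203.cbl.abuseat.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone, dnsbl=FAKE_DNSBL):
    """True only for a 127.0.0.0/8 answer; anything else means the zone is
    broken, wildcarded or hijacked and must not cause rejections."""
    answer = dnsbl.get(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")


def connection_check(ip, ptr=FAKE_PTR, a=FAKE_A, dnsbl=FAKE_DNSBL):
    """Classify a connecting client into the page's rejection classes."""
    addr = ipaddress.IPv4Address(ip)
    name = ptr.get(ip)
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    if name is None or ip not in a.get(name, []):
        return "bad or no reverse DNS"
    if DYNAMIC_RE.search(name) or any(addr in net for net in DYNAMIC_NETS):
        return "dynamic IP"
    for cls, zone in DNSBL_ZONES:
        if dnsbl_listed(ip, zone, dnsbl):
            return f"class {cls}"
    return "accept"


if __name__ == "__main__":
    for client in ["192.0.2.10", "192.0.2.55", "192.0.2.56", "198.51.100.7",
                   "198.51.100.130", "203.0.113.9", "203.0.113.200"]:
        print(f"{client:16} {connection_check(client)}")
```

The check order matters for the statistics: a dynamic-looking host whose PTR does not forward-confirm is counted under "bad or no reverse DNS" here, not "dynamic IP", and a host on two lists is credited to whichever zone is queried first, so the per-class counts in a report like the ones above depend on the policy's ordering as much as on what the spammers are doing.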

Other stats:

What            This week  (distinct IPs)  Last week  (distinct IPs)
Bad HELOs           19943            1141      26297            1726
Bad bounces          7087            3259       9866            4597

Spammers are still actively forging our domains, just not quite as often as last week. Such is life for a domain where they've been forging us for literally years. (I sometimes wish the University would sue a few of them, but the lawyers probably have many better things to do.)

SpamSummary-2005-10-01 written at 01:13:20

2005-10-01

Some problems in common definitions of 'spam email'

The most common attempts to define 'spam email' are either as 'UBE' (Unsolicited Bulk Email) or 'UCE' (Unsolicited Commercial Email); for example, the spamhaus.org definition here. I tend to think that this sort of definition of spam has some problems.

Let's start with a provocative question: is advance fee fraud (so-called '419' email) spam email? (You know this type of spam; the classic version has Mrs. Mariam Abacha, wife of the late Nigerian dictator Sani Abacha, asking you to help get her husband's fortune to safety.)

A peculiarity of advance fee fraud email is that the messages are often composed by hand (sometimes by people sitting in an Internet cafe in Nigeria) and sent to relatively few people. So it isn't necessarily UBE (or at least not straightforwardly).

One can say that this is UCE because it is 'commercial' in the sense of 'having profit as a chief aim' (cf this definition of 'commercial'), but I think that this is stretching the term. The sender hopes to profit not through a business transaction with you, but by defrauding you out of some money.

But let's go one step further. Take a message that was dumped into my mailbox in August 2005, that started with:

The forgotten facts in all religions are explained by Allah through Imam Iskender Ali MIHR.

This is clearly not UCE; there's no attempt to profit, just proselytize (for www.mihr.com). This particular example was probably UBE (but I don't know for sure), but sooner or later similar messages may be composed by earnest people in Internet cafes and sent out just to you. Does that make them not spam? I'm pretty sure most people would disagree and call such email spam.

Clearly people's practical, gut definition of email spam is wider than just UCE or UBE.

Spamhaus has a technical definition of spam that would include the 'Iskender' email above, because it had no personalization for each recipient. But what if the earnest young men start personalizing their proselytization, perhaps using information from your web page; is their email transmuted to 'not spam' just because they are doing research and typing things by hand?

Was it spam when a fire and forget Microsoft recruiter sent Eric S. Raymond (a well known open-source booster and no fan of Microsoft) a recruitment pitch? (It was probably sent by hand.)

This matters because there are a number of ISPs and other organizations that find it convenient to define spam as only UCE (or UBE, depending on the organization). If their customers are doing things that fall outside of UCE or UBE, you are generally out of luck. (And I'm sure that Microsoft would assure us that the email to ESR is definitely not spam.)

Perhaps this is why brinkster.com has yet to do anything about www.mihr.com (IP address 65.182.104.58), despite the August 2005 spam being sent from mihrfoundation.com (IP address 65.182.104.57 at the time, right next door). After all, it wasn't UCE.

SpamDefinitionProblem written at 18:18:12



This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.