Wandering Thoughts archives

2005-12-25

Weekly spam summary on December 24th, 2005

Merry Christmas and happy holidays to all, and to the spammers a lump of coal since they do not seem to be taking time off at all.

This week we received 14,342 email messages from 206 different IP addresses. Our SMTP server handled 74,689 sessions from 6,178 different IP addresses. Received email is down from last week, which is no surprise since the university knocked off for Christmas holidays on Wednesday, but session volume is way up.

Connection volume is up too: 262,200 connections from at least 44,100 different IP addresses. Interestingly, total IP addresses aren't up all that much from last week. Broken down by days:

Day         Connections  different IPs
Sunday           22,860         +7,080
Monday           21,190         +6,460
Tuesday          20,760         +6,060
Wednesday        21,370         +6,430
Thursday         21,900         +5,840
Friday           47,000         +6,600
Saturday        107,110         +5,640

Apparently spammers get a real 'bah humbug', given the explosion in connections on Friday and especially Saturday, Christmas Eve.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.140.2.73          37005   2220K
62.94.0.30             6782    303K
81.56.74.165           6153    313K
195.135.141.22         5205    259K
65.66.66.244           4552    213K
213.4.149.11           4264    196K
24.116.108.32          4037    189K
200.27.50.35           3996    226K
66.27.61.190           3965    185K
208.255.239.200        3676    169K

It's rare that all of the top ten are individual IP addresses, which goes to show how active the spam has been recently.

  • 213.140.2.73 is a fastweb.it machine; we don't talk to them due to previous spam problems.
  • Reappearing from before are 81.56.74.165, 195.135.141.22, and 213.4.149.11.
  • 62.94.0.30 and 66.27.61.190 used bad HELO names a lot.
  • 195.135.141.22 is on the CBL; from its hostname, it may be a NAT machine.
  • 65.66.66.244 and 24.116.108.32 are both end-user machines, one a DSL line and one a cablemodem.
  • 208.255.239.200 is in SPEWS due to UUNet's habit of continuing to take money from Eric Reinertsen.

Connection time rejection stats:

  31796 total
  16883 dynamic IP
   7385 bad or no reverse DNS
   3344 class bl-cbl
   1749 class bl-spews
    586 class bl-dsbl
    460 class bl-ordb
    435 class bl-sbl
    265 class bl-sdul
     28 class bl-opm
     20 class bl-njabl

SPEWS has jumped a lot from last week, but everyone else seems to have held more or less to par. There are a number of pretty active sources, but no one over 277 connection rejections.

The other numbers are eye-opening:

what         # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs          36014             888         2088             169
Bad bounces        15449            3456         2754             738

This has been a catastrophic week for bad HELO names and for bounces. 12.20.160.25 sent us over 1600 bad HELO names before getting blocked, and there are a lot of people in the several hundred range. (Partly this may be because we have been blocking people less often.)

Bad bounces are not quite so voluminous, but all sorts of people upended hundreds on us, including AOL. The most active is 65.42.65.137, with 330 sessions. It seems clear that spammers have started forging our domains in their spam runs once again.

The Hotmail numbers are their usual dismal levels:

  • 3 email messages accepted; at least one was likely spam.
  • 250 messages rejected because they came from non-Hotmail email addresses.
  • 71 messages sent to our spamtraps.
  • 13 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (three for being in the SBL, one for being in the CBL, and one from Benin).

(This is a little bit lower than last week, so maybe some Hotmail spammers are taking time off.)

SpamSummary-2005-12-24 written at 00:53:07

2005-12-24

When comment spammers attack

WanderingThoughts has been getting little one-off bits of comment spam for some time, but late last night I had my first actual comment spam attack run. There are a number of interesting and odd little bits about it.

The first sign of trouble was a single comment spam posted in the evening of December 20th, from a PacBell DSL line. I removed it pretty rapidly, but on December 23rd the spammer came back from various other IPs to post 12 more spam comments between 3:40am and 3:43am.

(The spammer doesn't appear to have ever checked to see if their posted comment from the 20th worked, so I'm not sure why they only posted one comment then.)

During both comment spam runs, the spammer also deluged WanderingThoughts with a bunch of page requests from a variety of IPs (26 URLs from 23 different IPs the first time, 300 URLs from 75 different IPs the second time). Each request had two distinct signatures:

  • a bunch of whitespace after the 'HTTP/1.1' in the GET command, instead of an immediate end of line.
  • a Referer header of 'http://<server domain>' (no trailing slash), presumably in an attempt to make them look more legitimate.

I can only guess that this is an attempt to hide the comment spam posts in a bunch of other traffic. (Of course, I get sufficiently little traffic that the actual effect was to make both incidents stand out like sore thumbs.)

The spam comments were all identical. They looked like this:

http://pd2.funnyhost.com
 <a href="http://pd3.funnyhost.com">desk3</a>
 [url=http://pd4.funnyhost.com]desk4[/url]
 [link=http://pd6.funnyhost.com]desk6[/link]

Presumably funnyhost.com has simply picked the four most common ways of making links in blog comments and slammed them all in one spam in an attempt to cover all the bases. Some Googling suggests that they've been spamming like this quite actively for quite some time.
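As an added illustration (not the blog's own code), here is a small Python detector for the two request signatures described above and for comments that mix several link syntaxes the way these did. The server name blog.example, the sample requests and the ordinary comment are constructed; the spam body is the one quoted above.

```python
import re

# Request line whose protocol version is followed by padding, e.g.
# "GET /path HTTP/1.1   " rather than an immediate end of line.
PADDED_REQUEST_LINE = re.compile(r"^(?:GET|HEAD|POST) \S+ HTTP/1\.[01][ \t]+$")

# The four link syntaxes that each spam comment carried at once.
LINK_SYNTAXES = {
    "bare":   re.compile(r"(?<![\"'=])https?://\S+"),
    "html":   re.compile(r"<a\s+href=[\"']?https?://", re.I),
    "bbcode": re.compile(r"\[url=https?://", re.I),
    "link":   re.compile(r"\[link=https?://", re.I),
}


def request_quirks(request_line, headers, server_domain):
    """Return the names of the request-level signatures present.

    request_line:  the raw first line of the HTTP request, padding intact.
    headers:       dict of header name -> value.
    server_domain: our own hostname (a constructed value in the demo below).
    """
    quirks = []
    if PADDED_REQUEST_LINE.match(request_line):
        quirks.append("padded request line")
    # A Referer of exactly http://<server domain>, with no trailing slash
    # or path, is not what a browser sends when following a real link.
    if headers.get("Referer", "") == "http://" + server_domain:
        quirks.append("bare-domain referer")
    return quirks


def link_syntaxes(comment):
    """Return the set of link syntaxes used in a comment body."""
    return {name for name, rx in LINK_SYNTAXES.items() if rx.search(comment)}


def is_shotgun_link_spam(comment, min_syntaxes=3):
    """Genuine comments rarely mix link syntaxes; the spam used all four."""
    return len(link_syntaxes(comment)) >= min_syntaxes


# Constructed samples: the spam body from above, one ordinary comment, and
# two requests against a hypothetical server called blog.example.
SPAM_COMMENT = (
    "http://pd2.funnyhost.com\n"
    ' <a href="http://pd3.funnyhost.com">desk3</a>\n'
    " [url=http://pd4.funnyhost.com]desk4[/url]\n"
    " [link=http://pd6.funnyhost.com]desk6[/link]"
)
PLAIN_COMMENT = 'Nice post; see <a href="http://example.org/notes">this</a>.'
ODD_REQUEST = ("GET /blog/ HTTP/1.1   ", {"Referer": "http://blog.example"})
NORMAL_REQUEST = ("GET /blog/ HTTP/1.1", {"Referer": "http://blog.example/"})

if __name__ == "__main__":
    print(sorted(link_syntaxes(SPAM_COMMENT)), is_shotgun_link_spam(SPAM_COMMENT))
    print(request_quirks(*ODD_REQUEST, "blog.example"))
    print(request_quirks(*NORMAL_REQUEST, "blog.example"))
```

Either signature alone is only a hint; the point of the run above was that both appeared on every request, so scoring them together is what makes the traffic stand out.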

Funnyhost.com is claimed to be owned by 'Home Media', located in Malaysia, but has its websites hosted by Dotster.com. Cleverly, their web pages only display for certain browsers; things like lynx and wget get empty (0 byte long) pages.

Once you get the real pages, they're a bunch of advertising links, leavened with JavaScript popups, some JavaScript to disguise links, and some images fetched from 'cache.revenuedirect.com'. The popup I looked at is served by 'webpdp.gator.com', aka Claria and apparently a common popup ad company. The advertising links are sent through 'pagead2.googlesyndication.com' (a real Google domain) before reaching the advertised websites.

The interesting domain in this is revenuedirect.com, which claims (according to their front page) to let you earn money from your domain names without needing to develop a website by 'monetizing' your traffic. They appear to do this by supplying canned websites (that seem to look a lot like funnyhost.com's) loaded with popups and disguised Google ads; presumably they collect a cut of the revenue.

So the model seems to be:

  • Google and Claria pay people for running advertising.
  • revenuedirect.com bundles up a canned setup for exploiting Google and Claria.
  • funnyhost.com buys into revenuedirect.com's services, then spams a lot of blogs to draw traffic to their websites.

This all makes a handy illustration of affiliate marketing being dead. Again.

WhenCommentSpamAttacks written at 02:12:57

2005-12-18

Weekly spam summary on December 17th, 2005

To start with, Hotmail's numbers:

  • 3 emails accepted from Hotmail, at least two of them likely spam.
  • 263 messages rejected because they came from non-Hotmail email addresses.
  • 106 messages sent to our spamtraps.
  • 33 messages refused because their sender addresses had already hit our spamtraps.
  • 6 messages refused due to their origin IP address (five for being in the SBL, and one from Nigeria).

Despite all of these crappy numbers, we've determined that we get at least some legitimate and wanted email from Hotmail, so we will not be blocking them entirely. Oh well. Dear Hotmail: please fix your spam problems.

On the rest of the numbers:

This week we received 16,179 email messages from 209 different IP addresses. Our SMTP server handled 23,552 sessions from 2,014 different IP addresses. Email volume is slightly down from last week, although session volume is up significantly and the number of sources has doubled.

Connection volume is up significantly from last week: 150,000 connections from at least 42,800 different IP addresses. Again there is a significant jump in the number of different IP addresses trying to talk to us.

Day         Connections  different IPs
Sunday           20,500         +6,330
Monday           18,490         +5,920
Tuesday          19,600         +5,110
Wednesday        17,850         +4,330
Thursday         16,950         +5,540
Friday           22,000         +8,030
Saturday         33,770         +7,550

Most of the week looks relatively ordinary (although overall higher than last week), but come Friday and we see a significant upturn. I suspect that this trend will continue on through next week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.140.2.68           6694    402K
210.215.122.10         5600    269K
207.145.162.56         5552    266K
83.170.21.250          5047    242K
222.166.82.174         4860    292K
212.216.176.0/24       3766    187K
195.135.141.22         2620    131K
217.34.169.49          2475    126K
194.102.202.34         2209    106K
81.193.116.226         2108    101K

Apart from Telecom Italia's outgoing mail servers, this is all individual hosts.

  • Only 222.166.82.174 returns from before.
  • 213.140.2.68 is a fastwebnet.it machine; we don't talk to any of them due to too much spam.
  • 83.170.21.250, 222.166.82.174, and 217.34.169.49 are all what we consider 'dialup' machines.
  • 207.145.162.56 is on the ORDB.
  • 195.135.141.22 is on the CBL.
  • 210.215.122.10 and 81.193.116.226 are both lacking in good reverse DNS.
  • 194.102.202.34 sent us too many unresolvable HELO greetings.

The overall packet counts are up somewhat over last week.

Connection time rejection stats:

  29999 total
  14435 dynamic IP
   8935 bad or no reverse DNS
   4243 class bl-cbl
    620 class bl-sbl
    497 class bl-ordb
    326 class bl-sdul
    249 class bl-dsbl
    222 class bl-spews
     54 class bl-njabl
     11 class bl-opm

The 'dynamic IP' and CBL numbers have jumped significantly, without having any one single source. It looks like spammers have started up targeting our users with significant spam runs, most of which we have hopefully refused.

what         # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs           2088             169          716              67
Bad bounces         2751             738          135              99

I'm not surprised by the sudden jump in both of these numbers, although I'm not thrilled either (especially by the jump in bad bounces, since that means spammers are back to forging us into the origin addresses of their spams).

SpamSummary-2005-12-17 written at 00:47:46

2005-12-11

Weekly spam summary on December 10th, 2005

Once again I'll lead with Hotmail's spam numbers, because they continue to be bad:

  • one email accepted (probably spam).
  • 218 messages rejected because they came from non-Hotmail email addresses.
  • 111 messages sent to our spamtraps.
  • 30 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (all for being in the SBL).

Now, on to the general numbers.

This week we received 17,296 email messages from 202 different IP addresses. Our SMTP server handled 18,730 sessions from 998 different IP addresses. This is about the same as last week, and once again we have two very active local users (6,993 and 4,302 messages) and the Linux kernel mailing list (2,225 messages) as a good part of the volume.

Connection volume is down from last week: 85,479 connections from at least 29,652 different IP addresses. The drop in the number of different IP addresses trying to send us mail is interesting. Broken down by day it goes:

Day         Connections  different IPs
Sunday           12,220         +4,480
Monday           12,910         +4,590
Tuesday          14,600         +5,070
Wednesday        11,270         +4,070
Thursday         12,140         +4,670
Friday           12,720         +3,750
Saturday          9,600         +3,010

Apart from a slight spike on Tuesday, this is basically flat. I'll probably not bother to report such flat numbers in detail in the future. (This table is still built by hand in a relatively hacky way. Besides, it takes up space.)
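The '+N' column in these daily tables is read here as the number of IP addresses first seen that day (the daily figures add up to the week's distinct-IP total). As an added example, not the blog's own hand-built tooling, this Python builds the same table from a constructed connection log of '<ISO timestamp> <client IP>' lines:

```python
from collections import Counter
from datetime import datetime

# Constructed connection log: "<ISO timestamp> <client IP>", one line per
# inbound SMTP connection, deliberately not in time order.
SAMPLE_LOG = """\
2005-12-18T00:12:01 192.0.2.10
2005-12-18T03:44:09 192.0.2.11
2005-12-19T02:16:00 198.51.100.7
2005-12-18T09:02:33 192.0.2.10
2005-12-19T01:15:44 192.0.2.10
2005-12-19T22:58:10 198.51.100.7
2005-12-20T04:01:01 203.0.113.5
2005-12-20T04:01:02 192.0.2.11
"""


def daily_connection_table(log_text):
    """Return [(iso_date, connections, new_ips), ...] in date order.

    connections: connections made that day.
    new_ips:     addresses not seen on any earlier day, i.e. the '+N'
                 column; summed over the week it gives the number of
                 distinct IPs for the week.
    """
    entries = []
    for line in log_text.splitlines():
        if line.strip():
            stamp, ip = line.split()
            entries.append((datetime.fromisoformat(stamp), ip))
    entries.sort()  # "first seen" only means something in time order
    connections, new_ips, seen = Counter(), Counter(), set()
    for when, ip in entries:
        day = when.date().isoformat()
        connections[day] += 1
        if ip not in seen:
            seen.add(ip)
            new_ips[day] += 1
    return [(day, connections[day], new_ips[day]) for day in sorted(connections)]


def weekly_totals(table):
    """Total connections and distinct IPs over the whole table."""
    return sum(row[1] for row in table), sum(row[2] for row in table)


def format_table(table):
    """Render the table in the layout the weekly summaries use."""
    lines = ["%-10s %12s %14s" % ("Day", "Connections", "different IPs")]
    for day, conns, new in table:
        weekday = datetime.strptime(day, "%Y-%m-%d").strftime("%A")
        lines.append("%-10s %12s %14s" % (weekday, "{:,}".format(conns), "+{:,}".format(new)))
    return "\n".join(lines)


if __name__ == "__main__":
    table = daily_connection_table(SAMPLE_LOG)
    print(format_table(table))
    print("week: %d connections from %d different IPs" % weekly_totals(table))
```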

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
212.216.176.0/24       5708    282K
81.56.74.165           5292    269K
69.105.51.114          3813    178K
66.62.47.34            3179    191K
80.128.0.0/12          2982    144K
69.15.141.50           2684    129K
213.96.252.240         2621    157K
219.238.168.124        2275    109K
213.123.26.91          2050   98400
219.128.0.0/12         1861   95064

This week's kernel level rejection stats are remarkably low.

  • 80.128.0.0/12 is a Deutsche Telekom block, apparently all dialups. DT has a serious open proxy problem, one virulent enough that we have firewalled their entire IP blocks for some time rather than play whack-a-mole.
  • Reappearing from before are 81.56.74.165, 69.105.51.114, and 66.62.47.34. (Two of them from last week, even.)
  • 69.15.141.50 is on list.dsbl.org.
  • 219.238.168.124 is a Chinese IP address with no reverse DNS.
  • 213.96.252.240 and 213.123.26.91 both tried to feed us bad HELO names too often. Since 213.96.252.240 is a rima-tde.net IP address (with generic reverse DNS), I'm not terribly charitable towards it to start with. 213.123.26.91 is interesting; it is one of the machines that are 'smtpout.btconnect.com', but it HELO'd repeatedly as 'hesl02uker.he.local'.

Connection time rejection stats:

  15345 total
   7443 dynamic IP
   4688 bad or no reverse DNS
   1816 class bl-cbl
    325 class bl-ordb
    305 class bl-sbl
    300 class bl-dsbl
    139 class bl-spews
    103 class bl-njabl
    101 class bl-sdul
      8 class bl-opm

There are no particularly prolific single IP addresses.

what         # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            716              67          704              65
Bad bounces          135              99          178             118

Bounces continue to slide, leading me to hope that spammers have more or less given up forging our domains as the MAIL FROM of their spam runs. The clear champion of bad HELO names is 69.105.51.114, a PacBell ADSL line (sigh); 213.123.26.91 comes in third.

(This is somewhat variable, as we don't promote IP addresses into the kernel blocklists on any predictable schedule. Possibly I should change that.)

SpamSummary-2005-12-10 written at 00:40:54

2005-12-04

Weekly spam summary on December 3rd, 2005

I'll lead with Hotmail's spam numbers:

  • four emails accepted, and I know for sure that two of them were spam.
  • 239 messages rejected because they came from non-Hotmail email addresses.
  • 24 messages refused because their sender addresses had already hit our spamtraps.
  • 10 messages refused due to their origin IP address (5 in the SBL, 4 in the CBL, and one from Nigeria).

The case for banning Hotmail entirely becomes more and more compelling. It's probably time to raise it with the rest of my group and my manager.

For the rest of it, this week we received 17,371 email messages from 236 different IP addresses. Our SMTP server handled 18,603 sessions from 1,015 different IP addresses. This is slightly down from last week, but still well up on our historical trends.

Looking at the mail traffic, I think that this is due to mailing lists (especially local ones) becoming more active and to more status monitoring emails, and that it goes to only a couple of local users. The top two local users got 7,000 messages and 4,250 messages this week; the next most popular human recipient got only 160.

Our connection volume is down from last week, back to what I consider the (new) normal: 103,500 connections from at least 34,600 different IP addresses. Broken down by day, it goes:

Day         Connections  different IPs
Sunday           12,920         +5,200
Monday           17,000         +5,590
Tuesday          15,750         +5,660
Wednesday        20,630         +6,580
Thursday         13,410         +4,210
Friday           15,000         +4,400
Saturday          8,800         +2,960

While there's a little Wednesday peak, there was no Thursday jump; instead things fall off then, and continue to fall for the rest of the week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
65.110.13.98           8632    518K
212.216.176.0/24       8619    429K
81.56.74.165           8551    435K
201.245.43.254         7017    357K
66.62.47.34            4963    298K
66.62.47.57            4923    295K
65.110.13.99           4086    245K
207.14.219.245         3308    155K
210.103.205.230        3027    145K
193.41.153.65          2920    140K

  • Only 193.41.153.65 reappears from previous top listings, and that from a long time ago. It's one of our permanent blocks for very fast retries on a bad HELO name.
  • 65.110.13.98 is in SBL11354.
  • 66.62.47.34 and 66.62.47.57 are part of SBL34212.
  • 81.56.74.165 is a dialup-like proxad.net machine.
  • 201.245.43.254 and 210.103.205.230 have bad or missing reverse DNS and are from areas (LACNIC and APNIC respectively) where we only accept connections from IP addresses with good reverse DNS. (210.103.205.230 is also in dnsbl.njabl.org.)
  • 207.14.219.245 sent us bad HELO names too often (and is in bl.spamcop.net and several other DNSBLs).

Unlike last week, we have a lot more entries with relatively high packet counts. But a lot of them look like spammers, as opposed to people trying to dump spam backscatter on us.

Connection time rejection stats:

  24224 total
  11287 dynamic IP
   7981 bad or no reverse DNS
   2641 class bl-cbl
    586 class bl-ordb
    535 class bl-sbl
    307 class bl-dsbl
    218 class bl-spews
    176 class bl-sdul
    150 class bl-njabl
      7 class bl-opm

(As usual, other sources of connection time rejections are insignificant.)

There's no one as prolific as last week, although 68.207.108.73 and 210.207.185.214 made an attempt at it (both are in the CBL). In fact, five of the top 10 most prolific IP addresses are in the CBL; two are in the SBL, and three in dnsbl.njabl.org (two of which were also in list.dsbl.org). Despite the prolific DNSBL presence, the reasons for listing break down to one 'dialup', five lacking good reverse DNS, two in the SBL, and one each for list.dsbl.org and dnsbl.njabl.org.

I think I'll stop the breakdown now.

what         # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            704              65          682              76
Bad bounces          178             118          190              98

This week we have fewer sources of bad HELO names, but they're a bit more prolific; the most aggressive was 195.63.35.42, with 111 connections, followed by 212.248.13.106 with 66. (Last week the most aggressive source had 52.)

SpamSummary-2005-12-03 written at 01:39:17

2005-12-03

CBL listings broken down by ISP

Chris Lewis of Nortel recently posted a breakdown of CBL listings by ISP in news.admin.net-abuse.email. Here's the top ten of his listing:

375649 chinanet.cn.net
130245 cnc-noc.net
102931 telekom.gov.tr
80936 kornet.net
67721 tpnet.pl
51671 dtag.de
47246 rain.fr
33678 interbusiness.it
33500 hananet.net
28433 hinet.net

The article itself can be found here (Message-ID <dmnk30$6m5$2@zcars129.ca.nortel.com>), and is worth reading for the full list.

The resulting subthread suggested that US-based ISPs are so low in the listings because many of them have blocks on outgoing port 25 connections from cablemodem and home DSL lines.

I'm a bit surprised by the list; I had no idea China was so bad (note that cnc-noc.net is Chinese), or that Turkey would be in third place. dtag.de (Deutsche Telekom) doesn't surprise me at all, as I have a number of systems that have been slammed by a large and aggressive collection of open proxies in their t-dialin.net and t-ipconnect.de domains.

LewisCBLByISP written at 22:52:21

