Wandering Thoughts archives

2006-01-29

Weekly spam summary on January 28th, 2006

Another week, another set of cruddy Hotmail spam numbers. Let's see how bad things are this week:

  • here's a new one: no email accepted from Hotmail this week.
  • 216 messages rejected because they came from non-Hotmail email addresses.
  • 107 messages sent to our spamtraps.
  • 20 messages refused because their sender addresses had already hit our spamtraps.
  • 6 messages refused due to their origin IP address (three for being from SAIX, two for being on the SBL, and one for being from Gilat-Satcom).

Apart from accepting no email, this is actually somewhat low for Hotmail. Still, it does mean they are batting 349 to nothing this week, which is not exactly a good performance.
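The five Hotmail buckets above are the outcomes of a small ordered policy: forged sender domain, sender already trapped, spamtrap recipient, origin IP on a blocklist, accept. Here is that policy as an added example (not the blog's own filter); the rule order, domain set, blocklist table and sessions are constructed assumptions.

```python
from collections import Counter

HOTMAIL_DOMAINS = {"hotmail.com", "msn.com"}   # assumption: what counts as a Hotmail address
SPAMTRAPS = {"trap@example.org"}              # constructed spamtrap recipient
LISTED_IPS = {"192.0.2.10": "sbl", "192.0.2.11": "cbl"}  # constructed; a real check queries DNS


def classify(client_ip, mail_from, rcpt_to, trapped_senders):
    """Return the summary bucket one delivery attempt from a Hotmail MTA falls into.

    trapped_senders is updated in place: a sender that hits a spamtrap is
    remembered so its later attempts land in the "already hit our spamtraps"
    bucket.  The rule order here is an assumption of this example.
    """
    sender = mail_from.lower()
    # A Hotmail MTA should only be relaying Hotmail addresses; anything else is forged.
    if sender.rpartition("@")[2] not in HOTMAIL_DOMAINS:
        return "non-hotmail sender"
    # Memory from earlier sessions: this MAIL FROM already hit a trap.
    if sender in trapped_senders:
        return "sender already trapped"
    # A trap recipient marks the sender for the rest of the week.
    if rcpt_to.lower() in SPAMTRAPS:
        trapped_senders.add(sender)
        return "spamtrap"
    # Origin IP checks come last so the sender-based buckets are counted first.
    if client_ip in LISTED_IPS:
        return "origin ip " + LISTED_IPS[client_ip]
    return "accepted"


def tally(sessions):
    """Count outcomes over a week's worth of (client_ip, MAIL FROM, RCPT TO) tuples."""
    trapped = set()
    counts = Counter()
    for client_ip, mail_from, rcpt_to in sessions:
        counts[classify(client_ip, mail_from, rcpt_to, trapped)] += 1
    return counts


# Constructed sessions; 192.0.2.0/24 is documentation address space.
SAMPLE_SESSIONS = [
    ("192.0.2.1", "friend@hotmail.com", "user@example.org"),
    ("192.0.2.1", "bogus@yahoo.com", "user@example.org"),
    ("192.0.2.2", "spammer@hotmail.com", "trap@example.org"),
    ("192.0.2.2", "spammer@hotmail.com", "user@example.org"),
    ("192.0.2.10", "other@msn.com", "user@example.org"),
]

if __name__ == "__main__":
    for bucket, n in tally(SAMPLE_SESSIONS).most_common():
        print(n, bucket)
```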

As for the other numbers, this week we received 12,595 email messages from 210 different IP addresses. Our SMTP server handled 17,443 sessions from 953 different IP addresses. All of this is about the same as last week. The connection rate is down slightly: 133,000 connections from at least 51,059 different IP addresses. The simultaneous connections highwater only hit 10, down significantly from last week, and the per day numbers look like this:

Day          Connections   different IPs
Sunday            18,801          +7,546
Monday            18,573          +6,820
Tuesday           21,563          +7,962
Wednesday         20,231          +8,479
Thursday          18,313          +6,810
Friday            21,467          +7,428
Saturday          14,029          +6,014

Again an even week, like last week; if it's this even next week, I'll be skipping this table.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
65.109.239.171         8693    522K
207.107.201.74         5379    246K
85.159.15.80           5294    318K
67.66.209.246          5264    246K
61.128.0.0/10          4616    231K
212.216.176.0/24       4369    218K
216.27.227.2           3204    154K
193.2.4.66             3073    169K
218.0.0.0/11           2477    124K
213.29.7.174           2451    147K

Chinese networks are slightly less represented than last week, but the highest numbers are higher. So how did our contestants qualify?

  • 65.109.239.171 reappears from all the way back in July, and was blocked for being a spammer.
  • 213.29.7.174 is a centrum.cz machine that's still getting rejected for being in dnsbl.njabl.org. I may just permanently list their /24 at this rate.
  • 67.66.209.246 is a swbell.net DSL line, plus they're listed in both dnsbl.njabl.org and relays.ordb.org. Fail.
  • 207.107.201.74 and 216.27.227.2 gave us too many bad HELO names.
  • 193.2.4.66 sent email to spamtraps and then kept trying to deliver more email from the same user.

Connection time rejection stats:

  26698 total
  13751 dynamic IP
   9086 bad or no reverse DNS
   2760 class bl-cbl
    194 class bl-ordb
    119 class bl-spews
    113 class bl-sbl
    112 class bl-njabl
    109 class bl-sdul
     89 class bl-dsbl
     13 class bl-opm

Several dialup machines were quite active in connection attempts, the top one being 24.178.115.13 at 281 attempts before it gave up. 16 of the top 30 source IPs were in the CBL, none in the SBL, and 9 are currently in bl.spamcop.net.

Other stats:

what           this week (distinct IPs)   last week (distinct IPs)
Bad HELOs          458  (37)                  180  (41)
Bad bounces        100  (68)                   37  (31)

Bad HELOs are not as bad as it looks; the total number of sources is down, and 68% come from just two IPs: 69.30.124.210 (214 bad HELOs) and 65.242.71.66 (97). Unfortunately there is no good news with the bad bounces, so it looks like spammers are starting to forge our domains in their MAIL FROMs.

Oh well, it was a nice dream while it lasted.

Sidebar: the interesting case of 65.109.239.171

65.109.239.171 is an interesting case. Unfortunately I don't know what it was listed for in July, but this time around it got in by being 'host.tucksprofessionalservices.com', which is either a spammer for hire or 'Trueman Tuck', a spamming 'Legal & Political Activist' whose domains include 'taxtyranny.ca'. Or possibly both. Apparently it has kept trying hard to deliver that spam this week.

Our records say that the 'fairtax@host.tucksprofessionalservices.com' origin email address first hit our spamtraps on October 24th, 2005, from the same IP address, so evidently the spam has been flowing for some time. I suspect that it was blasted out fairly widely (widely enough that we captured a full copy in email elsewhere) this time due to the Canadian federal election on January 23rd. The copy we captured arrived January 22nd and claimed to have been sent late on Friday the 20th, just barely in time to be a last minute political blitz.

(The content was the kind of far out there political ranting that makes my eyes bleed enough that I didn't try to read very much of it.)

All of the websites this person seems to operate are hosted out of more Alabanza IP address space at (more or less roughly) 65.109.180.0/27. Since it's Alabanza and a spammer, I've now blocked the entire /24.

(Complain to Alabanza? Are you kidding? I have far more productive things to do with my time.)

SpamSummary-2006-01-28 written at 01:51:18

2006-01-22

Weekly spam summary on January 21st, 2006

I'm going to lead with the Hotmail spam numbers, because they continue to be catastrophic.

  • two emails accepted, both from spamlike Hotmail usernames.
  • 376 messages rejected because they came from non-Hotmail email addresses.
  • 134 messages sent to our spamtraps.
  • 17 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (four for being in the SBL and one for being sent from SAIX, which has an advance fee fraud spam problem).

Happily, the rest of the weekly numbers are much better.

This week we received 13,873 email messages from 213 different IP addresses. Our SMTP server handled 17,484 sessions from 933 different IP addresses. This is about the same volume as last week.

Connection volume is up a bit from last week: 143,447 connections from at least 50,890 different IP addresses. The simultaneous connections highwater was only 27, so burst volume is down from last week. Per day figures:

Day          Connections   different IPs
Sunday            18,485          +7,424
Monday            22,674          +8,480
Tuesday           19,095          +7,319
Wednesday         23,177          +8,463
Thursday          22,501          +6,491
Friday            21,001          +6,712
Saturday          16,514          +6,009

Overall this seems to have been a more even week than last week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
219.128.0.0/12         5060    248K
213.29.7.171           5013    301K
202.157.144.3          4866    292K
212.216.176.0/24       4527    218K
61.128.0.0/10          3970    201K
205.178.145.65         3389    194K
213.4.129.135          3280    141K
68.234.100.168         3263    157K
66.62.47.57            2660    160K
221.216.0.0/13         2576    126K

This is a slow week for the kernel top ten, slow enough that quite a lot of large blocks make the list.

  • 202.157.144.3 and 66.62.47.57 both return from last week.
  • 213.29.7.171 is a centrum.cz machine; we haven't talked to them for ages. Another one in the same subnet made the list last week.
  • 213.4.129.135 is a telefonica.net machine we have had blocked for ages as a source of bad HELO names.
  • 68.234.100.168 is an Adelphia IP address that looks dynamic to us, and is widely listed on any number of DNS blocklists.

Connection time rejection stats:

  30429 total
  16005 dynamic IP
   9483 bad or no reverse DNS
   2779 class bl-cbl
    564 class bl-ordb
    436 class bl-sbl
    192 class bl-dsbl
    181 class bl-spews
    152 class bl-sdul
     94 class bl-njabl
     15 class bl-opm

No surprises and no particularly big single sources, although 203.150.224.48 tried hard (271 connections, blocked for being in APNIC without good reverse DNS). Only 8 of the top 30 IP sources were in the CBL this time around; three were on the SBL and 12 are currently listed in bl.spamcop.net.

Other stats:

what           this week (distinct IPs)   last week (distinct IPs)
Bad HELOs          180  (41)                  880  (97)
Bad bounces         37  (31)                  308  (83)

These numbers have cratered since last week; they may be our lowest ever. A quarter of the bad HELO names came from a single IP address, 212.238.248.243.

SpamSummary-2006-01-21 written at 02:50:08

2006-01-16

Some words of wisdom for all ISPs

Vernon Schryver, in news.admin.net-abuse.email:

Spam complaints must be viewed like complaints from your neighbors that your children or other pets have again wrecked gardens. Spam complaints are evidence of failures, and should be exceptions instead of part of the main anti-spam machinery.

(From Message-ID <95cqle$80v$1@calcite.rhyolite.com>.)

WordsForISPs written at 16:39:52

2006-01-15

Weekly spam summary on January 14th, 2006

This week we received 12,785 email messages from 208 different IP addresses. Our SMTP server handled 17,958 sessions from 984 different IP addresses. Session volume is dramatically down from the levels of last week.

Connection volume is also down: 122,600 connections from at least 44,760 different IP addresses. However, we hit a highwater mark of 50 connections being processed at once on Tuesday, so we have had some significant traffic bursts. Broken down by day:

Day          Connections   different IPs
Sunday            22,540          +8,110
Monday            17,460          +6,920
Tuesday           21,190          +7,770
Wednesday         15,490          +5,730
Thursday          17,130          +6,220
Friday            14,600          +5,230
Saturday          14,200          +4,770

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes [Why]
202.157.144.3         16976   1019K [rdns]
66.36.243.74           8108    486K [trap]
62.34.238.215          6576    342K [dyn]
205.178.145.65         5664    324K
212.216.176.0/24       5483    274K
196.21.136.1           4981    239K [rdns]
218.0.0.0/11           4606    263K
66.62.47.57            3834    230K [sbl]
213.29.7.173           3306    198K
202.172.226.15         3093    157K [rdns]

(Key: dyn for dynamic IP/dialup machines, rdns for having bad reverse DNS, sbl for being listed in the SBL, trap for hitting spamtrap addresses and then keeping trying to send us mail with the same MAIL FROM.)

These are down from last week overall, and there's no one blocked for being a source of bad HELO names, for the first time in a while.

  • 205.178.145.65 got blocked for reasons covered in HowNotToDoDNSVII.
  • 213.29.7.173 is a centrum.cz machine, and we don't talk to them due to previously being spammed by them.
  • 202.157.144.3 and 62.34.238.215 reappear from last week.
  • 66.62.47.57 reappears from earlier, still listed in SBL34212. Maybe they'll give up sometime, but I'm not going to count on it.

Connection time rejection stats:

  24153 total
  13837 dynamic IP
   6700 bad or no reverse DNS
   2421 class bl-cbl
    248 class bl-sbl
    189 class bl-sdul
    158 class bl-dsbl
    112 class bl-spews
     90 class bl-ordb
     44 class bl-njabl
      7 class bl-opm

Nothing particularly stands out, although 10 of the top 30 most connecting IPs were on the CBL this time around.

Other stats:

what           this week (distinct IPs)   last week (distinct IPs)
Bad HELOs          880  (97)                 8120  (406)
Bad bounces        308  (83)                 4349  (1629)

This week is clearly a quiet one for backscatter: these numbers are a major drop from last week; in fact, they're pretty close to the casual nuisance level.

Hotmail spam volume is up from last week:

  • one email accepted, probably spam.
  • 371 messages rejected because they came from non-Hotmail email addresses.
  • 87 messages sent to our spamtraps.
  • 12 messages refused because their sender addresses had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (two for being in the SBL, one for being in the CBL, and one for being in the XBL).

Hotmail continues to fail to control their major spam problem.

SpamSummary-2006-01-14 written at 01:49:04

2006-01-08

Weekly spam summary on January 7th, 2006

It's time for the first weekly spam summary of the new year, so let's see what sort of a start 2006 is off to.

This week we received 14,639 email messages from 198 different IP addresses. Our SMTP server handled 30,023 sessions from 3,122 different IP addresses. Message volume is up some since last week (not surprising with people coming back to work) and session volume is holding steady.

Connection volume is down from last week: 201,000 connections from at least 58,500 different IP addresses, although with a highwater of 20 connections being checked at once. By day we get:

Day          Connections   different IPs
Sunday            28,000          +8,400
Monday            32,000         +11,060
Tuesday           30,650         +10,530
Wednesday         29,480          +7,860
Thursday          35,980          +7,530
Friday            22,540          +6,990
Saturday          22,190          +6,130

I have no explanation for the day to day numbers, although we do have the traditional Thursday jump. It's weird to see the different IP address count spike so sharply without a connection spike to go with it.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
202.157.144.3         17983   1079K
168.215.140.35        12414    745K
68.124.27.170         10004    509K
213.4.149.69           9387    411K
63.167.16.2            8249    396K
62.34.238.215          6840    356K
67.187.49.104          6579    335K
66.59.250.33           6449    297K
218.102.53.0/24        5956    275K
207.202.183.104        5454    251K

  • only 213.4.149.69 reappears from before, still without a good IP to name mapping.
  • 202.157.144.3 is also without good IP to name mapping.
  • 168.215.140.35, 62.34.238.215, and 67.187.49.104 are all considered 'dialup' dynamic address machines.
  • 68.124.27.170 is a PacBell DSL machine that kept trying to send us mail from an address that had hit our spamtraps.
  • 63.167.16.2, 66.59.250.33, and 207.202.183.104 had unresolvable HELO names.

Connection time rejection stats:

  36555 total
  18969 dynamic IP
  10916 bad or no reverse DNS
   4114 class bl-cbl
    528 class bl-spews
    467 class bl-sbl
    310 class bl-dsbl
    272 class bl-sdul
     52 class bl-ordb
     30 class bl-njabl
     14 class bl-opm

Given the overall volume drop from last week, I think that these stats are not particularly surprising. There are no really aggressive single IP addresses, and the CBL doesn't stand out as much as it did last week; only 7 of the top 30 most connecting IP addresses are on it.

Other stats:

what           this week (distinct IPs)   last week (distinct IPs)
Bad HELOs         8120  (406)               12700  (578)
Bad bounces       4349  (1629)               4196  (1123)

It looks like we're still getting forged as the MAIL FROM origin by spammers.

The Hotmail spammers seem to have ended their holidays too, judging from the Hotmail stats for this week:

  • 2 emails accepted, one of which was a backscatter bounce.
  • 275 messages rejected because they came from non-Hotmail email addresses.
  • 62 messages sent to our spamtraps.
  • 4 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (four for being in the SBL, one for being in the CBL).

This is broadly consistent with the volume from the week before last. So much for any hope that Hotmail was doing something to deal with their spam problem over the Christmas to New Years break.

(In fact they were doing something last week: they were making it more difficult to report spam to Hotmail. Now you have to use report_spam@hotmail.com instead of abuse@hotmail.com if you want them to take any action, or so their autoreply now says.)

SpamSummary-2006-01-07 written at 02:24:09

Towards assessing SORBS' false positive rate

I was somewhat surprised to read in Chris Linfoot's blog that he uses SORBS, because I've always considered the top-level dnsbl.sorbs.net blocklist a little too aggressive. (Considering that I use SPEWS, this may be a little bit of throwing rocks in glass houses.)

(Update: Chris Linfoot does say that you need a good whitelist to use SORBS.)

Out of curiosity I decided to get a very broad sense of the potential 'false positive' rate for using dnsbl.sorbs.net as a whole by seeing how many IP addresses that had successfully delivered email to us over the past 28+ days were listed in SORBS.

Over this time period, 425 different IP addresses delivered one or more messages. 27 of them are listed in dnsbl.sorbs.net; since some spam mail gets through our blocks, these aren't necessarily all false positives. Let's take a look at who's included in the roughly 6% of successful mail deliveries that SORBS would have blocked:

  • smtp1.newsguy.com
  • mm-retail-out-1102.amazon.com
  • mx3.friendster.com
  • n10a.bullet.dcn.yahoo.com and several bullet.scd.yahoo.com hosts
  • wproxy.gmail.com
  • a number of Hotmail machines. Yes, they emit lots of spam, but we do get legitimate email from them.
  • smtpout0191.sc1.cp.net
  • two mail.united.com machines

The overall dnsbl.sorbs.net list is a conglomerate of a number of different sub-lists. On checking, all 27 IP addresses were from the 'Spam DB' list, assembled from things that have hit SORBS spamtraps. Most of them are not listed in any other DNS blocklist (some are in blacklist.spambag.org and/or block.blars.org, both of which are very aggressive, a few were in bl.spamcop.net, and one was also in dynamic.dnsbl.rangers.eu.org).

I'm not too surprised by this result, because I consider all automated 'hit a spamtrap and get listed' blocklists to be too dangerous (we don't even do this with our spamtraps locally; for most domains, they only cause email to get deferred).

(While we use bl.spamcop.net, we use it to delay email, not to reject it. The logic behind this is for another entry.)

Needless to say, this is a little too aggressive for us to use here. While we could exempt the important domains we've seen today, there's no certainty that some other important domain we get email from won't briefly have a spammer who hits a SORBS spamtrap and then blam. (Given some of the important local ISPs, I'm actually pretty sure that this will happen at some point.)
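The measurement above (take the IPs that successfully delivered mail, query each against dnsbl.sorbs.net, and see what fraction is listed and from which sub-list) as an added example, not the blog's own tooling. The return-code meanings, the stand-in resolver and the IP list are constructed assumptions; against real DNS, drop the fake resolver and keep the default.

```python
import ipaddress
import socket
from collections import Counter

# Which 127.0.0.x answer means which SORBS sub-list is an assumption of this
# example; verify it against the list's own documentation before relying on it.
SUBLIST_BY_CODE = {"127.0.0.6": "spam db", "127.0.0.10": "dynamic"}


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: the IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer if ip is listed in zone, or None if not.

    An NXDOMAIN answer (socket.gaierror) is the "not listed" signal.  Note that
    gethostbyname returns only one A record; zones that return several for a
    multiply-listed host need a fuller resolver to see every sub-list.
    """
    try:
        return resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None


def assess(delivering_ips, zone, resolve=socket.gethostbyname):
    """Estimate the list's false positive rate against hosts that delivered mail.

    Returns (fraction listed, {ip: sub-list}, Counter of sub-lists).  As the
    entry notes, some of the listed hosts may be real spam that got through,
    so this is an upper bound, not an exact false positive rate.
    """
    listed = {}
    for ip in delivering_ips:
        code = lookup(ip, zone, resolve)
        if code is not None:
            listed[ip] = SUBLIST_BY_CODE.get(code, "code " + code)
    rate = len(listed) / len(delivering_ips) if delivering_ips else 0.0
    return rate, listed, Counter(listed.values())


# Constructed stand-in for DNS so the example runs offline.
FAKE_ZONE_DATA = {
    "2.2.0.192.dnsbl.sorbs.net": "127.0.0.6",
    "3.2.0.192.dnsbl.sorbs.net": "127.0.0.10",
}


def fake_resolve(name):
    """Answer like a DNSBL zone would: an A record when listed, NXDOMAIN otherwise."""
    if name in FAKE_ZONE_DATA:
        return FAKE_ZONE_DATA[name]
    raise socket.gaierror("NXDOMAIN")


DELIVERED_FROM = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]  # constructed

if __name__ == "__main__":
    rate, listed, by_sublist = assess(DELIVERED_FROM, "dnsbl.sorbs.net", fake_resolve)
    print("%.0f%% of delivering hosts listed" % (rate * 100), listed, dict(by_sublist))
```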

ConsideringSorbs written at 01:43:19

2006-01-01

Weekly spam summary on December 31st, 2005

This week we received 12,270 email messages from 159 different IP addresses. Our SMTP server handled 31,972 sessions from 2,643 different IP addresses. Session volume is down from last week, which is a relief, although it's not back down to the historical levels yet.

However, connection volume has not dropped substantially from last week: 260,000 connections from at least 53,760 different IP addresses, with a highwater of 12 simultaneous connections being checked. Oddly, the number of different IPs has jumped substantially. Broken down by days:

Day          Connections   different IPs
Sunday            69,300          +7,220
Monday            34,460          +7,900
Tuesday           33,860          +7,880
Wednesday         28,000          +8,120
Thursday          34,460          +8,290
Friday            33,630          +8,310
Saturday          26,060          +6,040

The connections per day show the major spam overhang from last weekend, followed by a fairly constant rain of incoming connections over the rest of the week.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
131.96.2.25           19352    973K
62.94.0.30            18992    848K
68.79.138.146          7596    334K
63.149.9.38            6931    319K
213.4.129.129          6738    309K
193.74.71.23           6699    402K
69.18.40.198           6541    314K
155.91.6.71            5641    278K
205.169.191.25         5193    249K
66.193.219.10          5090    224K

The packet stats are up a fair bit from last week, with two runaway winners (although not quite at the level of last week's grand champion).

  • 131.96.2.25 got blocked for sending us too much spam backscatter, and apparently kept generating it quite actively.
  • 62.94.0.30 continues from last week, still using its bad HELO name.
  • 68.79.138.146, 69.18.40.198, 155.91.6.71, and 205.169.191.25 all spewed bad HELO names at us.
  • 63.149.9.38 and 66.193.219.10 are both considered 'dialup' machines.
  • 213.4.129.129 is terra.es's main outbound server and has been blocked here for ages for being an active spam source.
  • 193.74.71.23 sent mail to a spamtrap and then kept trying to send more email to us with the same MAIL FROM.

Connection time rejection stats:

  46350 total
  27594 dynamic IP
  12425 bad or no reverse DNS
   4438 class bl-cbl
    527 class bl-spews
    321 class bl-dsbl
    247 class bl-sdul
    191 class bl-sbl
     97 class bl-ordb
     16 class bl-opm
      7 class bl-njabl

The CBL and generic 'dynamic/dialup' hits are up compared to last week and dominate the rejection rate, which is a strong sign that many of the connection attempts are spam delivery attempts from compromised machines. A number of IPs made hundreds of attempts to connect to us (the most active was 200.140.20.17, with 424 attempts), and of the top 30 connecting IPs, 24 of them are on the CBL.

The other numbers aren't as bad as last week, but they're still not pleasant:

what           this week (distinct IPs)   last week (distinct IPs)
Bad HELOs        12700  (578)               36016  (888)
Bad bounces       4196  (1123)              15450  (3456)

I think that both dropping a lot shows that most of this week's load is direct spam, instead of backscatter from spammers forging our domains in their MAIL FROM.

And to round out the last entry of the (nominal) year, here are the less depressing than usual Hotmail numbers:

  • five email messages accepted, at least one of which seems to have been a spam backscatter bounce.
  • 100 messages rejected because they came from non-Hotmail email addresses.
  • 36 messages sent to our spamtraps.
  • 10 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one for being in the SBL and one from a telkom.co.za DSL line that's also on the CBL).

Apparently a number of Hotmail's spammers do take the holidays off.

Welcome to 2006. May it have less spam than 2005.

SpamSummary-2005-12-31 written at 01:52:20
