Wandering Thoughts archives

2006-02-28

A sad day for SGI: it's now a spammer

I once quite liked SGI and have been following its slow decline with a certain regret. But I did not expect to see this day come; SGI has become a spammer.

Not directly, of course. Large corporations (which SGI still is, sort of) don't spam people directly. Instead they hire specialized places to do this for them, like the well known (one could say 'infamous') Responsys Interact.

SGI might argue that we have previously been an SGI customer so they could spam us with marketing. Well, no, I'm afraid that this excuse no longer flies, especially since we haven't been an SGI customer since before the turn of the century.

And this is a lovely, glowing illustration of why email is now such a hassle. Because I clearly cannot trust a vendor with any long term email address; regardless of why I am getting in touch with them, I need to always, always use a special, just for them email address. And then cancel the address promptly.

Sidebar: the fine details

The marketing spam message had an envelope origin address of Newsletter@sgi.rsc01.com and came from the machine om-sgi.rgc3.net, at IP address 66.35.244.79, a /24 inside Savvis allocated to Responsys. I did not bother to read very much of it; my scanning tools tell me that it includes, among other things, the address unsubscribe@sgi.com.

(We don't do 'opt out' things like unsubscribing around here. We just block spam sources. It's both simpler and more reliable.)

In a surprise, it contained URLs pointing to the website images.gyrogroup.com (as well as Responsys's domains rsvp0.net, rsc01.net, and responsys.com, and SGI's own website). This belongs to 'Gyro International', which appears to be some kind of marketing firm. In a lovely irony, their website proudly proclaims (in all caps text that's in a graphic; how accessible):

Gyro integrated brand communications build long lasting profitable relationships between people and brands.

Well. Not exactly in this case. Although if you leave out the 'profitable' it's certainly true; I find spam quite memorable, and it certainly builds one sort of relationship.

SGISpam written at 17:42:46

2006-02-26

Weekly spam summary on February 25th, 2006

Here's how Hotmail stacks up this week:

  • 4 messages accepted; unfortunately, one of them was definitely spam and at least two more probably were.
  • 21 messages rejected because they came from non-Hotmail email addresses.
  • 49 messages sent to our spamtraps.
  • 4 messages refused because their sender addresses had already hit our spamtraps.
  • 6 messages refused due to their origin IP address, all for being in the SBL; four from SBL17935, one from SBL27471, and one from SBL33955.

Pretty much everything is down compared to last week. Amazingly, Hotmail may actually be dealing with their whole spam problem.

Next, the basic stats:

  • got 14,001 messages from 235 different IP addresses.
  • handled 19,476 sessions from 968 different IP addresses.
  • received 132,936 connections from at least 46,917 different IP addresses.
  • a highwater of only 6 connections being checked at once.

In short, things are down from last week. The per-day stats are basically flat at ~18,000 connections a day, but jump to ~22,000 on Sunday and Friday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
203.123.36.140         7213    433K
212.216.176.0/24       4791    242K
80.190.233.48          3743    225K
61.128.0.0/10          3206    166K
194.5.37.253           2994    170K
68.107.219.194         2181    105K
205.206.209.28         2174    100K
219.128.0.0/12         2015    103K
220.160.0.0/11         1916   98292
69.239.229.58          1654   84104

While the most active contestant is higher, overall I'd have to say that this is quieter than last week. All of the top individual IP addresses are new.

  • 203.123.36.140 and 80.190.233.48 don't have IP to name information.
  • 68.107.219.194 and 69.239.229.58 smelled like DSL or cablemodem dynamic IP addresses to us.
  • 194.5.37.253 tripped our spamtraps and then kept trying to send us tainted stuff, and is currently listed in bl.spamcop.net and in SORBS's spam zone for hitting their spamtraps.
  • 205.206.209.28 is, whoops, a telus.com mail server that HELO'd with a bogus name a lot. Apparently it's running Microsoft Exchange. We may have to exempt it from the bad HELO name checks.

Connection time rejection stats:

  28453 total
  13771 dynamic IP
  10160 bad or no reverse DNS
   3066 class bl-cbl
    325 class bl-ordb
    285 class bl-sbl
    222 class bl-spews
    120 class bl-sdul
    117 class bl-njabl
     86 class bl-dsbl
      4 class bl-opm

Bad reverse DNS is up this week compared to last week, but that's about it. For individual IPs, things are even more evenly distributed this week, with only one IP address being refused more than 100 times (202.175.50.201, 177 times). Eight of the top 30 most refused IPs are currently in the CBL and three are currently in bl.spamcop.net; repeating last week, none are in the SBL.

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs          1736 (123)                   6167 (364)
Bad bounces         249 (122)                   1994 (1031)

These numbers aren't yet down to the old low numbers, but at least they're dropping from last week's levels. There are no really 'outstanding' sources; only one IP address tried a bad HELO more than a hundred times, for example.

SpamSummary-2006-02-25 written at 03:27:09

2006-02-19

Irony in a Referer spammer

Irony is a Referer spammer spamming my entry on how affiliate marketing is undead for something that sure looks like an affiliate marketing scheme. More irony is that this is the first Referer spammer in a donkey's age; all the old ones seem to have given up months ago.

This just goes to show that I can find amusing things from reading my server logs.

An analysis of the spammer

The spammer came from 217.15.96.18, an unremarkable DataStream Malta IP address that appears to have been doing other Referer spam (based on a Google search). It was pushing the website for imcmake-money-fast-online.com, which is registered to a 'Karl Sultana' of Zebbug in Malta (who has very interesting results in a Google search I will let you do yourself).

His website is just a frame around a marketingtips.com URL that has an embedded number in it, a typical sign of an affiliate scheme in action; the number carries through several pages into what looks like 'order something' URLs. (I lack the interest to crawl extensively.)

Sultana's website is at 209.197.103.186, hosted by pair Networks.

marketingtips.com is registered to 'Internet Marketing Center' of 1123 Fir Ave, Blaine, WA, aka imcinternet.com, which hosts its websites out of 216.57.212.192/26 (under FiberCloud of Bellingham WA) and has other tendrils in 65.110.16.0/27 (under Data Fortress Group of Vancouver).

None of the websites et al are in any DNS blocklists I could spot.

IronicRefererSpammer written at 05:20:00

Weekly spam summary on February 18th, 2006

Now that I've automated almost all of the Hotmail spam report, of course it turns out we've had a quiet week, even more so than last week:

  • no messages accepted.
  • 22 messages rejected because they came from non-Hotmail email addresses.
  • 54 messages sent to our spamtraps.
  • 13 messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (one in the SBL, one in the CBL, one from Nigeria, one from Gilat-Satcom, and one from SAIX).

All of these are down from last week, although not always by huge amounts. Hopefully this will continue, although I note that for all the low numbers Hotmail is still batting 94 to nothing this week. And insisting that people jump through hoops to report Hotmail spam.

The basic stats:

  • got 13,656 messages from 222 different IP addresses.
  • handled 25,483 sessions from 2,261 different IP addresses.
  • received 156,390 connections from at least 50,712 different IP addresses.
  • a highwater of 27 connections being checked at once.

Everything is slightly down from last week except for the number of different IP addresses doing SMTP sessions. The per day table is slightly interesting this week:

Day          Connections   different IPs
Sunday            23,590          +7,935
Monday            22,349          +8,156
Tuesday           24,991          +7,396
Wednesday         26,030          +7,478
Thursday          22,129          +7,239
Friday            21,328          +7,187
Saturday          15,973          +5,321

Someday, someone is going to do a fascinating article on what days spammers prefer for their spam runs, and why. Have the spammers done 'market research' on what days get the best results, for example?

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
69.90.73.20            5785    347K
212.216.176.0/24       4821    237K
61.128.0.0/10          3479    181K
219.128.0.0/12         2635    138K
80.128.0.0/12          2409    139K
220.160.0.0/11         2234    114K
69.223.241.2           2178    111K
24.147.105.129         2097    101K
221.216.0.0/13         2073    105K
218.0.0.0/11           2004    102K

This is a slow week for individual IP addresses; only three made it into the top ten. 24.147.105.129 reappears from last October, because it is still listed in SPEWS. 69.90.73.20 and 69.223.241.2 both got blocked for lots of unresolvable HELOs.

The 80.128.0.0/12 area belongs to Deutsche Telekom and made the list last December; I've seen nothing since then that makes me reconsider our permanent blocks. All the other netblocks listed belong to various Chinese networks.

Connection time rejection stats:

  26730 total
  13007 dynamic IP
   8886 bad or no reverse DNS
   3056 class bl-cbl
    488 class bl-spews
    319 class bl-ordb
    232 class bl-dsbl
    125 class bl-sbl
     53 class bl-sdul
     48 class bl-njabl
      4 class bl-opm

Somewhat down from last week, and much more evenly distributed among different IP addresses; only 4 IP addresses were refused 100 times or more, and the winner (218.210.168.102, a Taiwanese IP address blocked for bad reverse DNS) only managed 135 times. Six of the 30 most refused IPs are in the CBL and five are currently in bl.spamcop.net; none are in the SBL this week.

Interestingly, exactly 100 refused IPs are in the SBL at the moment, in 62 different SBL listings. Here's the top hits:

# of different IPs  SBL listing  listed       who/what
8                   SBL22806     19-Feb-2006  de.clara.net advance fee fraud
7                   SBL37830     12-Feb-2006  Philippines based spammer hosting
7                   SBL35573     09-Dec-2005  CNCGROUP Beijing
5                   SBL37409     07-Feb-2006  Japanese spam source
4                   SBL35873     16-Dec-2005  mailyes.net, Korean spam source (under bora.net)
4                   SBL19307     28-Aug-2005  a /16 listing for a Chinese spam injection network
3                   SBL37888     14-Feb-2006  Korean spam sources (dacom.net)
3                   SBL37860     13-Feb-2006  'Clear Reach Networks' spam network (SAVVIS)
3                   SBL37388     28-Jan-2006  Ephedra spammers, 'Plumtree Solutions' (UUNet)

I find it heartening that none of these are ROKSO-listed spammers, and most of the listings are less than a month old (and that the oldest only dates to August 2005). Unfortunately, SpamHaus doesn't make their listings really easily queryable, so I can't report what the oldest SBL listing to hit us this week is.

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs          6167 (364)                   8423 (248)
Bad bounces        1994 (1031)                   815 (558)

Spammers are clearly still forging us and there are a lot of quite active mail servers with unresolvable HELO names, although only nine tried 100 times or more. The standout winner for 'most backscatter' goes to 66.83.181.196 (349 hits), followed by 69.37.62.196 (199 hits) and 67.107.40.2 (111 hits). Backscatter is one of those things that makes me grind my teeth, given that we're forged so often by spammers.

SpamSummary-2006-02-18 written at 02:07:02

2006-02-12

Weekly spam summary on February 11th, 2006

Hotmail has been startlingly quiet this week. The numbers:

  • One message accepted.
  • 24 messages rejected because they came from non-Hotmail email addresses.
  • 68 messages sent to our spamtraps.
  • 23 messages refused because their sender addresses had already hit our spamtraps.
  • 10 messages refused due to their origin IP address (two in the SBL, one in the CBL, and then the rest from an assortment of places we pretty much don't talk to any more).

Hotmail may actually be dealing with its spam problems. Or this week might be an anomaly; I expect I'll be dubious about Hotmail for quite a while.

The basic stats:

  • got 14,062 messages from 224 different IP addresses.
  • handled 27,174 sessions from 1,771 different IP addresses.
  • received 161,000 connections from at least 53,153 different IP addresses.
  • a highwater of 16 connections being checked at once.

The session and connection volume is up from last week. Connection volume fluctuates significantly during the week:

Day          Connections   different IPs
Sunday            18,588          +8,532
Monday            22,867          +9,203
Tuesday           21,045          +7,389
Wednesday         23,197          +6,951
Thursday          35,896          +7,632
Friday            23,177          +7,674
Saturday          16,074          +5,772

(Unfortunately, Thursday's numbers may be because of something I did that day. It seems I really should automate more things.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
212.216.176.0/24       5455    276K
61.128.0.0/10          5218    272K
220.160.0.0/11         2820    142K
209.11.168.39          2692    133K
69.105.51.114          2561    120K
218.0.0.0/11           2396    121K
219.128.0.0/12         2133    109K
221.216.0.0/13         2000    100K
69.212.116.115         1948   91074
24.248.0.70            1906   89108

This week is even quieter than last week, plus has a lot more Chinese netblocks making the list (although tin.it earned top place). Of the rest:

  • 209.11.168.39 and 69.105.51.114 reappear from last week.
  • 69.212.116.115 kept trying to feed us an unresolvable HELO name.
  • 24.248.0.70 is a cox.net cablemodem customer with a 'dialup' reverse DNS.

Connection time rejection stats:

  31235 total
  15286 dynamic IP
  10452 bad or no reverse DNS
   3413 class bl-cbl
    403 class bl-sbl
    335 class bl-dsbl
    331 class bl-spews
    114 class bl-sdul
     51 class bl-ordb
     37 class bl-njabl
     11 class bl-opm

This was a big week for hammering on the frontend; 22 IP addresses were refused 100 times or more, with the winner being 202.57.119.43 at 364 connections refused for having no reverse DNS. This week marks a record, with none of the top 30 refused IPs being in the CBL; three are in the SBL (209.9.147.162 and 209.9.147.173 in SBL37385, and 203.177.14.234 in SBL34872).

In other trivia, 65.109.239.171 aka tucksprofessionalservices.com is still trying to spam us. Better luck next incarnation; you've blown this one.

Other stats:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs          8422 (248)                    357 (36)
Bad bounces         814 (557)                     87 (55)

Oh look; massively up compared to the past couple of weeks. I guess spammers are forging us as the MAIL FROM again. 34 different IP addresses tried bad HELOs a hundred times or more; the really big ones are 69.105.51.114 (367 times), 63.105.86.51 (269 times), and 67.77.182.186 (237 times).

SpamSummary-2006-02-11 written at 01:33:18

2006-02-05

Weekly spam summary on February 4th, 2006

Hotmail seems to be shuffling its numbers around significantly this week, to my surprise. I'm not sure the result is really better, but it's certainly different:

  • 4 email messages accepted from Hotmail, although 3 of them look a lot like typical advance fee fraud spam Hotmail addresses.
  • only 79 messages rejected because they came from non-Hotmail email addresses.
  • 138 messages sent to our spamtraps.
  • 27 messages refused because their sender addresses had already hit our spamtraps.
  • 20 messages refused due to their origin IP address (9 for being in the SBL, then a wide assortment I'm too lazy to break down in detail).

Everything is up except the non-Hotmail email address rejections, which have cratered. Maybe spammers have decided to give up on them and restrict themselves to strictly Hotmail addresses? Who knows.

The basic stats:

  • got 14,233 email messages from 230 different IP addresses.
  • handled 17,694 SMTP sessions from 941 different IP addresses.
  • received 130,000 connections from at least 52,159 different IP addresses.
  • only a highwater of 7 pending connections being processed at once.

All of this is just about the same as last week. The per-day table has no interesting fluctuations, so I'm skipping it.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
65.109.239.171         6062    364K
212.216.176.0/24       5540    273K
69.105.51.114          4317    202K
209.9.147.162          3939    236K
218.0.0.0/11           3637    180K
61.128.0.0/10          3598    187K
213.29.7.134           3491    209K
62.69.162.133          2913    163K
209.11.168.39          2582    127K
213.29.7.174           2414    145K

Overall, I'd say the kernel level blocks were a little quieter than last week.

  • 65.109.239.171 and 213.29.7.174 reappear from last week
  • 69.105.51.114 reappears from December 2005, still with an unresolvable HELO name.
  • 209.9.147.162 is in SBL37385.
  • 209.11.168.39 used an unresolvable HELO name.
  • 213.29.7.134 is yet another centrum.cz machine.
  • 62.69.162.133 repeatedly tried to send more mail from something that had tripped our spamtraps.

Connection time rejection stats:

  26458 total
  13291 dynamic IP
   8813 bad or no reverse DNS
   3267 class bl-cbl
    308 class bl-sbl
    133 class bl-dsbl
     70 class bl-njabl
     67 class bl-sdul
     66 class bl-spews
     35 class bl-ordb
      5 class bl-opm

Only one machine really hammered on the frontend this week; 209.9.147.173 made 202 connection attempts before we blocked it harder for being in SBL37385. 17 of the top 30 rejected source IPs are in the CBL this week, three in the SBL (209.9.147.173, plus 222.253.123.194 in SBL36455 and 222.65.153.197 in SBL19307), and 6 are currently in bl.spamcop.net.
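The "connection time rejection stats" breakdowns above (dynamic IP, bad or no reverse DNS, then the DNSBL classes) are the output of a connection-time classifier. The following is an added example of such a classifier, not the site's own code; the DNSBL zone names, the check order and the dynamic-IP name patterns are my assumptions, and the resolver is injected so that it runs offline against constructed DNS data.

```python
"""Connection-time rejection classifier modelled on the classes in these weekly
summaries (dynamic IP, bad or no reverse DNS, then the DNSBL 'class bl-xxx'
buckets).  Added example, not the site's code; the resolver is injected so it
runs offline against constructed DNS data."""
import re
from collections import Counter

# Assumed zones for the classes named on the page; the check order below is
# an assumption too, since the site's real order is not described.
DNSBL_ZONES = [("bl-cbl", "cbl.abuseat.org"), ("bl-sbl", "sbl.spamhaus.org")]
# Reverse-DNS name patterns that smell like dialup/DSL/cable dynamic IPs.
DYNAMIC_RE = re.compile(r"dial-?up|dyn(amic)?|cable|dsl|ppp|pool", re.I)

def reversed_octets(ip, zone):
    """1.2.3.4 + zone -> 4.3.2.1.<zone>; serves PTR and DNSBL lookups alike."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(ip, resolve):
    """Return the rejection class for a connecting IP, or None to let it in.
    resolve(name, rrtype) returns a list of answers or None (NXDOMAIN)."""
    ptrs = resolve(reversed_octets(ip, "in-addr.arpa"), "PTR")
    if not ptrs:
        return "bad or no reverse DNS"
    name = ptrs[0]
    if DYNAMIC_RE.search(name):
        return "dynamic IP"
    if ip not in (resolve(name, "A") or []):  # PTR must forward-confirm
        return "bad or no reverse DNS"
    for label, zone in DNSBL_ZONES:
        if resolve(reversed_octets(ip, zone), "A"):  # any A answer = listed
            return "class " + label
    return None

def rejection_stats(ips, resolve):
    """Tally classes the way the 'connection time rejection stats' tables do."""
    counts = Counter(c for c in (classify(ip, resolve) for ip in ips) if c)
    counts["total"] = sum(counts.values())
    return counts

# Constructed DNS data (TEST-NET-1 addresses, invented names), not real hosts.
FAKE_DNS = {
    ("1.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["192.0.2.1"],
    ("2.2.0.192.in-addr.arpa", "PTR"): ["dialup-2.example.net"],
    ("3.2.0.192.in-addr.arpa", "PTR"): ["host3.example.org"],
    ("host3.example.org", "A"): ["198.51.100.9"],  # does not forward-confirm
    ("5.2.0.192.in-addr.arpa", "PTR"): ["relay5.example.com"],
    ("relay5.example.com", "A"): ["192.0.2.5"],
    ("5.2.0.192.cbl.abuseat.org", "A"): ["127.0.0.2"],
}

def fake_resolve(name, rrtype):
    return FAKE_DNS.get((name, rrtype))
```

Swapping `fake_resolve` for a real DNS lookup gives a live classifier; the forward-confirmation step is what turns a merely odd PTR name into a "bad reverse DNS" rejection.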

Other stats:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs           357 (36)                      458 (37)
Bad bounces          87 (55)                      100 (68)

There's no really big single source of bad HELOs, unlike last week; 69.105.51.114, at 74 before it went into the kernel blocks, is the highest. At least the numbers are relatively low.
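The "Bad HELOs / Bad bounces" tables in these summaries, with their hit counts, distinct-IP counts and standout sources, come from tallying rejection log lines. This is an added example of that tally, not the site's own tooling; the log line format is constructed for the example, and the exemption set (for a legitimate server that HELOs badly, like the Exchange machine in the February 25th summary) is a placeholder.

```python
"""Weekly 'bad HELO' / 'bad bounce' tally of the kind in the summary tables,
with an exemption list for a known server that HELOs badly.  Added example,
not the site's own tooling; the log line format is constructed here."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (format invented here; TEST-NET addresses).
SAMPLE_LOG = """\
2006-02-11 00:01:02 reject ip=198.51.100.7 reason=bad-helo helo=localhost
2006-02-11 00:01:09 reject ip=198.51.100.7 reason=bad-helo helo=localhost
2006-02-11 00:02:15 reject ip=198.51.100.8 reason=bad-helo helo=friend
2006-02-11 00:03:40 reject ip=203.0.113.9 reason=bad-bounce from=<>
2006-02-11 00:04:01 reject ip=203.0.113.10 reason=bad-bounce from=<>
2006-02-11 00:04:30 reject ip=203.0.113.9 reason=bad-bounce from=<>
2006-02-11 00:05:00 accept ip=198.51.100.20 helo=mail.example.net
"""
LINE_RE = re.compile(r"^\S+ \S+ reject ip=(?P<ip>\S+) reason=(?P<reason>\S+)")
# Constructed placeholder: IPs whose bogus HELO is tolerated rather than counted.
HELO_EXEMPT = {"198.51.100.8"}

def tally(log_text, helo_exempt=HELO_EXEMPT, standout=100):
    """Return {reason: (hits, distinct IPs, sorted IPs with >= standout hits)}."""
    per_reason = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted sessions and anything else are not tallied
        ip, reason = m.group("ip"), m.group("reason")
        if reason == "bad-helo" and ip in helo_exempt:
            continue
        per_reason[reason][ip] += 1
    return {reason: (sum(ips.values()), len(ips),
                     sorted(ip for ip, n in ips.items() if n >= standout))
            for reason, ips in per_reason.items()}

def format_table(this_week, last_week):
    """Render the 'what / # this week (distinct IPs) / # last week' table."""
    lines = ["what         # this week (distinct IPs)  # last week (distinct IPs)"]
    for reason, label in (("bad-helo", "Bad HELOs"), ("bad-bounce", "Bad bounces")):
        tw = this_week.get(reason, (0, 0, []))
        lw = last_week.get(reason, (0, 0, []))
        lines.append(f"{label:<12} {tw[0]:>8} ({tw[1]})  {lw[0]:>18} ({lw[1]})")
    return "\n".join(lines)
```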

SpamSummary-2006-02-04 written at 01:12:58

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.