2006-03-28
Hotmail spam stats revised
It turns out I made a mistake in my Hotmail stats for this week that missed some Hotmail rejections that were for @sympatico.ca addresses. There were actually 11 messages refused due to their IP origin, from six different IP addresses:
| Count | IP | In | (Size) | Listed since | Owned by |
| 4 | 62.166.232.22 | SBL15419 | | March 6th | Versatel (Netherlands) |
| 3 | 81.199.172.231 | SBL31484 | (/23) | January 21st | Gilat Satcom (Israel) |
| 1 | 62.59.36.122 | SBL34115 | (/22) | February 10th | Versatel (Netherlands) |
| 1 | 62.59.40.138 | SBL33051 | | October 4th, 2005 | Versatel (Netherlands) |
| 1 | 192.116.119.195 | The CBL | | | Gilat Satcom (Israel) |
| 1 | 194.151.147.178 | SBL35447 | (/29) | December 2nd, 2005 | KPN Internet / 'Comminication Center Osdorp' (Netherlands) |
As you might expect from the name, Gilat Satcom's customers are actually located all over; they appear to resell satellite Internet access widely, especially across Africa, and as a result are the source of a lot of advance fee fraud. Unfortunately they don't show any sub-delegations.
'Comminication Center Osdorp' [sic] is a /29 subnet under KPN Internet (and thus completely listed by the SBL). According to the RIPE WHOIS information, its admin and technical contacts are a Hotmail address (which at least still exists). The whole thing doesn't exactly inspire confidence that they're going to deal with the problems any time soon; at the worst, they may be part of the problem.
Other interesting things:
- five of the six IP addresses (everything except 81.199.172.231) are also in bl.spamcop.net.
- the three Versatel IP addresses are also in SPEWS. 62.166.232.22 is additionally in the AHBL (since April 8th 2004), the NJABL (since November 2002, listed for advance fee fraud), and SORBS's 'spam' subzone (since April 26th 2004).
- 81.199.172.231 is in SORBS's spam subzone (since October 16th 2005).
SBL34115 has nasty things to say about Versatel's continued tolerance of advance fee fraud spammers. I'm actually surprised that so many of our problems come from Versatel; it had not previously made my list of places to watch out for. Live and learn, apparently.
2006-03-26
Weekly spam summary on March 25th, 2006
The basic volume numbers for this week are that we:
- got 19,744 messages from 236 different IP addresses.
- handled 19,083 sessions from 955 different IP addresses.
- received 139,156 connections from at least 43,459 different IP addresses.
- hit a highwater of 31 connections being checked at once.
We got more emails this week than usual mostly because of a small mail loop explosion during the week that added several thousand extra to the usual tally. The connection count is down significantly from last week, but the other numbers are up somewhat. The per-day stats:
| Day | Connections | different IPs |
| Sunday | 18,441 | +7,756 |
| Monday | 19,816 | +6,230 |
| Tuesday | 19,491 | +6,967 |
| Wednesday | 16,904 | +5,805 |
| Thursday | 18,857 | +6,084 |
| Friday | 22,209 | +6,490 |
| Saturday | 23,438 | +4,127 |
I suspect that a spammer has started up a significant spam run on Friday, partly from other evidence (like spam that has gotten through to me).
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| 212.216.176.0/24 | 5646 | 283K |
| 193.70.192.0/24 | 5094 | 230K |
| 69.105.51.114 | 4623 | 216K |
| 61.128.0.0/10 | 2728 | 137K |
| 82.107.127.75 | 2111 | 116K |
| 221.216.0.0/13 | 2090 | 99940 |
| 218.0.0.0/11 | 1991 | 101K |
| 209.11.164.45 | 1764 | 86992 |
| 220.160.0.0/11 | 1599 | 81308 |
| 83.19.244.178 | 1580 | 94800 |
This is down overall from last week, mirroring the connection numbers. The top two /24 subnets are tin.it's and libero.it's (aka iol.it these days, apparently) outgoing mailer subnets; of the rest:
- 69.105.51.114 keeps turning up like a bad penny, most recently the week before last. Despite that, I'm honestly not sure what we blocked it for this week. (For what it's worth, it's in bl.spamcop.net right now.)
- 82.107.127.75 returns from last week.
- 209.11.164.45 is part of Digital Impact, which we haven't talked to for years.
- 83.19.244.178 seems to be a tpnet.pl 'dialup' customer machine; pass.
Connection time rejection stats:
28919 total
15451 dynamic IP
8976 bad or no reverse DNS
2973 class bl-cbl
254 class bl-dsbl
213 class bl-ordb
142 class bl-sdul
134 class bl-spews
125 fairgamemail.us 209.124.72.0/24
116 SKYLIST INC 69.56.0.0/18
66 class bl-sbl
38 class bl-njabl
18 class bl-opm
Good old Skylist, still banging on the door despite not having had any success for weeks. I blocked the fairgamemail.us people by hand a while back, but they're also in the SBL as SBL39311; see also the fairgamemail.us ROKSO index and the fairgamemail.us ROKSO listing.
This was a slow week for the top 30 most refused IP addresses, with only two over 100 rejections (59.113.140.84, at 106, and 218.210.168.102 at 104). Ten of the top 30 are currently in the CBL, three are currently in bl.spamcop.net, and two are in the SBL:
- 69.56.11.149 is 'SilverCarrot' aka 'Recipe4Living' aka 'milesource-mail.com', listed in both SBL36447 and SBL39201. They're part of the SKYLIST 69.56.0.0/18 subnet that we already block, but now they have their own entry.
- 219.238.168.124 is a random Chinese spam source (with no reverse DNS, why am I not surprised?) that is SBL39201.
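The connection-time checks behind the rejection stats above, as an added example rather than the author's own filter code: it builds the reversed-octet DNSBL query name, treats an answer inside 127.0.0.0/8 as a listing, and labels each connection with the first matching reason in the order the stats list them. The CBL and SBL zone names, the dynamic-name heuristic, and the sample connections and DNS answers are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Explicit block from the rejection stats above, labelled the way the stats print it.
EXPLICIT_BLOCKS = {"SKYLIST INC 69.56.0.0/18": ipaddress.ip_network("69.56.0.0/18")}
# DNSBL zone -> class label, checked in this order. dnsbl.njabl.org is named on the
# page; the CBL and SBL zone names are assumptions about the lists it refers to.
DNSBL_ZONES = [("cbl.abuseat.org", "class bl-cbl"), ("sbl.spamhaus.org", "class bl-sbl"),
               ("dnsbl.njabl.org", "class bl-njabl")]
# Assumed heuristic: generic reverse-DNS names that look like dynamic or dialup pools.
DYNAMIC_RE = re.compile(r"dial-?up|dyn|ppp|pool|dhcp", re.I)

def dnsbl_query_name(ip, zone):
    """A DNSBL lookup name is the IPv4 octets reversed, under the list's zone."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone

def is_listed(answer):
    """Any A record inside 127.0.0.0/8 means 'listed'; NXDOMAIN (None) means not."""
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")

def reject_reason(ip, rdns, lookup):
    """Label for rejecting this connection, or None to accept it. lookup(name) returns
    the DNSBL answer or None. Checks run in the stats' order; 'bad' (unconfirmed)
    reverse DNS is not modelled here, only missing reverse DNS."""
    if rdns and DYNAMIC_RE.search(rdns):
        return "dynamic IP"
    if not rdns:
        return "bad or no reverse DNS"
    for zone, label in DNSBL_ZONES:
        if is_listed(lookup(dnsbl_query_name(ip, zone))):
            return label
    for label, net in EXPLICIT_BLOCKS.items():
        if ipaddress.ip_address(ip) in net:
            return label
    return None

def tally(connections, lookup):
    """'Connection time rejection stats' style counts from (ip, rdns) pairs."""
    counts = Counter()
    for ip, rdns in connections:
        reason = reject_reason(ip, rdns, lookup)
        if reason:
            counts["total"] += 1
            counts[reason] += 1
    return counts

# Constructed stand-in for DNS so the example runs offline: query name -> answer.
FAKE_DNS = {dnsbl_query_name("88.225.43.100", "cbl.abuseat.org"): "127.0.0.2",
            dnsbl_query_name("81.169.150.103", "sbl.spamhaus.org"): "127.0.0.2"}
# Constructed sample connections (reverse-DNS names are made up).
SAMPLE = [("88.225.43.100", "static.example.tr"), ("81.169.150.103", "mail.example.de"),
          ("219.238.168.124", None), ("69.56.11.149", "mta.example.com"),
          ("10.1.2.3", "dialup-3.pool.example.net"), ("192.0.2.10", "mx.example.org")]
```

Calling `tally(SAMPLE, FAKE_DNS.get)` gives five rejections out of six connections, one per reason, with the clean 192.0.2.10 host accepted.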
Other numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 714 | 68 | 782 | 85 |
| Bad bounces | 108 | 85 | 118 | 101 |
As you can see, this hardly budged from last week.
And finally the Hotmail numbers:
- 5 messages accepted but unfortunately four of these were almost certainly spam, since they came from users like wins_lot06@sympatico.ca.
- 4 messages rejected because they came from non-Hotmail email addresses.
- 35 messages sent to our spamtraps.
- 19 messages refused because their sender addresses had already hit our spamtraps.
- No messages refused due to their origin IP address.
I am not enthused that Hotmail seems to be having a serious spam problem with sympatico.ca email addresses. Hopefully this is temporary. (Yes, I am an optimist.)
Update: I made a mistake when putting the numbers together; it turns out there were actually 11 messages refused due to their origin IP address. See HotmailStatsRevised for more details.
2006-03-19
Weekly spam summary on March 18th, 2006
The basic volume numbers are that this week, we:
- got 13,909 messages from 248 different IP addresses.
- handled 18,580 sessions from 927 different IP addresses.
- received 195,437 connections from at least 36,864 different IP addresses.
- hit a highwater of 16 connections being checked at once.
These are mostly down from last week, although not as much as I would like to see. Again, the per day table is interesting:
| Day | Connections | different IPs |
| Sunday | 15,795 | +5,407 |
| Monday | 93,939 | +6,200 |
| Tuesday | 17,929 | +5,280 |
| Wednesday | 14,369 | +3,596 |
| Thursday | 15,219 | +3,898 |
| Friday | 21,460 | +6,363 |
| Saturday | 16,726 | +6,120 |
Clearly some people really lit us up on Monday (probably a few very aggressive sources, since the number of different IPs only jumped by a bit over the usual).
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| 66.235.205.240 | 10562 | 513K |
| 82.107.127.75 | 6375 | 366K |
| 212.216.176.0/24 | 4705 | 239K |
| 204.202.11.132 | 4200 | 207K |
| 219.238.168.124 | 4020 | 193K |
| 61.128.0.0/10 | 2434 | 124K |
| 63.215.91.194 | 2102 | 125K |
| 210.213.126.197 | 1930 | 92640 |
| 209.163.128.138 | 1876 | 87543 |
| 80.190.233.48 | 1723 | 103K |
This week is an active one for individual IPs, going back to the days when they dominated the top ten.
- 66.235.205.240 aka the spammer 'save-mihaita.org' reappears from last week. Maybe they've finally given up and gone away.
- also reappears from last week.
- also reappearing from before are 82.107.127.75 (from last week), 80.190.233.48 (from last December), and 80.190.233.48 (from the week before last).
- 204.202.11.132 is another 'support@apaypal.com' spam emitter, and got blocked for that.
- 63.215.91.194 is SPEWS-listed, and on bl.spamcop.net so I suspect we're not missing much. (Some Googling suggests that it's spewing advance fee fraud spam at a decent clip.)
- 210.213.126.197 is a Philippines IP address without good reverse DNS.
- 209.163.128.138 smells too much like a twtelecom.net 'dialup' dynamic IP address to us. Unfortunately I suspect that 'gen.twtelecom.net' is used by both dynamic-IP customers and static IP businesses, so we may have to stop blocking it someday.
(I hate ISPs who mix-master dynamic customers with static customers. I also hate ISPs that use generic reverse DNS even for static business IP addresses.)
Connection time rejection stats:
24495 total
12785 dynamic IP
7698 bad or no reverse DNS
2519 class bl-cbl
323 class bl-ordb
174 SKYLIST INC 69.56.0.0/18
161 class bl-dsbl
129 class bl-spews
127 dartmail.net
102 class bl-sbl
68 class bl-sdul
63 class bl-njabl
23 class bl-opm
I talked about Skylist last week; some Googling (especially in Google Groups) will likely show why we block dartmail.net. This week there were three IP addresses that were refused 100 times or more; 201.37.172.229 (155 times) and 67.153.94.227 and 201.124.113.154 (121 times each). Seven of the top 30 most refused IP addresses are currently in the CBL, four are currently in bl.spamcop.net, and none are in the SBL.
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 782 | 85 | 1121 | 68 |
| Bad bounces | 118 | 101 | 111 | 88 |
And finally the Hotmail numbers, because they continue to be pretty good:
- 2 messages accepted; they might even be legitimate ones this time around.
- 1 message rejected because it came from a non-Hotmail email address.
- 27 messages sent to our spamtraps.
- 10 messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (two for being in the CBL and one from Benin).
I'm not completely happy with all these and I'm wary about Hotmail backsliding (again), but I do now have a certain amount of measured hope. Hotmail may actually be taking spam seriously this time around (for however long it lasts before the next change in management priorities).
2006-03-12
Weekly spam summary on March 11th, 2006
Hotmail had an amazingly good week this time around:
- 5 messages accepted.
- 2 messages rejected because they came from non-Hotmail email addresses.
- no messages sent to our spamtraps.
- 6 messages refused because their sender addresses had already hit our spamtraps.
- only 1 message refused due to the origin IP address being in the CBL (and now in the SBL, as SBL34115).
Muting the happiness is the fact that the one CBL-rejected message was from a sympatico.ca address, and several of the emails accepted from Hotmail were from suspicious sympatico.ca usernames like 'delottonederlands' and 'winning_notificationmail2000'. Hotmail is evidently not quite there just yet, although at this rate I'm going to stop leading the reports with them.
The basic volume numbers:
- got 13,413 messages from 221 different IP addresses.
- handled 18,299 sessions from 846 different IP addresses.
- received 205,332 connections from at least 40,047 different IP addresses.
- a highwater of 19 connections being checked at once.
The number of connections is up drastically from last week, but everything else is more or less holding steady. The per day numbers are interesting:
| Day | Connections | different IPs |
| Sunday | 18,451 | +6,591 |
| Monday | 21,571 | +6,572 |
| Tuesday | 16,567 | +5,197 |
| Wednesday | 74,330 | +6,007 |
| Thursday | 43,699 | +4,860 |
| Friday | 15,988 | +5,453 |
| Saturday | 14,726 | +5,367 |
Where last week had a dip on Wednesday, this week has a monstrous peak, tailing off into Thursday as well. The other days were pretty flat, so Wednesday and Thursday are pretty much where all of the extra connection volume came from; if not for them, we would have been down overall from last week.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| 66.235.205.240 | 8268 | 408K |
| 222.146.2.198 | 6759 | 333K |
| 212.216.176.0/24 | 5135 | 257K |
| 61.128.0.0/10 | 3254 | 167K |
| 88.225.43.100 | 3024 | 139K |
| 81.169.150.103 | 2501 | 150K |
| 220.160.0.0/11 | 2366 | 122K |
| 219.128.0.0/12 | 2113 | 108K |
| 218.0.0.0/11 | 1875 | 95448 |
| 82.107.127.75 | 1761 | 106K |
- 66.235.205.240 spammed us as 'save-mihaita.org' and was blocked. Evidently it continues to be very aggressive.
- 222.146.2.198, a Japanese IP address, was one of the probably compromised machines trying to send spam claiming to be from 'support@apaypal.com'. It's always nice to see phish spammers labeling their spam so clearly; it makes it much easier to block.
- 88.225.43.100 reappears from last week, now blocked for being without good reverse DNS; it's still on the CBL, though.
- 81.169.150.103 is SBL38774, a phish spam source.
- 82.107.127.75 is an interbusiness.it client machine, and we haven't talked to them for years. (Maybe someday interbusiness.it will clean up its spam problem and get people to believe it.)
Connection time rejection stats:
26321 total
12533 dynamic IP
9039 bad or no reverse DNS
2553 class bl-cbl
516 class bl-dsbl
488 class bl-ordb
322 SKYLIST INC 69.56.0.0/18
185 class bl-spews
151 class bl-sbl
117 class bl-sdul
40 class bl-njabl
39 class bl-opm
We have had 69.56.0.0/18 explicitly blocked for some time now; at the time when we did it, it was due to SBL9613. The SBL listing is now gone (although there is still a SPEWS listing for it), but as you can see our explicit block lit up significantly this week. The connections seem to have mostly come from machines in the recipes4eachday.com and recipe4living-mail.com domains, so I don't think we're missing much.
Despite the connection volume power-up only one IP address was refused more than 100 times (81.86.27.181, with 173 attempts). Ten of the top 30 most refused IPs are currently in the CBL, one is currently in the SBL, and 12 are currently in bl.spamcop.net. The one SBL listed IP is 81.169.150.103, refused an even 50 times before we blocked it.
And the final numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 1121 | 68 | 331 | 34 |
| Bad bounces | 111 | 88 | 119 | 45 |
The champion of bad HELOs this week is 63.105.86.51, at 270 before it went into the kernel-level blocks. Also on my mental hitlist are 209.113.245.138 (94), 199.106.238.47 (88), 69.105.51.114 (80), 72.11.65.10 (63), and 207.101.116.51 (53).
2006-03-05
Weekly spam summary on March 4th, 2006
It's time for another weekly spam summary. First, let's look at Hotmail, which turns out to be running roughly the same as last week:
- no messages accepted.
- 12 messages rejected because they came from non-Hotmail email addresses.
- 49 messages sent to our spamtraps.
- 2 messages refused because their sender addresses had already hit our spamtraps.
- 6 messages refused due to their origin IP address (two in the SBL, one in each of the XBL and the CBL, one from Nigeria, and one from SAIX).
Hotmail might get points, except for two things: first, the spamtrap hits still show that far too much spam is coming from Hotmail, and second Hotmail started letting their webmail spammers use 'user@sympatico.ca' addresses this week. I feel for the Sympatico users who are about to get their email dumped by all sorts of people as a result of this.
The basic volume numbers:
- got 13,466 messages from 215 different IP addresses.
- handled 17,446 sessions from 769 different IP addresses.
- received 122,475 connections from at least 43,529 different IP addresses.
- a highwater of 11 connections being checked at once.
All of this is slightly down from last week (except for the highwater, which means we had a larger burst of connections some time this week). The per day numbers are remarkably flat:
| Day | Connections | different IPs |
| Sunday | 16,862 | +7,000 |
| Monday | 18,662 | +6,770 |
| Tuesday | 18,571 | +6,273 |
| Wednesday | 15,914 | +5,448 |
| Thursday | 18,263 | +6,027 |
| Friday | 18,700 | +6,287 |
| Saturday | 15,503 | +5,724 |
I have no explanation for the dip on Wednesday.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| 200.46.208.94 | 7106 | 361K |
| 61.128.0.0/10 | 4000 | 211K |
| 212.216.176.0/24 | 3980 | 193K |
| 80.190.233.48 | 2914 | 175K |
| 88.225.43.100 | 2242 | 103K |
| 220.160.0.0/11 | 2123 | 109K |
| 205.206.209.28 | 2017 | 92872 |
| 219.128.0.0/12 | 1964 | 101K |
| 212.154.186.245 | 1961 | 94128 |
| 221.216.0.0/13 | 1908 | 97452 |
- 200.46.208.94 tripped our spamtrap detectors and then kept on mailing, I believe with phish email.
- 80.190.233.48 and 205.206.209.28 reappear from last week.
- 88.225.43.100 is a Turkish IP address that's on the CBL.
- 212.154.186.245 is a Kazakhstan IP address in dnsbl.njabl.org as an open relay.
Connection time rejection stats:
25306 total
12030 dynamic IP
9292 bad or no reverse DNS
2784 class bl-cbl
292 class bl-ordb
179 class bl-dsbl
121 class bl-spews
104 class bl-sbl
98 class bl-sdul
43 class bl-njabl
27 class bl-opm
Only one IP address, 221.139.219.164, was refused more than 100 times. Thirteen of the top 30 most refused IPs are currently in the CBL and eight are currently in bl.spamcop.net; none are in the SBL.
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 331 | 34 | 1736 | 123 |
| Bad bounces | 119 | 45 | 249 | 122 |
This is about back to the old low numbers at last. The leading contestant in the bad HELO numbers is 62.49.123.163 (claiming to be webserver.nss.local), with 141 rejections.