2006-04-30
Weekly spam summary on April 29th, 2006
This week's statistics are distorted by a Wednesday noon system reboot that had the effect of resetting some of them. Having said that, this week we:
- got 11,083 messages from 230 different IP addresses.
- handled 15,463 sessions from 840 different IP addresses.
- received 88,321 connections from at least 28,538 different IP addresses since Wednesday noon.
- hit a highwater of 38 connections being checked at once, since Wednesday noon.
To the extent that I can tell, this looks like it's somewhat down from last week. It looks like total connection volume would have been around 130,000 or so this week if the reboot hadn't happened. Obviously the per-day table is completely useless this week.
Kernel level packet filtering top ten, since Wednesday noon:
| Host/Mask | Packets | Bytes |
| 85.15.204.205 | 6999 | 420K |
| 142.150.228.9 | 5149 | 275K |
| 212.216.176.0/24 | 2601 | 130K |
| 202.43.219.0/24 | 1734 | 87880 |
| 71.101.115.35 | 1642 | 78816 |
| 212.71.30.86 | 1563 | 93780 |
| 221.216.0.0/13 | 1359 | 66340 |
| 193.113.160.15 | 1312 | 83968 |
| 61.128.0.0/10 | 1312 | 65480 |
| 141.168.4.98 | 1281 | 65164 |
This looks a lot like last week in terms of the numbers, which is probably bad because last week's numbers were atypically low.
- 85.15.204.205 used a bad HELO name a lot.
- 142.150.228.9 is a University of Toronto machine that has a bad HELO, which neatly points out a bug in my support scripts; I'm supposed to exclude all of our own machines from getting added to the kernel IP blocks.
- 71.101.115.35 is a Verizon DSL 'dialup' machine.
- 212.71.30.86 is in NJABL.
- 193.113.160.15 is a mail.o2.co.uk machine that keeps trying to send us advance fee fraud spam from their webmail system.
- 141.168.4.98 is a bigpond.net.au cablemodem.
Connection time rejection stats:
47114 total
23796 dynamic IP
18622 bad or no reverse DNS
3008 class bl-cbl
348 class bl-dsbl
165 class bl-ordb
165 class bl-njabl
124 class bl-sdul
40 class bl-sbl
35 class bl-spews
2 class bl-opm
These are full-week stats; we've popped back to regular levels after
the whole CBL-first exercise of last week. Some people from
65.109.239.0/24 showed up again this week; we blocked them because
of tucksprofessionalservices.com, which
I see is still there at 65.109.239.171. The two IP addresses that
poked us are 65.109.239.110 (in bl.spamcop.net right now) and
65.109.239.194 (which is listed in spam.dnsbl.sorbs.net for
sending mail to their spamtraps).
Hotmail mail volume is way down this week:
- no messages accepted.
- 1 message rejected because it came from a non-Hotmail email address (again a hotmail.fr address).
- 9 messages sent to our spamtraps.
- no messages refused because they'd already hit our spamtraps or because of their origin IP address.
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 346 | 40 | 953 | 44 |
| Bad bounces | 29 | 23 | 21 | 16 |
This is down in the noise, especially considering that the top three
sources of bad HELOs were 55% of the rejections all on their own.
2006-04-23
Some CBL stats for the week ending on April 22nd, 2006
As mentioned in this week's spam summary, this week I decided to change our SMTP frontend's configuration to get statistics on the CBL that were better than my previous quick SMTP connection stats. Now that this week's up, the results are in:
- the CBL rejected 41% of our incoming SMTP connections this week.
- 75% of the connections we rejected were rejected for being in the CBL.
- more tellingly, 85% of the IP addresses that we rejected at connection time were rejected for being in the CBL.
Looking at how often each CBL-listed IP address tried to connect to us:
| 1 try | 2 tries | 3 tries | 4 tries | 5-10 tries | 11-20 tries | more |
| 61.9% | 16.8% | 9.3% | 3.5% | 6.4% | 1.3% | 0.7% |
This is startlingly different than the quick stats from a couple of weeks ago, and I have no explanation why. It seems that at least this week, most of the zombie machines are not reused; they get one rejection and then that's it. It's possible that current ratware treats 5xx SMTP rejections differently than 4xx rejections; our rejections were all 5xx ones.
Looking only at the IP addresses that tried 11 times or more (494 out
of 24,256 total IP addresses), the average is 32 rejections per IP, but
the median is 15 rejections, the 75% level is 35 rejections, and the
90% level is 61 rejections. There's one IP with 490 rejections, five
with between 200 and 240, 19 with between 100 and 199, 86 with 50 to
99 rejections, and 81 with 20 to 49 rejections. If I knew more about
gnuplot, I would do up a nice accumulated density chart or the like.
I did up some rough 'distance' numbers, crudely measuring how far apart the earliest and the latest rejections were for IP addresses that tried more than once. It's a fairly wide distribution; some IP addresses made attempts throughout the entire week (and these were not prolific IP addresses). For example:
- 59.16.53.89 made 5 attempts between Apr 16 03:40:13 and Apr 23 02:06:56.
- 211.225.173.48 made 9 attempts between Apr 16 04:11:12 and Apr 23 02:10:23.
- 81.202.185.180 made 13 attempts between Apr 16 04:28:28 and Apr 23 02:09:50.
- 81.203.125.210 made 4 attempts between Apr 16 03:55:07 and Apr 23 02:40:46.
I'm wary of my statistical analysis, so I'll just quote one more figure: 41% of the IP addresses that tried more than once made a connection a day (or more) after their first one. (This may be understating the case, since I haven't filtered out IP addresses that first got rejected less than 24 hours ago.)
Tentative conclusion: zombie machines do get reused, but many of them get reused only slowly.
Finally, let's look at our CBL rejections broken down by their ASN. This is a reasonably good proxy for how much of a zombie source various ISPs and countries are for us.
| # of different IPs | ASN | (owner) |
| 1570 | AS4766 | Korea Telecom (Korea) |
| 1492 | AS4837 | China169 (China) |
| 1106 | AS4134 | Chinanet (China) |
| 900 | AS19262 | Verizon (US) |
| 519 | AS9318 | Hanaro (Korea) |
| 395 | AS12322 | Proxad (France) |
| 384 | AS3352 | Telefonica (Spain) |
| 357 | AS6478 | AT&T Worldnet (US) |
| 355 | AS20115 | Charter Communications (US) |
| 285 | AS5462 | Telewest Broadband (England) |
Many of the usual suspects from SpamByASN and XBLStats-2005-08-06 show up again, like bad pennies.
(There are probably additional interesting numbers to run that I just can't think of at the moment.)
Weekly spam summary on April 22nd, 2006
This week's statistics are atypical, because in pursuit of better CBL statistics I moved our CBL check before all of our other connection time checks (including our greylisting) and pretty much stopped adding IP addresses to our kernel filters during the week.
Bearing that in mind, this week we:
- got 12,845 messages from 226 different IP addresses.
- handled 17,723 sessions from 788 different IP addresses.
- received 141,631 connections from at least 38,000 or so different IP addresses.
- hit a highwater of 50 connections being checked at once, hit today (this Saturday).
This is all up from last week, but not too much. The per day table is more or less flat, with a peak of 28,000 connections this Monday.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| 66.116.103.133 | 8967 | 456K |
| 212.216.176.0/24 | 5903 | 294K |
| 202.43.219.0/24 | 5015 | 254K |
| 222.112.161.1 | 3436 | 165K |
| 210.109.97.184 | 3365 | 162K |
| 61.128.0.0/10 | 3293 | 165K |
| 218.0.0.0/11 | 2011 | 101K |
| 220.160.0.0/11 | 1861 | 93084 |
| 222.146.58.254 | 1801 | 88876 |
| 213.29.7.190 | 1722 | 103K |
Here we see the effects of pretty much not adding anything to the kernel filters all week. This leaves very few active individual IP addresses:
- 66.116.103.133 hit spamtraps (although not early enough to save some of our users) and then kept mailing and mailing.
- 222.112.161.1 and 210.109.97.184 are Korean IP addresses without working reverse DNS.
- 222.146.58.254 reappears from last week, still trying to send phish spam email.
- 213.29.7.190 is a centrum.cz mail machine.
Connection time rejection stats:
79352 total
58949 class bl-cbl
8680 dynamic IP
8007 bad or no reverse DNS
2071 class bl-ordb
466 class bl-njabl
429 class bl-dsbl
67 class bl-sdul
39 class bl-sbl
30 class bl-spews
8 class bl-opm
Yes, you read that right; 75% of our rejections were due to CBL listings. This isn't too surprising; the last time I looked at the stats (although over a shorter period) it was actually higher. The popularity of the ORDB is probably because of not putting heavy rejection sources into the kernel filters; just four IP addresses accounted for 80% of the ORDB rejections.
This week was obviously the week of really active connection time rejection sources, since practically none of them got put into the kernel filters. Here's a little table of the top ten:
| Count | IP | Why |
| 872 | 217.40.27.106 | dialup |
| 720 | 213.76.217.20 | dialup |
| 599 | 81.241.234.166 | baddns |
| 599 | 63.196.46.20 | bl-ordb |
| 570 | 210.109.97.184 | baddns |
| 501 | 83.111.79.10 | bl-ordb |
| 499 | 212.248.91.226 | bl-cbl |
| 366 | 72.11.98.58 | bl-ordb |
| 352 | 87.0.64.88 | bl-cbl |
| 352 | 211.156.161.173 | baddns |
(The fourth ORDB IP address is 146.145.107.123, with 189 rejections; it's down at #24 on the top 30 most rejected IP addresses.)
The Hotmail stats are up a bit this week:
- 3 messages accepted.
- 1 message rejected because it came from non-Hotmail email address (from hotmail.fr; possibly I should fix that).
- 7 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (two from SBL37487 (oh look, our old friends Gilat-Satcom), and one from Ghana).
The final set of numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 953 | 44 | 709 | 63 |
| Bad bounces | 21 | 16 | 70 | 53 |
Bad bounces have dropped like a stone, although I'm not going to hold
my breath hoping that they stay there. The count of bad HELOs is up a
bit, but that's not surprising because I didn't throw prolific sources
into the kernel level blocks this week like I usually do.
This week's really prolific bad HELOs: 217.13.30.114 (184 times),
63.138.75.163 (145 times), 213.123.26.96 (138 times), and 66.240.116.170
(96 times). By contrast, last week the most prolific source only had 67
rejections.
2006-04-16
Weekly spam summary on April 15th, 2006
This week, we:
- got 12,120 messages from 254 different IP addresses.
- handled 17,527 sessions from 926 different IP addresses.
- received 119,314 connections from at least 38,574 different IP addresses.
- hit a highwater of 17 connections being checked at once.
Volume is way down from last week; in fact it's back to the level I consider fairly quiet (although this volume still has a lot of spam in it). The per day table is not too interesting, except that it shows that last week's Saturday was clearly just the tail off of the huge Friday spike:
| Day | Connections | different IPs |
| Sunday | 17,719 | +7,170 |
| Monday | 23,928 | +6,979 |
| Tuesday | 17,543 | +5,988 |
| Wednesday | 15,999 | +4,026 |
| Thursday | 14,410 | +4,495 |
| Friday | 15,791 | +5,077 |
| Saturday | 13,924 | +4,839 |
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| 193.70.192.0/24 | 19724 | 889K |
| 204.2.106.228 | 5040 | 249K |
| 212.216.176.0/24 | 4805 | 241K |
| 61.128.0.0/10 | 4609 | 245K |
| 80.25.131.71 | 4159 | 235K |
| 222.146.58.254 | 3225 | 159K |
| 80.190.233.48 | 2801 | 168K |
| 68.167.80.52 | 2723 | 127K |
| 80.37.150.139 | 2395 | 144K |
| 218.0.0.0/11 | 2243 | 116K |
This is a lot like last week, with the exception that iol.it's and
libero.it's mail servers in 193.70.192.0/24 seem to be trying very
hard to win some sort of dubious prize. (Based on spam I got on other
machines this week, I suspect it's mostly libero.it.)
- 204.2.106.228 and 222.146.58.254 repeatedly tried to send us 'phish' spam.
- 80.25.131.71 reappears from last week. It's still a rima-tde.net dialup-oid machine with a far too generic DNS name. This week it got itself into the SBL for being a phish source, as SBL40228.
- 80.37.150.139 is another generic dialup-oid rima-tde.net machine.
- 80.190.233.48 hasn't improved their DNS from the last time we saw them.
- 68.167.80.52 is a 'dialup' covad.net machine, with a generic DNS name.
Connection time rejection stats:
29379 total
13606 dynamic IP
12012 bad or no reverse DNS
2556 class bl-cbl
144 class bl-dsbl
134 class bl-sdul
127 class bl-ordb
101 class bl-sbl
50 class bl-njabl
43 class bl-spews
8 class bl-opm
Finally Skylist Inc hosted people have gotten the hint and gone away, although they were pretty quiet last week too. I'm a bit surprised that the 'dynamic IP' category has dropped significantly, almost level with bad/missing reverse DNS.
Out of the top 30 most rejected IP addresses, only one tried it more
than 100 times: 83.9.215.189, an adsl.tpnet.pl machine, tried 141
times. Fifteen of the top 30 are currently in the CBL (including
83.9.215.189), eight are currently in bl.spamcop.net, and one is
in the SBL (our friend 80.25.131.71, in SBL40228).
The Hotmail numbers are even better than last week, and I've read reports in NANAE from other people that have been seeing the same thing. At this rate I may have to drop this report because it's too boring. This week:
- 14 messages accepted, from a wide variety of addresses this time around because we had a system event that led to quite a few students emailing us.
- 2 messages rejected because they came from non-Hotmail email addresses.
- no messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one in the CBL, one from Gilat Satcom).
Of course, Hotmail's problems are not over, seeing as how one of the rejected emails was from a user called 'masmegamilottery9'. Um, Hotmail, are you paying attention here?
And the final set of numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 709 | 63 | 872 | 79 |
| Bad bounces | 70 | 53 | 92 | 66 |
I could be optimistic about a slight drop, but why bother? I'd just have to be gloomy next week (or the week after, or whenever).
2006-04-09
Weekly spam summary on April 8th, 2006
This week, we:
- got 12,551 messages from 234 different IP addresses.
- handled 17,960 sessions from 979 different IP addresses.
- received 444,512 connections from at least 44,262 different IP addresses.
- hit a highwater of 50 connections being checked at once; 50 is the maximum number allowed.
Mail received and SMTP session volume is down a bit from last week, but connection volume has spiked to huge levels. The per day chart tells the story:
| Day | Connections | different IPs |
| Sunday | 20,811 | +8,243 |
| Monday | 21,976 | +7,866 |
| Tuesday | 29,198 | +7,812 |
| Wednesday | 25,040 | +5,678 |
| Thursday | 15,302 | +4,392 |
| Friday | 236,135 | +3,933 |
| Saturday | 96,050 | +6,338 |
All I can say is yow. On Friday we had more connections than we usually have all week, and it's still going on today. Interestingly, the simultaneous connections highwater was hit Saturday, not Friday. (I don't have any explanation for the dip on Thursday; as usual, I could do with a program guide to the spammer show.)
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| 212.216.176.0/24 | 7552 | 374K |
| 80.25.131.71 | 5182 | 293K |
| 61.128.0.0/10 | 4314 | 219K |
| 222.146.0.16 | 4261 | 210K |
| 219.128.0.0/12 | 3612 | 176K |
| 70.169.83.133 | 3013 | 145K |
| 61.12.9.179 | 2928 | 149K |
| 128.121.94.43 | 2638 | 130K |
| 212.159.54.204 | 2278 | 116K |
| 219.238.168.124 | 2271 | 109K |
Overall this is actually down from last week. The specific IPs:
- 80.25.131.71 is a rima-tde.net IP that we put into the 'dialup' class because its hostname looks too generic.
- 222.146.0.16 and 128.121.94.43 both dinged us with apparent phish spam and then kept going (and going and going) once we blocked them.
- 70.169.83.133 is a Cox cablemodem or something.
- 61.12.9.179 is an Indian IP address with no reverse DNS.
- 212.159.54.204 sent too many bad HELO names our way. (It's been a while since any bad HELO people were prolific enough to make the list.)
- 219.238.168.124 reappears from last week and many weeks before that. Perhaps someday datadragon.net (I think) will actually have working reverse DNS, and not be SBL39201, and thus the ability to talk to our SMTP server.
Connection time rejection stats:
33348 total
16907 dynamic IP
11962 bad or no reverse DNS
2989 class bl-cbl
349 class bl-ordb
164 class bl-dsbl
88 class bl-sdul
86 class bl-sbl
74 class bl-njabl
73 class bl-spews
39 SKYLIST INC 69.56.0.0/18
13 class bl-opm
Overall rejections are actually down from last week. I'm not sure what this means; zombies that retried a couple of times, but not enough to get past our greylisting into the actual rejections?
Out of the top 30 most rejected IP addresses, only three were
rejected 100 times or more: 24.13.143.139 (140 times), 86.101.112.157
(126 times), and 24.199.5.170 (123 times). Sixteen of the top 30
are currently in the CBL, four are currently in bl.spamcop.net,
and one, our friend 219.238.168.124, is in the SBL.
The Hotmail numbers:
- 14 messages accepted, again mostly from one real user.
- 4 messages rejected because they came from non-Hotmail email addresses.
- no messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (two in the CBL, one in SBL20693).
These are quite good numbers. Better yet, Hotmail seems to have stopped letting spammers use @sympatico.ca email addresses, which is good news for Sympatico customers.
And finally, one last set of stats:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 872 | 79 | 655 | 66 |
| Bad bounces | 91 | 66 | 98 | 81 |
We're basically in a holding pattern on these; I think it's hit the background noise level.
2006-04-08
Apple joins the webmail hall of shame
Selected headers of a just-received advance fee fraud:
Received: from smtpout.mac.com ([17.250.248.89])
    by <redacted> ...
Received: from mac.com (webmail11-en1 [10.13.10.117])
    by ...; Sat, 8 Apr 2006 03:01:49 -0700 (PDT)
From: JOHAN CAMPHER <johancampher4@mac.com>
To: JOHAN CAMPHER <johancampher4@mac.com>
Subject: I AWAIT YOUR RESPONSE
X-Originating-IP: 80.89.179.237/instID=151
80.89.179.237 has been listed as part of SBL32972 for being a source of advance fee fraud since November 26th, 2005. Yet Apple is still perfectly willing to help it spam us, for whatever reason.
I don't have much to say that I didn't already say when Demon Internet joined the webmail hall of shame, so I'll just refer people to that entry.
(I'm not sure if Apple's .Mac stuff offers genuinely free webmail, but
their FAQ says that they have at
least a 60 day free trial. And when they call a machine webmail11-en1,
I take them at their word.)
2006-04-07
Some quick SMTP connection statistics
Recently I've been wondering about the usage pattern of zombie machines. Do spammers typically make only a few connections from each zombie and move on, or do they use the same machines over and over?
Through my weekly spam stats I know that some machines that we reject at connection time try again and again. But what's the distribution like? For example, do most IP addresses get refused once or twice and then go away? So I grabbed our logs and started looking.
All of these figures are for the past 28 (full) days, and for IP addresses that have connected to us at least twice at least five seconds apart (so we're already dealing with machines with some retrying or reuse).
| What | Different IPs | 1 try | 2 tries | 3 tries | 4 tries | 5-10 tries | more |
| all refused | 46,583 | 60% | 17% | 7.4% | 4.1% | 8% | 3.7% |
| 'dynamic' | 25,430 | 59% | 17% | 7.7% | 4.2% | 8.2% | 3.3% |
| bad reverse DNS | 15,582 | 63% | 17% | 6.6% | 3.4% | 6.3% | 3.3% |
| CBL | 4,237 | 49% | 19% | 9% | 6.2% | 12% | 4.3% |
'CBL' is the people we rejected for being CBL listed. Unfortunately for my nice neat stats, we only check DNS blocklists after doing 30 minutes of greylisting (or more, for people with bad DNS information). So these are the creme of the crop of CBL listed IP addresses, which explains the relatively high persistence. It also makes the 49% 'only rejected once' interesting; I theorize that spammers are now using at least some zombie handling programs that don't give up after 4xx series SMTP replies, but do after 5xx ones.
At the moment, 7,511 of the 'bad reverse DNS' IP addresses and 11,518 of the 'dynamic' IP addresses are currently in the CBL (since the CBL ages things out, it's possible that more of them were originally there). Broken apart into 'in the CBL' and 'not currently in the CBL' sets, we get:
| What | Different IPs | 1 try | 2 tries | 3 tries | 4 tries | 5-10 tries | more |
| 'CBL' | 19,022 | 56% | 18% | 8.3% | 4.7% | 9.3% | 4.2% |
| non-CBL | 21,969 | 65% | 17% | 6.4% | 3.2% | 5.9% | 2.5% |
I don't have any really clever theories about the difference in persistence. It does make me want to move the CBL to early on in our processing so I can generate better numbers. (Prior experience suggests that most of our rejections will be in the CBL.)
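The try-count buckets used in the tables above and in the April 22nd CBL stats entry, together with that entry's percentile levels and its 'a day or more after the first rejection' measure, can be computed per IP as in this added example. It is not the author's own scripts; the log line layout, the function names and the sample addresses are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The "<date> reject <ip> <class>" layout is a
# hypothetical log format; the addresses come from documentation ranges.
SAMPLE_LOG = """\
Apr 16 03:40:13 reject 192.0.2.10 bl-cbl
Apr 16 04:11:12 reject 198.51.100.7 bl-cbl
Apr 16 04:28:28 reject 198.51.100.8 bl-cbl
Apr 16 04:41:30 reject 198.51.100.7 bl-cbl
Apr 16 05:00:00 reject 203.0.113.9 dialup
Apr 17 10:00:00 reject 192.0.2.11 bl-cbl
Apr 18 09:00:00 reject 198.51.100.8 bl-cbl
this line is truncated
Apr 22 02:09:50 reject 198.51.100.8 bl-cbl
Apr 22 20:00:00 reject 203.0.113.5 bl-cbl
Apr 22 23:30:00 reject 203.0.113.5 bl-cbl
"""
BUCKETS = [("1 try", 1, 1), ("2 tries", 2, 2), ("3 tries", 3, 3),
           ("4 tries", 4, 4), ("5-10 tries", 5, 10),
           ("11-20 tries", 11, 20), ("more", 21, None)]


def parse_rejections(log, reason="bl-cbl", year=2006):
    """Map each IP rejected for `reason` to its sorted rejection times."""
    seen = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "reject" or parts[5] != reason:
            continue  # malformed line or a different rejection class
        try:
            when = datetime.strptime(f"{year} " + " ".join(parts[:3]),
                                     "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp
        seen[parts[4]].append(when)
    return {ip: sorted(times) for ip, times in seen.items()}


def bucket_shares(per_ip):
    """Percentage of distinct IPs falling into each try-count bucket."""
    counts = Counter()
    for times in per_ip.values():
        n = len(times)
        label = next(name for name, low, high in BUCKETS
                     if n >= low and (high is None or n <= high))
        counts[label] += 1
    total = len(per_ip) or 1  # avoid dividing by zero on an empty log
    return {name: round(100.0 * counts[name] / total, 1)
            for name, _, _ in BUCKETS}


def percentile(values, pct):
    """Nearest-rank percentile for an integer `pct` between 1 and 100."""
    ordered = sorted(values)
    return ordered[(pct * len(ordered) + 99) // 100 - 1]


def returned_later(per_ip, gap=timedelta(days=1), log_end=None):
    """Fraction of repeat IPs whose last rejection is >= `gap` after the first.

    With `log_end` set, IPs first rejected less than `gap` before the end of
    the log are left out, since they have not yet had time to come back.
    """
    repeat = [t for t in per_ip.values() if len(t) > 1
              and (log_end is None or t[0] <= log_end - gap)]
    late = sum(1 for t in repeat if t[-1] - t[0] >= gap)
    return late / len(repeat) if repeat else 0.0


if __name__ == "__main__":
    cbl = parse_rejections(SAMPLE_LOG)
    print(bucket_shares(cbl))
    print(returned_later(cbl), returned_later(cbl, log_end=datetime(2006, 4, 23)))
```

Passing `log_end` applies the filtering that the April 22nd entry notes it had not done, and on a sample like this it raises the 'came back a day later' share.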
2006-04-02
Weekly spam summary on April 1st, 2006
Let's see what sort of April Fools joke the spammers have been having this week. This week, we:
- got 14,298 messages from 221 different IP addresses.
- handled 18,642 sessions from 966 different IP addresses.
- received 153,366 connections from at least 49,555 different IP addresses.
- hit a highwater of 17 connections being checked at once.
Connection volume is up from last week, but session volume is down somewhat. That's got a simple meaning: more spammers being dumped at connection time. The per day table runs:
| Day | Connections | different IPs |
| Sunday | 21,525 | +9,017 |
| Monday | 21,430 | +7,776 |
| Tuesday | 27,890 | +6,457 |
| Wednesday | 23,531 | +5,822 |
| Thursday | 19,097 | +6,309 |
| Friday | 19,609 | +7,180 |
| Saturday | 20,284 | +6,994 |
Conclusion: the spam attack from last week is continuing, with a spike Tuesday for some reason. It would be handy if the spammer show came with a program guide.
Kernel level packet filtering top ten:
| Host/Mask | Packets | Bytes |
| 193.70.192.0/24 | 16183 | 730K |
| 212.216.176.0/24 | 7320 | 365K |
| 61.128.0.0/10 | 5531 | 287K |
| 209.94.102.72 | 4599 | 234K |
| 211.136.0.0/14 | 4123 | 247K |
| 168.243.89.68 | 2699 | 162K |
| 218.0.0.0/11 | 2255 | 113K |
| 221.216.0.0/13 | 2247 | 114K |
| 219.238.168.124 | 2112 | 101K |
| 24.13.143.139 | 2042 | 98016 |
Continuing the trend from last week, libero.it and tin.it
really tried to dump a lot of stuff on us (they're the top two
entries on the list).
- 209.94.102.72 was blocked for hitting spamtraps and then keeping on sending us spammy-looking stuff.
- 168.243.89.68 is a San Salvador based IP address with bad reverse DNS.
- 219.238.168.124 returns from last week.
- 24.13.143.139 is a Comcast cablemodem, and is listed in a number
of DNS blocklists (including
bl.spamcop.net).
Connection time rejection stats:
36261 total
19955 dynamic IP
11044 bad or no reverse DNS
3677 class bl-cbl
270 class bl-dsbl
249 class bl-ordb
232 class bl-sbl
137 class bl-sdul
105 class bl-njabl
83 fairgamemail.us
67 class bl-spews
38 SKYLIST INC 69.56.0.0/18
22 class bl-opm
Unlike last week, this week fairgamemail.us is trying
to spam us from two netblocks. They hit us from both
209.124.72.0/24 and the new 204.14.1.0/24, under 'VX Commit, LLC',
204.14.0.0/21. VX Comit LLC's entire /21 is in the SBL as SBL27197; according to the
listing they are also known as '247 Surf Net'.
Out of the top 30 most rejected IP addresses, three were rejected
100 times or more. The most prolific was 64.71.157.243 (in
the SBL as part of SBL39167), rejected
139 times. Twelve of the top 30 are currently in the CBL, nine
are currently in bl.spamcop.net, and only the one is currently
in the SBL.
Other numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 654 | 66 | 714 | 68 |
| Bad bounces | 98 | 81 | 108 | 85 |
I can take some comfort that these are low, and there are relatively few IP addresses involved. By this point, a certain amount of bad bounces are probably just the inevitable background noise of the Internet, much like ssh brute force scans.
And finally the Hotmail numbers:
- 12 messages accepted; shockingly, these were all legitimate.
- 1 message rejected because it came from a non-Hotmail email address.
- 19 messages sent to our spamtraps.
- 13 messages refused because their sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (2 for being in the SBL, 1 for being in the CBL, one from SAIX, one from Ghana).
The SBL rejections are for the same IP address, 62.59.40.138, which is SBL33051. It was one of the ones that hit us last week, as recounted in my revised Hotmail stats. I'm not very happy that it can still spew advance fee fraud spam through Hotmail.
(Don't get too enthused at 12 legitimate emails from Hotmail; 11 of them were from one person.)