Wandering Thoughts archives

2006-05-28

Weekly spam summary on May 27th, 2006

This week, we:

  • got 11,513 messages from 227 different IP addresses.
  • handled 18,277 sessions from 912 different IP addresses.
  • received 133,583 connections from at least 42,540 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

This is about the same as last week. Tuesday, Wednesday, and Thursday were the busiest days this week for connections; I suppose that's not too surprising. (Interestingly, email received peaked on Tuesday but connections peaked on Wednesday.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
218.254.83.47          9190    441K
66.58.176.187          8320    423K
199.239.233.177        8173    403K
204.202.2.104          7246    357K
198.66.222.140         5729    283K
216.59.145.150         4480    215K
61.128.0.0/10          4443    221K
213.180.130.36         4321    259K
198.187.200.0/24       3905    234K
195.34.32.101          3768    241K

Overall this is significantly up from last week, although the leader is lower this time around; maybe they've finally given up hammering on us after several weeks.

  • 218.254.83.47 and 66.58.176.187 return from last week; the former is now on the CBL, among other places.
  • 199.239.233.177, 204.202.2.104, and 198.66.222.140 all tried to shovel phish spam at us to the point that we blocked them. Since all of them used the same MAIL FROM of 'administrative@desjardins.com', they may all be exploited by the same spammer.
  • 216.59.145.150 is in NJABL.
  • 213.180.130.36 is a poczta.onet.pl mail sending machine; we have blocked all of poczta.onet.pl here due to advance fee fraud spam email.
  • 195.34.32.101 is in SPEWS as part of a Rostelecom listing.

Connection time rejection stats:

  37733 total
  17223 bad or no reverse DNS
  15812 dynamic IP
   2497 class bl-cbl
    560 class bl-njabl
    493 class bl-dsbl
    235 class bl-sdul
    146 class bl-spews
     79 class bl-ordb
     72 class bl-sbl

Fourteen out of the top 30 most rejected IP addresses were rejected more than 100 times; the champion is of course 218.254.83.47 (622 times before it wound up back in the kernel IP filters), with 218.62.89.61 next (265 times, for not having any reverse DNS and being in a pile of DNSBLs). 19 of the top 30 are currently in the CBL, and seven are currently in bl.spamcop.net.
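The rejection classes above (bad or no reverse DNS, dynamic IP, the various bl-* DNSBL classes) are all decided at connection time, before any SMTP command, and the bad-HELO count further down is decided one command later. The following is an added illustration of those checks, not the code of the SMTP frontend described on this page; the author does not say what rule his frontend uses for "dynamic IP", so the generic-name heuristic here is an assumption, the DNS records and DNSBL listings are a constructed in-memory table so it runs offline, and the zone names are assumed.

```python
import ipaddress
import re

# Constructed stand-in for DNS so the example runs offline: PTR (reverse) and
# A (forward) records for RFC 5737 documentation addresses, not real hosts.
PTR = {
    "192.0.2.10": "mail.example.org",
    "192.0.2.20": "cpe-192-0-2-20.dsl.example.net",   # generic consumer-line name
    "192.0.2.30": "host30.example.com",               # PTR whose A record points elsewhere
    "192.0.2.50": "relay50.example.org",
    # 192.0.2.40 deliberately has no PTR at all
}
A = {
    "mail.example.org": "192.0.2.10",
    "cpe-192-0-2-20.dsl.example.net": "192.0.2.20",
    "host30.example.com": "198.51.100.5",
    "relay50.example.org": "192.0.2.50",
}
# Assumed DNSBL zones with simulated listings; the class names follow the
# page's "class bl-<name>" convention.
DNSBL = {
    "cbl":   ("cbl.abuseat.org", {"192.0.2.20", "192.0.2.50"}),
    "njabl": ("dnsbl.njabl.org", set()),
}

# Illustrative heuristic for "dynamic IP": generic access-line tokens, or the
# address itself spelled out in the name. Not the author's actual rule.
DYNAMIC_RE = re.compile(
    r"dial|dyn|dhcp|cable|dsl|pool|ppp|cpe|(\d{1,3}[-.]){3}\d{1,3}", re.I)


def dnsbl_query_name(ip, zone):
    """A DNSBL query reverses the octets and appends the zone name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, cls):
    """Simulated lookup. A real one resolves dnsbl_query_name(ip, zone) and
    treats any 127.0.0.x answer as 'listed'."""
    zone, listed = DNSBL[cls]
    return ip in listed


def classify_connection(ip):
    """Return the rejection class for a connecting IP, or None to let it proceed."""
    name = PTR.get(ip)
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    if name is None or A.get(name) != ip:
        return "bad or no reverse DNS"
    if DYNAMIC_RE.search(name):
        return "dynamic IP"
    for cls in DNSBL:
        if dnsbl_listed(ip, cls):
            return "class bl-" + cls
    return None


BAD_HELO_TLDS = {"local", "localdomain", "lan", "localhost", "invalid"}


def helo_ok(helo):
    """Accept a bracketed address literal or a plausible FQDN, as RFC 2821
    section 4.1.1.1 requires; reject bare hostnames and private pseudo-TLDs."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.IPv4Address(helo[1:-1])
            return True
        except ValueError:
            return False
    labels = helo.lower().split(".")
    if len(labels) < 2 or any(not lab for lab in labels):
        return False                       # bare hostname or empty label
    if labels[-1] in BAD_HELO_TLDS or labels[-1].isdigit():
        return False                       # pseudo-TLD, or a bare IP without brackets
    return all(re.fullmatch(r"[a-z0-9-]+", lab) for lab in labels)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50"):
        print(ip, classify_connection(ip))
    for h in ("mail.example.org", "[192.0.2.10]", "hesa05uker.he.local", "192.0.2.10"):
        print(h, helo_ok(h))
```

The order of checks matters for the statistics: 192.0.2.20 is both generic-named and listed in the simulated CBL, but it is counted as "dynamic IP" because that test runs first, which is one reason the two cheap local checks dominate the totals while the DNSBL classes stay small.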

Hotmail has probably improved compared to last week; the numbers are:

  • 2 messages accepted.
  • 3 messages rejected because they came from non-Hotmail email addresses.
  • 5 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address being in the CBL.

This is less overall spam than last week, but a more diverse set of reasons for it being rejected.

And the last set of numbers:

what          this week (distinct IPs)   last week (distinct IPs)
Bad HELOs     462 (64)                   597 (48)
Bad bounces    18 (16)                    30 (26)

Unlike last week, there's nothing from btconnect.com; either they've stopped mailing us for now or they've fixed the problem (I know which option I'm betting on).

The most frequent target of bad bounces was the 38-digit hex string from before, at 5 bounces (all from Demon Internet machines). Apart from that it was almost all to usernames here that used to exist, apart from one to costauvqaagmlp and one to d45hvwejzd.

SpamSummary-2006-05-27 written at 03:01:44

2006-05-21

Weekly spam summary on May 20th, 2006

This week we:

  • got 12,292 messages from 221 different IP addresses.
  • handled 16,875 sessions from 807 different IP addresses.
  • received 125,999 connections from at least 41,642 different IP addresses.
  • hit a highwater of 11 connections being checked at once.

Nothing went wrong this week, thank goodness; no reboots, no SMTP frontend restarts, nothing. Weekly volume seems to be back to the normal level when things are quiet; there's no sign of last week's Sunday spike. The per-day statistics are sufficiently boring and flat (peaking at 20,000 connections on Wednesday) that I'm not going to put them in.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
218.254.83.47         11876    570K
67.42.71.124           4672    224K
212.216.176.0/24       4390    219K
61.128.0.0/10          3781    190K
66.58.176.187          2925    149K
218.0.0.0/11           2583    131K
220.160.0.0/11         2449    122K
219.128.0.0/12         2069    104K
72.244.167.83          2027   94761
221.216.0.0/13         1909   94116

This is very similar to last week's numbers, down to the first place finisher.

  • 218.254.83.47 returns from last week.
  • 67.42.71.124 is on the DSBL.
  • 66.58.176.187 and 72.244.167.83 are both 'dialup' machines as far as we can tell from their generic DNS names.

Connection time rejection stats:

  35861 total
  17407 dynamic IP
  14992 bad or no reverse DNS
   2390 class bl-cbl
    278 class bl-dsbl
    135 class bl-sdul
     81 class bl-njabl
     69 class bl-sbl
     63 class bl-ordb

Out of curiosity, I took a look at the SBL rejections; the results are kind of depressing. The 69 rejections were of 13 different IP addresses; only two IP addresses (5 rejections total) were not listed for being advance fee fraud sources.

Twelve out of the top 30 most rejected IP addresses were rejected more than 100 times; the top rejection source was our friend 218.254.83.47 (497 times before it was re-blocked at the kernel level). 26 of the top 30 most rejected IP addresses are currently in the CBL; six of them are currently in bl.spamcop.net.

Hotmail is backsliding; perhaps I should be surprised. This week's stats:

  • 1 message accepted, which was spam (I know, because I got it).
  • 1 message rejected because it came from a non-Hotmail email address.
  • 10 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in the CBL.

The last set of numbers:

what          this week (distinct IPs)   last week (distinct IPs)
Bad HELOs     597 (48)                   448 (49)
Bad bounces    30 (26)                    10 (10)

Oh well, so much for not getting very many bounces. (I suppose this still qualifies by other people's standards.) As with last week, (just) over half the bad HELOs came from 213.123.26.0/24, btconnect.com's outgoing SMTP server pool. The odds of this changing any time soon seem low.

SpamSummary-2006-05-20 written at 02:20:00

2006-05-18

The future of spam is advance fee fraud

These days I get very little spam, and what I do get is almost all phish email, stock touting, and advance fee fraud. Partly I'm lucky, but partly I've spent quite a lot of time working on our spam filters.

A lot of spam has relatively distinct characteristics that make it easy to filter. For example, there's a limit to how obfuscated spammers can make URLs and still have people visit their websites, and there are only so many places that will host spammer websites (or spammer DNS servers). Phish spam uses URLs too, but it uses stolen web service, so its websites are scattered all over the place.

Another way to look at it is that none of these three forms of spam is pushing a service; instead, all of them are trying to persuade people of something (even phish spam, which is trying to persuade you to visit a website and enter your account information). When all the spammers need to do is persuade you, they have huge flexibility in their messages.

Phish spam and stock touting do have one thing we can look for: identical copies tend to be sent to lots of people, because the spammers use compromised machines and other mass sending techniques. Software like the DCC can detect this, and so offers hope of reliably filtering them out. However, a lot of advance fee fraud is remarkably low-tech; it's written and sent by hand through free webmail services, by people who have nothing better to do than troll for suckers. Even the DCC can't help against that.
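To make the contrast concrete, here is an added, self-contained sketch of the bulk-detection idea the paragraph attributes to the DCC. It is not the DCC's code: the DCC uses its own fuzzy checksums and a network of cooperating servers, whereas this collapses the normalization into one assumed function (lowercase, digits replaced, punctuation dropped) and the server into one in-memory counter. The twelve stock-tout copies and the three advance fee fraud letters are constructed samples.

```python
import hashlib
import re
from collections import Counter


def fuzzy_checksum(body):
    """Checksum of a normalized body, so copies that differ only in case,
    spacing, punctuation or numbers (prices, dates, tracking codes) collide.
    Assumed normalization; the real DCC uses its own fuzzy checksums."""
    text = body.lower()
    text = re.sub(r"\d+", "0", text)           # every number becomes the same token
    text = re.sub(r"[^a-z0 ]+", " ", text)     # drop punctuation and markup
    text = " ".join(text.split())              # collapse whitespace
    return hashlib.sha1(text.encode()).hexdigest()


class BulkCounter:
    """Counts how many copies of each checksum have been reported. The DCC
    does this across many cooperating sites, which is what makes it bite."""

    def __init__(self, threshold=10):
        self.threshold = threshold
        self.counts = Counter()

    def report(self, body):
        """Record one received copy and return its running count."""
        ck = fuzzy_checksum(body)
        self.counts[ck] += 1
        return self.counts[ck]

    def is_bulk(self, body):
        return self.counts[fuzzy_checksum(body)] >= self.threshold


# Constructed samples: one tout template mass-mailed with per-copy tweaks,
# and three advance fee fraud letters written by hand, each worded differently.
TOUT = "ABCD Corp (OTC: ABCD) up {pct}% today! Target ${price}. Act NOW before {day} June."
TOUT_COPIES = [TOUT.format(pct=20 + i, price=1 + i, day=1 + i) for i in range(12)]
AFF_LETTERS = [
    "Dear friend, I am the widow of the late minister and need your help to move his funds.",
    "Dear sir, my late husband the minister left funds and I need a trusted partner abroad.",
    "Hello, I write to you concerning funds left by the late minister; kindly assist me.",
]


def run_demo(threshold=10):
    """Feed every sample through the counter and report what got flagged."""
    counter = BulkCounter(threshold)
    for body in TOUT_COPIES + AFF_LETTERS:
        counter.report(body)
    return {
        "tout_is_bulk": counter.is_bulk(TOUT_COPIES[0]),
        "aff_is_bulk": [counter.is_bulk(b) for b in AFF_LETTERS],
        "distinct_checksums": len(counter.counts),
    }


if __name__ == "__main__":
    print(run_demo())
```

All twelve tout copies normalize to one checksum and cross the threshold; the three hand-written letters each produce a unique checksum with a count of one, which is exactly the failure mode the paragraph describes: a counter of identical copies has nothing to count when every message is different.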

And that's why I believe the future of spam is advance fee fraud, because I can't see a good way to reliably filter it out.

The corollary is that free webmail is almost certainly doomed, because no security precaution can reliably distinguish good humans from bad ones. Most email you'll get from random free webmail providers will be advance fee fraud spam, which gives people very little incentive to accept email from said random free webmail providers.

SpamFuture written at 01:56:02

2006-05-14

Weekly spam summary on May 13th, 2006

Unfortunately, the SMTP frontend died shortly after midnight on Tuesday morning, so some of the connection statistics are missing about 2.6 days. Given that, this week we:

  • got 11,652 messages from 229 different IP addresses.
  • handled 16,296 sessions from 808 different IP addresses.
  • received 110,313 connections from at least 35,408 different IP addresses since early Tuesday morning.
  • hit a highwater of 11 connections being checked at once since early Tuesday morning.

At the Monday morning volume timestamp, we had received 210,731 connections from at least 7,733 different IP addresses; from this I suspect that the spam storm from Saturday of last week continued full-bore on last Sunday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
218.254.83.47         13422    644K
212.216.176.0/24       6112    305K
209.91.186.139         4554    273K
61.128.0.0/10          3484    173K
68.147.8.249           3397    163K
221.216.0.0/13         3047    151K
218.0.0.0/11           2692    137K
220.160.0.0/11         2358    118K
74.0.215.4             2309    117K
68.167.80.52           2132   99671

Overall, this is a bit more active than last week, but it's mostly driven up by a few people; there seems to have been no overall volume surge.

  • 218.254.83.47 is a Hong Kong cablemodem, and was mentioned in passing last week.
  • 209.91.186.139 is in the CBL. (And Canadian, alas.)
  • 68.147.8.249 is in a Shaw Cable SPEWS listing. I've actually seen it in log summaries for previous weeks (although never high enough to get in this report), and it has a good looking DNS name, and it's not listed anywhere else, so I am going to whitelist it and see what happens.
  • 74.0.215.4 is a covad.net 'dialup' machine.
  • 68.167.80.52 returns from this April; we consider it a dialup machine, and it's also in bl.spamcop.net and the DSBL.

Connection time rejection stats:

  40201 total
  19942 dynamic IP
  16960 bad or no reverse DNS
   2033 class bl-cbl
    233 class bl-spews
    119 class bl-sdul
    118 class bl-dsbl
     83 class bl-sbl
     49 class bl-ordb
     19 class bl-njabl
      3 class bl-opm

Although this looks down from last week, the details make Sunday's spam storm pop out. All 30 of the top 30 most rejected IP addresses were rejected more than 100 times; the most active one was our friend 218.254.83.47, with 619. 27 of the top 30 are currently in the CBL, 4 are currently in bl.spamcop.net, and 222.252.50.91 (123 rejections) is in SBL39408.

SBL39408 is one of those depressing SBL listings; it is for 222.252.0.0/15, which belongs to Vietnam Posts and Telecommunications Corp (VNN.VN). Created April 10th 2006, the two /16 halves of it are apparently the current worst and second worst /16 spam source networks on the Internet. Somehow I suspect that they are going to retain that status for a while.

Hotmail is doing much better this week:

  • one message accepted.
  • 4 messages rejected because they came from non-Hotmail email addresses (all from various non-US Hotmail domains; I really have to improve that check).
  • no messages sent to spamtraps, refused because the sender had already hit spamtraps, or rejected because of their originating IP address.

I'm willing to tentatively declare that Hotmail has fixed their problem. Besides, as far as I can tell the problem free webmail provider is now Yahoo; I am getting significant advance fee fraud spam through Yahoo from a spam gang that they haven't stopped. (The situation is bad enough that I have started blocking non-US Yahoo operations as they spam us.)

The final numbers:

what          this week (distinct IPs)   last week (distinct IPs)
Bad HELOs     448 (49)                   405 (46)
Bad bounces    10 (10)                     8 (7)

More than half (244 out of 448) of the bad HELOs came from btconnect.com's pool of SMTP senders in 213.123.26.0/24, which HELO with names like 'hesa05uker.he.local' (sometimes capitalized). The pattern for usernames in the bad bounces is fairly similar to last week, including another bounce to that 38-character hex sequence (but from a different domain).

SpamSummary-2006-05-13 written at 01:26:48

2006-05-07

Weekly spam summary on May 6th, 2006

This week, we:

  • got 11,443 messages from 213 different IP addresses.
  • handled 15,802 sessions from 820 different IP addresses.
  • received 219,841 connections from at least 43,156 different IP addresses.
  • hit a highwater of 50 connections being checked at once, reaching it Monday.

Connection volume is up significantly from the extrapolated levels of last week. All of this is despite us being down for about half of Sunday, due to a drive failure and needing to fix it. The per day table is very interesting, though:

Day          Connections   different IPs
Sunday             6,518          +2,602
Monday            22,737          +6,621
Tuesday           19,300          +6,684
Wednesday         23,372          +6,488
Thursday          22,592          +5,987
Friday            22,169          +8,218
Saturday         103,153          +6,556

You can see the Sunday effects, and I have nothing to say about this Saturday except AIEEE. I rather suspect that there is a major spam storm going on at the moment.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
218.189.207.71         6045    290K
212.216.176.0/24       5433    268K
213.253.210.34         4274    205K
213.178.230.131        3284    158K
61.128.0.0/10          2748    136K
222.32.0.0/11          2392    124K
67.138.83.190          2241    108K
213.250.36.13          2193    105K
199.195.71.42          2166    110K
218.0.0.0/11           2045    104K

It's pretty much the week of DNS blocklists:

  • 218.189.207.71 is a Hong Kong IP address with bad reverse DNS.
  • 213.253.210.34 is in the DSBL.
  • 213.178.230.131 and 213.250.36.13 are in the ORDB.
  • 67.138.83.190 is in NJABL.
  • 199.195.71.42 kept hammering on us after attempting delivery to a spamtrap; I suspect it's phish spam from the MAIL FROM address.

(The usual difference is that advance fee fraud spam exploits badly administered webmail systems and so has MAIL FROM addresses that look like individual user names, whereas phish spam exploits insecure web servers and thus has MAIL FROM addresses with usernames like httpd, apache, root, nobody, test, and so on.)

Connection time rejection stats:

  41638 total
  19232 dynamic IP
  18044 bad or no reverse DNS
   2279 class bl-cbl
    481 class bl-njabl
    409 class bl-ordb
    255 class bl-spews
    167 class bl-dsbl
     48 class bl-sdul
     28 class bl-sbl
      3 class bl-opm

In completely unsurprising news (given the spam storm), 24 of the top 30 most rejected IP addresses were rejected more than 100 times; the champion was 218.254.83.47 with 259 rejected connections. 23 of the top 30 are currently in the CBL and 13 of them are currently in bl.spamcop.net.

The Hotmail numbers are at pretty much an all-time low, although they still collect one black eye:

  • No messages accepted.
  • No messages rejected because they came from non-Hotmail email addresses.
  • 3 messages sent to our spamtraps.
  • No messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in SBL17935, listed since January 17th, 2006.

Of course Hotmail is still batting zero since no real Hotmail people actually sent us email this week, but at least they're not swinging very much.

And the final set of numbers:

what          this week (distinct IPs)   last week (distinct IPs)
Bad HELOs     405 (46)                   346 (40)
Bad bounces     8 (7)                     29 (23)

On the bad HELOs front, the most active source was 205.150.71.250, with 100 tries; the next was 217.197.167.34 with only 57. The bad bounces number is completely surprising; at this level, I can actually look at each session. While some of the bounces are to completely bogus user names, some are to what are now spamtrap addresses here. I don't know what this means; have spammers started mining their target lists for MAIL FROMs?

The user name patterns for the bad bounces:

  • last week saw 4 each to id and noreply, 11 more between four spamtraps, then one each to a mix of spamtraps, random sequences like c301ymxlp, and some entirely numeric user names like 72.
  • this week saw 2 to costauvqaagmlp, 4 to spamtraps, one to entranceway, and one to the 38-character hex sequence 8B407639D45C5742ADD3987F7E013C410F82BC.

Conclusion: spammers are strange.

SpamSummary-2006-05-06 written at 02:42:49
