Wandering Thoughts archives

2006-07-30

Weekly spam summary on July 29th, 2006

This week, we:

  • got 12,284 messages from 218 different IP addresses.
  • handled 17,177 sessions from 899 different IP addresses.
  • received 152,193 connections from at least 48,479 different IP addresses.
  • hit a highwater of 7 connections being checked at once.

Most of these are up somewhat from last week, although they're within the levels that I've come to think of as 'normal variation'. The day to day figures were quite variable:

Day          Connections   different IPs
Sunday            15,872          +6,909
Monday            22,221          +6,672
Tuesday           26,190          +7,950
Wednesday         22,421          +6,288
Thursday          23,553          +7,173
Friday            26,121          +8,609
Saturday          15,815          +4,878

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12           7102    369K
212.216.176.0/24       5702    287K
81.88.225.210          4275    235K
62.212.90.203          3960    195K
61.128.0.0/10          3900    197K
64.71.176.237          3685    221K
220.160.0.0/11         2800    140K
218.0.0.0/11           2529    126K
213.0.31.4             2496    120K
210.54.141.0/24        2395    115K

This is more or less around the expected levels.

  • 213.4.149.12 and 81.88.225.210 reappear from last week.
  • 62.212.90.203 has inconsistent reverse DNS, and we don't accept that from its network area. (It's also currently in bl.spamcop.net.)
  • 64.71.176.237 tried to keep sending stuff with a MAIL FROM that had tripped our spamtraps.
  • 213.0.31.4 uses a bad HELO name. Since that's Telefonica IP space and it has no reverse DNS, next week it will be banned for that.
  • 210.54.141.0/24 is xtra.co.nz outgoing mail machines, which tried to keep sending stuff with a MAIL FROM that had tripped our spamtraps. Given that the username of the MAIL FROM is 'uk_winner', I think I can safely chalk up yet another badly managed webmail system.
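The "bad or no reverse DNS", "inconsistent reverse DNS" and "dynamic IP" checks that keep coming up in these summaries, as an added example that is not code from this blog or its mail system. The resolver is injected as two callables so it runs offline against a constructed fake zone; every name and address in it is made up, the dynamic-hostname tokens are a local heuristic, and the `strict_networks` argument is this example's way of expressing "we don't accept inconsistent rDNS from that network area".

```python
# Added example (not code from the original post): connection-time reverse
# DNS classification -- no rDNS, inconsistent rDNS (the PTR name does not
# resolve back to the connecting IP), or consistent -- plus a heuristic for
# dynamic-pool hostnames.  Resolver functions are injected so this runs
# offline; all zone data below is constructed.
import ipaddress
import re


def classify_reverse_dns(ip, ptr_lookup, addr_lookup):
    """Return 'none', 'inconsistent' or 'consistent' for the IP's rDNS.

    ptr_lookup(ip)    -> list of PTR names (empty if none)
    addr_lookup(name) -> list of address strings for that name
    """
    names = ptr_lookup(ip)
    if not names:
        return "none"
    # Forward-confirmed rDNS: at least one PTR name must map back to the IP.
    for name in names:
        if ip in addr_lookup(name):
            return "consistent"
    return "inconsistent"


# Tokens ISPs commonly put in generated names for customer address space.
# This is a local heuristic (an assumption of this example), not a standard.
_DYNAMIC_WORDS = re.compile(
    r"(?:^|[.-])(?:dyn|dynamic|dsl|adsl|ppp|pppoe|cable|dhcp|dialup|pool)"
    r"(?:[.-]|\d|$)",
    re.IGNORECASE,
)


def looks_dynamic(ip, name):
    """True if the PTR name carries a dynamic-pool token or spells out the IP."""
    if _DYNAMIC_WORDS.search(name):
        return True
    # Names like 'c-192-0-2-20.foo' or '20.2.0.192.bar' embed the address.
    digit_runs = re.findall(r"\d+", name)
    matched = sum(1 for octet in ip.split(".") if octet in digit_runs)
    return matched >= 3


def connection_verdict(ip, ptr_lookup, addr_lookup, strict_networks=()):
    """Return a rejection reason, or None to let the SMTP session proceed.

    Inconsistent rDNS is only fatal inside 'strict_networks', mirroring the
    policy of rejecting it only from particular network areas.
    """
    state = classify_reverse_dns(ip, ptr_lookup, addr_lookup)
    if state == "none":
        return "bad or no reverse DNS"
    if state == "inconsistent":
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(n) for n in strict_networks):
            return "bad or no reverse DNS"
        return None
    if looks_dynamic(ip, ptr_lookup(ip)[0]):
        return "dynamic IP"
    return None


# Constructed fake zone (documentation-range addresses, invented names).
FAKE_PTR = {
    "192.0.2.10": ["mail.example.net"],
    "192.0.2.20": ["c-192-0-2-20.dyn.example.org"],
    "192.0.2.30": ["smtp.example.com"],   # forward record points elsewhere
}
FAKE_ADDR = {
    "mail.example.net": ["192.0.2.10"],
    "c-192-0-2-20.dyn.example.org": ["192.0.2.20"],
    "smtp.example.com": ["192.0.2.31"],
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip, [])


def fake_addr(name):
    return FAKE_ADDR.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, classify_reverse_dns(ip, fake_ptr, fake_addr),
              connection_verdict(ip, fake_ptr, fake_addr,
                                 strict_networks=("192.0.2.0/24",)))
```

In production the two lookups would be wrappers around a real resolver with timeouts; the point of keeping them injectable is that the policy logic can be tested without DNS at all.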

Connection time rejection stats:

  38282 total
  19078 dynamic IP
  15363 bad or no reverse DNS
   2583 class bl-cbl
    246 class bl-njabl
    165 class bl-sdul
    123 mailup.info
     80 class bl-sbl
     67 class bl-dsbl
     33 class bl-spews
     27 class bl-ordb

Out of the top 30 most rejected IP addresses, 7 were rejected more than 100 times; the champion is 82.89.202.5 (an interbusiness.it IP address) with 419 rejections. 18 of the top 30 are currently in the CBL and six are currently in bl.spamcop.net.
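How the numbers above get produced from a log, as an added example rather than the blog's own tooling. The log line format ("YYYY-MM-DD HH:MM:SS ip accept|reject [reason]") is an assumption of this example, and the sample lines are constructed; it yields the per-reason rejection counts, the per-day connections and new-IP counts, and the "top 30 most rejected, how many over 100" figure.

```python
# Added example (not the blog's own scripts): tally connection-time
# rejections from a front-end SMTP log into the weekly-summary numbers.
# Assumed log format: "YYYY-MM-DD HH:MM:SS <ip> accept|reject [<reason>]".
# The sample lines are constructed and use documentation-range addresses.
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\S+) (accept|reject)(?: (.+))?$"
)


def parse_line(line):
    """Return (day, ip, action, reason) or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    day, ip, action, reason = m.groups()
    return day, ip, action, (reason or "").strip()


def summarize(lines, top_n=30):
    """Aggregate log lines into the figures the weekly posts report."""
    total = 0
    seen = set()
    per_day = {}            # day -> [connections, IPs not seen before that day]
    reasons = Counter()
    rejected_ips = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        day, ip, action, reason = rec
        total += 1
        counts = per_day.setdefault(day, [0, 0])
        counts[0] += 1
        if ip not in seen:
            seen.add(ip)
            counts[1] += 1
        if action == "reject":
            reasons[reason] += 1
            rejected_ips[ip] += 1
    return {
        "connections": total,
        "distinct_ips": len(seen),
        "per_day": [(d, c, n) for d, (c, n) in per_day.items()],
        "rejections_total": sum(reasons.values()),
        "rejections": reasons,
        "top_rejected": rejected_ips.most_common(top_n),
    }


def count_over(top_rejected, threshold=100):
    """How many of the top-N rejected IPs were rejected more than 'threshold' times."""
    return sum(1 for _ip, n in top_rejected if n > threshold)


def format_report(summary):
    """Render the summary in the layout the weekly posts use."""
    out = [f"{summary['rejections_total']:7d} total"]
    for reason, n in summary["rejections"].most_common():
        out.append(f"{n:7d} {reason}")
    out.append("")
    out.append("Day          Connections   different IPs")
    for day, conns, new in summary["per_day"]:
        out.append(f"{day}   {conns:11,d}   {'+' + format(new, ',d'):>13}")
    return "\n".join(out)


# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2006-07-23 00:00:05 192.0.2.20 reject dynamic IP
2006-07-23 00:00:09 192.0.2.10 accept
2006-07-23 00:01:30 192.0.2.20 reject dynamic IP
2006-07-23 02:10:00 198.51.100.7 reject class bl-cbl
2006-07-23 02:10:05 198.51.100.7 reject class bl-cbl
2006-07-24 03:12:44 203.0.113.5 reject bad or no reverse DNS
2006-07-24 03:13:00 192.0.2.10 accept
2006-07-24 04:00:00 192.0.2.20 reject dynamic IP
2006-07-24 04:00:01 203.0.113.9 reject class bl-njabl
this line is not a log record and is skipped
""".splitlines()


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(format_report(s))
    print("top rejected:", s["top_rejected"][:3],
          "over 2:", count_over(s["top_rejected"], 2))
```

The "different IPs" column counts addresses first seen that day, which is why it accumulates to the week's distinct-IP total rather than summing to more.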

Hotmail's numbers got worse this week:

  • no messages accepted.
  • 11 messages rejected because they came from non-Hotmail email addresses.
  • 15 messages sent to our spamtraps.
  • 5 messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being a telkom.co.za IP address.

All of the 'non-Hotmail' addresses rejected were from either msn.com or one of the non-US Hotmail domains. However, almost all of the usernames are typical of advance fee fraud spam usernames (things like 'britishinternational_lottery04' and 'dr_charis_adam13'), so I don't think we're missing much.

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs            528 (44)                    307 (45)
Bad bounces           38 (26)                     38 (34)

The leading bad HELO source is 213.129.201.64, with 135 rejections.
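What a "bad HELO" check looks like in practice, as an added example that is not code from this site's mail system. It applies the RFC 5321 section 4.1.1.1 syntax rule (the argument must be a fully qualified domain name or a bracketed address literal) plus local policies the summaries allude to: a bare IP, an unqualified name, a non-public domain like the 'pascor01.Pascor.local' case further down the page, or a claim to be one of our own hosts. `OUR_NAMES` and `OUR_IPS` are invented placeholders for the receiving site.

```python
# Added example (not code from the original post): validate the HELO/EHLO
# argument at connection time.  Syntax per RFC 5321 4.1.1.1, plus local
# policy rules.  OUR_NAMES / OUR_IPS are placeholders for the receiving host.
import ipaddress
import re

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_NON_PUBLIC_TLDS = {"local", "localdomain", "localhost", "lan", "internal"}

OUR_NAMES = ["mail.cs.example.edu"]   # placeholder: names this MX answers to
OUR_IPS = {"192.0.2.1"}               # placeholder: addresses this MX listens on


def helo_problem(helo, our_names, our_ips):
    """Return None if the HELO argument is acceptable, else a short reason."""
    h = (helo or "").strip()
    if not h:
        return "empty"
    if h.startswith("[") and h.endswith("]"):
        # Address literal: [1.2.3.4] or [IPv6:...]
        literal = h[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            return "malformed address literal"
        if str(addr) in our_ips:
            return "claims to be us"
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            return "non-public address literal"
        return None
    # A bare address without brackets is a common spam-engine tell.
    try:
        ipaddress.ip_address(h)
        return "bare IP address (needs brackets)"
    except ValueError:
        pass
    name = h.rstrip(".")
    if name.lower() in {n.lower() for n in our_names}:
        return "claims to be us"
    labels = name.split(".")
    if len(labels) < 2:
        return "not fully qualified"
    if not all(_LABEL.match(label) for label in labels):
        return "illegal characters"
    if labels[-1].lower() in _NON_PUBLIC_TLDS or labels[-1].isdigit():
        return "non-public domain"
    return None


if __name__ == "__main__":
    for h in ("mail.example.net", "192.0.2.5", "[10.1.2.3]", "[192.0.2.1]",
              "pascor01.Pascor.local", "mx1", "MAIL.CS.EXAMPLE.EDU",
              "bad_host.example.net", ""):
        print(repr(h), "->", helo_problem(h, OUR_NAMES, OUR_IPS))
```

Rejecting on HELO alone is a policy choice; the summaries show why it is a cheap one here, since the offenders are mostly machines that fail several other checks too.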

In a surprise, this week we got no bounces to any of the three 38-character hex strings. We did get bounces to all of the other usual suspects, with the most-hit username being 'noreply' (5 bounces).

SpamSummary-2006-07-29 written at 00:29:00

2006-07-23

Weekly spam summary on July 22nd, 2006

We rebooted this server Monday around 6:50pm, so a number of the stats are truncated this week. Having said that, this week, we:

  • got 11,369 messages from 257 different IP addresses.
  • handled 15,931 sessions from 851 different IP addresses.
  • received 87,698 connections from at least 31,657 different IP addresses since Monday evening.
  • hit a highwater of 6 connections being checked at once since Monday evening.

It appears as if this week's connection volume is down significantly from last week. I have no particularly good explanation why, but I like it.

Kernel level packet filtering top ten since Monday evening:

Host/Mask           Packets   Bytes
213.4.149.12           9132    475K
81.88.225.210          7796    428K
218.0.0.0/11           6990    340K
212.216.176.0/24       4960    248K
210.54.141.0/24        4303    207K
61.128.0.0/10          3196    168K
129.206.210.211        2969    129K
72.244.103.210         2488    116K
128.121.94.189         2318    114K
204.181.35.187         2145    109K

  • 213.4.149.12 returns from last week.
  • 81.88.225.210 is mailupnet.it aka mailup.info aka people we have no interest in ever accepting email from again.
  • 129.206.210.211 and 128.121.94.189 both hit our spamtraps and kept on sending, likely with phish spam in both cases.
  • 72.244.103.210 is something we consider a covad.net 'dialup' machine.
  • 204.181.35.187 is on the NJABL.

Connection time rejection stats, from Monday evening:

  27275 total
  11820 dynamic IP
  11820 bad or no reverse DNS
   1696 class bl-cbl
    591 mailup.info
    243 class bl-njabl
    207 dartmail.net
    118 class bl-sdul
    108 class bl-dsbl
     92 class bl-sbl
     58 class bl-spews
     42 class bl-ordb

Five of the top 30 most rejected IP addresses were rejected more than 100 times; the winner is 81.88.225.210, rejected 591 times. 13 of the top 30 are currently in the CBL, six are currently in bl.spamcop.net, and one, 213.154.94.190, is in the SBL as part of SBL21129. It's an advance fee fraud spam source, of course.

Hotmail is backsliding. This week, it had:

  • no messages accepted.
  • 2 messages rejected because they came from non-Hotmail email addresses.
  • 14 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address being in the SBL. All three came from 66.178.40.27, in SBL27471, which has been listed since February 7th. Worse, the SBL page shows evidence of spam through Hotmail as far back as September 10th 2005.

I'm especially displeased by the 'rejected for being in the SBL' messages.

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs            307 (45)                   1422 (70)
Bad bounces           38 (34)                    127 (108)

I'm pleased to see this drop; evidently last week was just exceptional.

For the first time in a while, none of the various 38-character hex strings got any bounces. Instead, everything went to all of the other usual suspects.

(I am short on sleep, so this summary is more uninspired than usual.)

SpamSummary-2006-07-22 written at 00:44:15

2006-07-16

Weekly spam summary on July 15th, 2006

This week, we:

  • got 12,289 messages from 220 different IP addresses.
  • handled 18,265 sessions from 954 different IP addresses.
  • received 143,889 connections from at least 48,413 different IP addresses.
  • hit a highwater of 14 connections being checked at once.

Session volume is up slightly from last week, but everything else is down. The per day table is relatively boring, so I'm omitting it this week.

Kernel level packet filtering top eleven:

Host/Mask           Packets   Bytes
209.216.205.162       16293    717K
210.245.161.90        12190    731K
218.0.0.0/11           7848    383K
213.4.149.12           7830    407K
61.128.0.0/10          4919    257K
212.216.176.0/24       4779    244K
195.39.69.48           4509    271K
62.149.158.91          4142    249K
220.160.0.0/11         3573    176K
66.193.15.20           3119    187K
218.254.82.97          3111    149K

The bottom of the top eleven is about the same volume as last week, but the top end is much higher.

  • 209.216.205.162 kept trying to send email from an email address that had hit a spamtrap.
  • 210.245.161.90 is a Hong Kong IP address with no reverse DNS, and is also in the CBL.
  • 213.4.149.12 returns from last week, still with a bad HELO.
  • 195.39.69.48 is a Czech IP address with no reverse DNS (and is in spam.dnsbl.sorbs.net).
  • 62.149.158.91 is an aruba.it webmail machine; we now refuse all of them after too much spam from aruba.it.
  • 66.193.15.20 kept trying to send email from an email address that had already hit a spamtrap, in this case 'women@city.localevents.com'.
  • our old friend 218.254.82.97 from last week and before is at #11, just barely failing to make the top ten list, but I included it anyways.

I'm not too happy with 'city.localevents.com', as this is the second time they've hit our spamtraps with something (both times from 66.193.15.20). They may get banned entirely if this happens again.

Connection time rejection stats:

  40160 total
  18979 dynamic IP
  16601 bad or no reverse DNS
   2767 class bl-cbl
    520 class bl-njabl
    172 class bl-ordb
    152 class bl-dsbl
    133 class bl-sbl
    127 class bl-sdul
     40 class bl-spews

The top three are down significantly from last week, but the other numbers haven't budged much (the CBL rejections are even up slightly).

Eighteen of the top 30 most rejected IP addresses were rejected more than 100 times, with 84.229.4.87 the winner at 307 rejections. 203.197.246.51 (245 rejections) and 82.232.29.56 (222 rejections) collect second and third place. 20 of the top 30 are currently in the CBL and 5 are currently in bl.spamcop.net.

Hotmail had a so-so week:

  • 1 message accepted.
  • 2 messages rejected because they came from non-Hotmail email addresses.
  • 10 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • no messages refused due to their origin IP address

As with last week, Hotmail continues to have spammers but they keep mailing our spamtraps instead of our real users. I suppose this is better than the alternative, and I have to admit that the volume stats are down a lot from the heights of the problem.

And the closing numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs           1422 (70)                    608 (56)
Bad bounces          127 (108)                    88 (62)

Leading contributors to the bad HELOs are 209.97.195.183 (356 rejections), 212.122.235.35 (172), 62.42.227.11 (89), and 212.150.140.50 (83), but there's no really big point source for the big HELO jump.

Bad bounces went to a lot of usernames this week, most of them clearly made up by spammers (mostly in a pattern of letters with a few digits at the end). But the leading username for bounces was 'books' (12 times), there were some bounces to long since dead accounts, one bounce to '35', and two bounces to one of the 38-character hex strings and one bounce to another one.

Those hex strings really make me wonder. Oh well, spammers are peculiar.

SpamSummary-2006-07-15 written at 02:40:48

2006-07-10

A suggestion for people with 'Out of Office' autoreplies

Speaking from personal experience: never, ever set up an out of office autoreply that sends email to the From: address of incoming email. Never. Or if you must do this, unsubscribe from all of the mailing lists you're on first.

If you fail to do this, the users of the mailing lists you are on will kill you. And shortly afterward, the managers of the mailing lists you are on will drop you with extreme prejudice, because the last thing we want is for the active users to get slapped with garbage mail as a result of posting to our mailing lists.

Bonus points are awarded for autoreplies that happen every time, not just once for each address.

Unfortunately, it seems that it's popular to get this wrong. Possibly there's too much software out there that doesn't make the SMTP envelope sender (the Return-Path) available to autoreply agents.

(Out of office autoreplies to mailing list messages are annoying even when they just go to the administrative addresses, but that's tolerable; mailing list managers are to some extent signing up for dealing with crud, and your autoreply is at least only bugging one person. I'll tolerate stuff that merely annoys me, but I draw the line with extreme prejudice when you're annoying my users.)
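The decision an out-of-office agent should make before answering, as an added example that is not code from any particular autoresponder: reply to the SMTP envelope sender rather than the From: header, stay quiet on bounces, mailing-list and automatic traffic, and answer each address at most once. The messages and addresses are constructed.

```python
# Added example (not code from the original post): should an out-of-office
# autoreply be sent, and to whom?  Decisions are made on the SMTP envelope
# sender (MAIL FROM / Return-Path), never on the From: header, and list or
# automatic traffic is left alone.  All sample messages are constructed.
import email

_LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help")
_LIST_PRECEDENCE = {"list", "bulk", "junk"}


def should_autoreply(raw_message, envelope_from, already_replied):
    """Return (address_to_answer, reason); address is None when we stay quiet.

    envelope_from  - the SMTP MAIL FROM, e.g. '<bob@example.com>' or '<>'
    already_replied - a set the caller keeps across the absence so that each
                      address is answered once, not on every message
    """
    msg = email.message_from_string(raw_message)
    sender = envelope_from.strip().strip("<>").lower()
    if not sender:
        return None, "null envelope sender (bounce/DSN)"
    if any(msg.get(h) for h in _LIST_HEADERS):
        return None, "mailing list traffic"
    if (msg.get("Precedence") or "").strip().lower() in _LIST_PRECEDENCE:
        return None, "precedence list/bulk/junk"
    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto and auto != "no":
        return None, "auto-submitted message"
    if sender in already_replied:
        return None, "already answered this address"
    already_replied.add(sender)
    return sender, "reply"


# Constructed sample traffic.
LIST_POST = """\
From: Alice <alice@example.org>
To: users@lists.example.net
Subject: [users] question
List-Id: Users list <users.lists.example.net>
Precedence: list

Has anyone seen this?
"""
DIRECT_MAIL = """\
From: Bob Smith <bob@example.com>
To: me@example.edu
Subject: lunch?

Free on Thursday?
"""
FORWARDED = """\
From: Carol <carol@example.org>
To: me@example.edu
Subject: Fwd: thing

Relayed by Bob's script: the envelope sender is bob, not carol.
"""
BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: me@example.edu
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied

Your message could not be delivered.
"""


def run_demo():
    """Feed the four samples through in order, sharing one 'replied' set."""
    replied = set()
    return [
        should_autoreply(LIST_POST, "<users-bounces@lists.example.net>", replied),
        should_autoreply(DIRECT_MAIL, "<bob@example.com>", replied),
        should_autoreply(FORWARDED, "<bob@example.com>", replied),
        should_autoreply(BOUNCE, "<>", replied),
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The third sample is the case the post is about: its From: names Carol, but the envelope sender is Bob, who has already been answered, so nothing goes out. An agent keyed on From: would have mailed Carol, and on a list post would have mailed whoever posted last.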

BadAutoreplies written at 03:11:34

2006-07-09

Weekly spam summary on July 8th, 2006

This week, we:

  • got 13,932 messages from 204 different IP addresses.
  • handled 17,417 sessions from 865 different IP addresses.
  • received 161,727 connections from at least 52,444 different IP addresses.
  • hit a highwater of 50 connections being checked at once (hit on Friday).

This is about the same as last week, allowing for random variation. The per day table is mostly but not entirely flat, so I'm going to include it:

Day          Connections   different IPs
Sunday            20,708          +8,590
Monday            24,100          +6,710
Tuesday           23,664          +7,986
Wednesday         27,001          +9,007
Thursday          22,281          +6,807
Friday            25,757          +7,995
Saturday          18,216          +5,349

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
218.0.0.0/11           9919    485K
61.128.0.0/10          7007    367K
213.4.149.12           6328    329K
69.64.10.246           5037    235K
217.13.17.73           4932    237K
218.254.82.97          4189    201K
62.2.90.42             4155    201K
212.216.176.0/24       4030    203K
217.57.24.82           3774    181K
220.160.0.0/11         3680    182K

Volume is down from last week, only partly because the two big point sources went away, and this week the top two spots are claimed by Chinese netblocks instead of individual IP addresses.

  • 213.4.149.12 returns from last week, still with a bad HELO name.
  • 217.13.17.73 and 217.57.24.82 also have bad HELO names.
  • 69.64.10.246 was listed in the NJABL (but no longer is).
  • 218.254.82.97, a very active hkcable.com.hk cablemodem, returns from last week.
  • 62.2.90.42 is listed in the SORBS DUL list (and is currently in bl.spamcop.net).

Connection time rejection stats:

  55159 total
  29576 dynamic IP
  21628 bad or no reverse DNS
   2631 class bl-cbl
    230 class bl-njabl
    154 class bl-sdul
    135 class bl-spews
    124 class bl-sbl
     87 class bl-dsbl
     10 class bl-ordb

This is a striking jump up from last week for only a relatively moderate increase in overall connection volume. I suspect that spammers may be having their zombies get more persistent to overcome greylisting; oh well, very little lasts forever in the antispam world.

All 30 of the 30 most rejected IP addresses were rejected more than a hundred times; the champion is 218.254.82.97, with 1247 rejections, and with this latest episode it's now earned a permanent place in our kernel IP filters. 27 of the 30 are currently in the CBL, and six are in bl.spamcop.net.

Hotmail had a so-so week, and I've discovered that some of my past stats around the start of each month may have been inaccurate. This week's numbers:

  • no messages accepted.
  • 4 messages rejected because they came from non-Hotmail email addresses.
  • 14 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • no messages refused due to their origin IP address.

That's a lot of mail to our spamtraps, and I'm not too happy about it. Hotmail may be stopping spammers relatively fast, but it's clearly letting them send some spam to start with.

And the closing numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs            608 (56)                    193 (45)
Bad bounces           88 (62)                     23 (18)

Both of these are up significantly from last week, and I suspect that it's the same root cause: spammers are forging us on their spam more actively. There is no single source of bad HELOs that stands out a lot (the winner is 198.145.214.166 aka 'pascor01.Pascor.local', but with only 85 rejections).

This week sees a new 38-character hex string appear in the bad bounces, 8B407639D45C5742ADD3987F7E013C41178B66. Apart from that, there's a lot more variety this week, with 54 different usernames ranging from long-dead accounts to plausible accounts to random alphanumeric sequences like 'zfqbxbgm330'; the random alphanumerics are the predominant group. Interestingly, the only all-digit username this week was '0'.
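Sorting bounce recipients into the groups described above (current accounts, long-dead accounts, the 38-character hex strings, all-digit names, and the spammers' letters-then-digits pattern), and the RCPT-time rule that makes most of them rejectable, as an added example that is not the blog's own tooling. The account lists and the sample recipients are invented; the hex string is the one quoted in the post, and the "random alphanumeric" regular expression is a heuristic.

```python
# Added example (not the blog's own scripts): classify the local parts that
# bounces arrive for, and reject bounces to names that don't exist here.
# A bounce is a message with the null envelope sender; since we never sent
# anything from a nonexistent name, no legitimate bounce can be addressed
# to one.  Account lists and sample recipients are constructed.
import re
from collections import Counter

_HEX38 = re.compile(r"^[0-9a-f]{38}$")
# Heuristic for the "letters with a few digits at the end" pattern.
_RANDOM_ALNUM = re.compile(r"^[a-z]{5,}\d{1,4}$")


def classify_local_part(user, current_users, former_users):
    """Return one of: current, former, hex38, numeric, random-alnum, other."""
    u = user.lower()
    if u in current_users:
        return "current"
    if u in former_users:
        return "former"
    if _HEX38.match(u):
        return "hex38"
    if u.isdigit():
        return "numeric"
    if _RANDOM_ALNUM.match(u):
        return "random-alnum"
    return "other"


def bounce_rcpt_verdict(envelope_from, rcpt_local_part, current_users):
    """RCPT TO decision for backscatter: only current users may receive bounces."""
    if envelope_from.strip().strip("<>") != "":
        return "accept"          # not a bounce; normal recipient checks apply
    if rcpt_local_part.lower() in current_users:
        return "accept"
    return "reject: bounce to nonexistent user"


def tally_bounce_targets(local_parts, current_users, former_users):
    """Counts per class plus the most-hit names, as in the weekly posts."""
    classes = Counter(
        classify_local_part(u, current_users, former_users) for u in local_parts
    )
    most_hit = Counter(u.lower() for u in local_parts).most_common(3)
    return classes, most_hit


# Constructed data: 'noreply' is deliberately not a real account here.
CURRENT_USERS = {"cks", "postmaster"}
FORMER_USERS = {"books", "oldgrad"}
SAMPLE_RCPTS = [
    "noreply", "noreply", "noreply", "books", "zfqbxbgm330", "qwertyuz7",
    "35", "0", "8B407639D45C5742ADD3987F7E013C41178B66", "plausible.name",
]


if __name__ == "__main__":
    classes, most_hit = tally_bounce_targets(SAMPLE_RCPTS, CURRENT_USERS, FORMER_USERS)
    print(dict(classes), most_hit)
    for rcpt in ("cks", "noreply", "zfqbxbgm330"):
        print(rcpt, "->", bounce_rcpt_verdict("<>", rcpt, CURRENT_USERS))
```

Bounces to former accounts are rejected too: the account is gone, so any bounce for it is a response to a forgery.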

SpamSummary-2006-07-08 written at 02:37:13

2006-07-02

Weekly spam summary on July 1st, 2006

This week, we:

  • got 14,343 messages from 220 different IP addresses.
  • handled 18,078 sessions from 864 different IP addresses.
  • received 140,437 connections from at least 48,849 different IP addresses.
  • hit a highwater of 50 connections being checked at once (hit on Tuesday).

Unlike last week, we don't seem to have been hit with any particular spam fireworks for this Canada Day; volume is down, although not quite reaching what I consider an ordinary baseline these days. Per day:

Day          Connections   different IPs
Sunday            20,286          +8,834
Monday            26,389          +9,037
Tuesday           26,853          +9,416
Wednesday         17,032          +5,459
Thursday          20,850          +6,415
Friday            17,985          +6,091
Saturday          11,042          +3,597

People clearly poked us more than usual on Monday and Tuesday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
204.202.15.55         38386   1894K
204.202.252.105       12076    596K
213.4.149.12           9045    470K
218.0.0.0/11           7052    349K
218.254.82.97          6696    321K
204.202.22.191         6303    311K
61.128.0.0/10          6228    315K
212.216.176.0/24       5260    268K
199.239.233.177        4972    245K
220.160.0.0/11         4250    215K

I believe we have a new champion for persistence here, and things are overall up from last week.

  • 204.202.15.55, 204.202.252.105, and 204.202.22.191 tried to send us phish spam. Evidently a lot of phish spam.
  • 199.239.233.177 returns from last week, still shoveling the phish spam at us.
  • 213.4.149.12 is a terra.es machine with a bad HELO name. terra.es used to make these summaries on a regular basis (most recently here), but hasn't popped up in a while.
  • 218.254.82.97 returns from last week, still a hkcable.com.hk cablemodem.

Given this pattern, I have to wonder if some phish spammer is doing a mass scan of 204.202/16 looking for vulnerable systems to exploit. All three machines appear to be running 'Sendmail 8.13.6.20060614/8.13.1' on FreeBSD/i386 (and all three have telnet open).

Connection time rejection stats:

  42233 total
  19515 bad or no reverse DNS
  18590 dynamic IP
   2549 class bl-cbl
    170 class bl-sdul
    153 class bl-dsbl
    101 class bl-njabl
     93 class bl-ordb
     84 class bl-sbl
     46 class bl-spews

Oddly the total rejections are up from last week (along with the usual suspects of the top three individual reasons), despite overall connections being down.

Fifteen of the top 30 most rejected IP addresses were rejected more than 100 times, with the top one being 221.215.146.150 (217 times, for having no reverse DNS). 22 of the top 30 are currently in the CBL and five are currently listed in bl.spamcop.net.

Hotmail is even quieter this week:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 5 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • no messages refused due to their origin IP address.

Of course, this is still six to nothing against Hotmail; whatever spam filtering they're doing is certainly not even close to 100% yet. (Especially given the one that was refused because it had already hit our spamtraps, since that shows that a spammer was able to keep on using Hotmail to spam more than once.)

And the closing numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs            193 (45)                    420 (48)
Bad bounces           23 (18)                     18 (17)

Bad HELOs are nicely down this week (despite the terra.es machine, which illustrates the danger of reading too much into these numbers since they can fluctuate depending on when exactly I hurl people into the kernel level blocks). Ironically, some of the most active bad HELOs are misconfigured internal machines here.

Almost all of the bad bounces this week are to old usernames that used to exist here (or things that look enough like it to fool my memory about our old logins). There are three bounces to noreply, two bounces to the first 38-character hex string and one to 88.

SpamSummary-2006-07-01 written at 02:21:17
