Wandering Thoughts archives

2006-08-26

Weekly spam summary on August 26th, 2006

Unfortunately, the SMTP listener was terminated for some reason Friday at 1pm, so some of the weekly stats are going to be way off. But having said that, there are some alarming numbers this week:

  • got 12,863 messages from 215 different IP addresses.
  • handled 19,196 sessions from 1,271 different IP addresses.
  • received 201,196 connections from at least 9,670 different IP addresses since Friday at 1pm.
  • hit a highwater of 5 connections being checked at once.

As of early Friday morning, we had had 118,411 connections from at least 35,756 different IP addresses, which would have put us more or less on course to be around last week apart from the surge. The surge has happened today, with 186,583 connections so far; evidently there is a spam storm on. Again.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
80.65.49.38           16707   1002K
218.0.0.0/11          15778    760K
203.98.72.39          10802    549K
213.4.149.12           9769    508K
200.68.120.76          4083    245K
61.128.0.0/10          3648    193K
216.240.128.98         3564    181K
221.186.189.8          3184    162K
212.216.176.0/24       3178    158K
203.250.131.121        2400    144K

Overall this is up significantly from last week, with three sources over 10,000 packets and one pretty close to it.

  • 80.65.49.38 returns from last week, but this time around we blocked it for having bad reverse DNS. It's probably still trying to send us spam, though.
  • 203.98.72.39, 200.68.120.76, and 221.186.189.8 have bad or missing reverse DNS.
  • 213.4.149.12 returns from last week and many previous weeks. The people at terra.es are nothing if not persistent with their bad HELO names.
  • 216.240.128.98 is on the CBL, as well as various other places.
  • 203.250.131.121 kept trying to send us mail from an address that had already mailed our spamtraps.

Connection time rejection stats:

  35854 total
  17979 dynamic IP
  14529 bad or no reverse DNS
   2055 class bl-cbl
    355 class bl-dsbl
    159 class bl-sbl
    149 class bl-sdul
    147 class bl-njabl
     68 class bl-spews
     64 class bl-ordb

Six of the top 30 most rejected IP addresses were rejected 100 times or more, with the winner being 66.127.96.194 (197 times, for being a PacBell DSL line, and it's also in the CBL). 21 of the top 30 are currently in the CBL, 8 are currently in bl.spamcop.net, and one is in the SBL.
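As an added illustration (not code from Wandering Thoughts or its mail system), here is a small model of the connection-time checks whose tallies appear above: a reverse DNS check with forward confirmation, a dynamic-hostname rule, and DNSBL lookups for the 'class bl-*' categories. The zone names, hostname pattern and DNS data are assumptions; the resolver is an in-memory table so it runs offline.

```python
import ipaddress
import re
from collections import Counter

# Assumed DNSBL zones behind the "class bl-*" tallies; a real MTA config names its own.
DNSBL_ZONES = {"bl-cbl": "cbl.abuseat.org", "bl-sbl": "sbl.spamhaus.org",
               "bl-spamcop": "bl.spamcop.net"}
# Constructed hostname patterns standing in for the "dynamic IP" rule.
DYNAMIC_RE = re.compile(r"(^|[.-])(dsl|dyn|dhcp|cable|ppp)[0-9]*[.-]", re.I)

def reverse_octets(ip: str) -> str:
    """1.2.3.4 -> 4.3.2.1, the label order used by in-addr.arpa and DNSBL zones."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def classify(ip: str, resolver) -> str:
    """Rejection reason for one connecting IP, or 'accepted'.
    resolver(name, rrtype) returns a list of answer strings ([] when absent)."""
    rev = reverse_octets(ip)
    ptrs = resolver(rev + ".in-addr.arpa", "PTR")
    if not ptrs:
        return "bad or no reverse DNS"
    host = ptrs[0].rstrip(".")
    # Forward-confirm the PTR: the name must resolve back to the connecting IP.
    if ip not in resolver(host, "A"):
        return "bad or no reverse DNS"
    if DYNAMIC_RE.search(host):
        return "dynamic IP"
    for cls, zone in DNSBL_ZONES.items():
        # A listing answers with a 127.0.0.0/8 address; NXDOMAIN (here []) means not listed.
        if any(a.startswith("127.") for a in resolver(f"{rev}.{zone}", "A")):
            return f"class {cls}"
    return "accepted"

def tally(ips, resolver):
    """Aggregate per-connection verdicts into (reason, count) rows, largest first."""
    return Counter(classify(ip, resolver) for ip in ips).most_common()

# Constructed DNS data (TEST-NET-1 addresses) so the example runs offline.
SAMPLE_DNS = {
    ("20.2.0.192.in-addr.arpa", "PTR"): ["dsl-20.example.net."],
    ("dsl-20.example.net", "A"): ["192.0.2.20"],
    ("30.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org."],
    ("mail.example.org", "A"): ["192.0.2.30"],
    ("30.2.0.192.cbl.abuseat.org", "A"): ["127.0.0.2"],   # CBL listing
    ("40.2.0.192.in-addr.arpa", "PTR"): ["mx.example.com."],
    ("mx.example.com", "A"): ["192.0.2.40"],
    ("50.2.0.192.in-addr.arpa", "PTR"): ["host.example.net."],
    ("host.example.net", "A"): ["192.0.2.99"],           # PTR does not forward-confirm
}   # 192.0.2.10 has no entries at all: no reverse DNS

def sample_resolver(name: str, rrtype: str) -> list:
    return SAMPLE_DNS.get((name, rrtype), [])
```

Feeding a week's worth of connecting addresses through tally() gives rows in the same shape as the rejection stats above; the order of the checks is a modelling choice here, since the page sorts its tallies by count rather than by check order.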

If you guess that the SBL-listed IP address belongs to 'Cutting Edge Media', just like the last two weeks, you win a modest No-Prize. This week it was 208.32.133.156 that made the list, still part of SBL45150, and the other IP addresses seem to have given up.

The top six SBL listings by rejections, with commentary:

Count  Listing   Notes
   67  SBL45150  Cutting Edge Media
   24  SBL45512  Oh the embarrassment; this spam server farm is based in Toronto
   15  SBL43698  Part of Wanadoo Jordan. There's Wanadoo again. (See last week.)
   14  SBL44886  Listed for being a phish site (in July). Apparently it sends email too.
   11  SBL44142  Brazilian spam source.
   10  SBL21868  Advance fee fraud from a Brazilian webmail place.

For all that I harsh on various foreign countries for being heavy spam sources, it's worth noting that the top two SBL rejection sources are North American.

(I'm Canadian, so I get to not count the US as a 'foreign country' in things like this.)

As expected, Hotmail's numbers have shifted this week:

  • 6 messages accepted, at least one of which was spam.
  • No messages rejected because they came from non-Hotmail email addresses.
  • 42 messages sent to our spamtraps.
  • 33 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one for being from Telkom SA/SAIX, one for being from Ghana Telcom).

This is a dramatic jump from last week's numbers, and I am hoping that this is not the start of a trend.

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            1557             110          610              54
Bad bounces           322             284           34              33

Evidence suggests that spammers have been forging various University of Toronto domains as the origin address of their spam a lot this past week. No particular source of bad HELO names stands out a lot, and almost all of the bad bounces were to random alphabet soup usernames that got one bounce per username.

SpamSummary-2006-08-26 written at 23:03:52

2006-08-24

How not to get our business

From email sent to the University of Toronto's InterNIC WHOIS contact email address recently, from one vals@capris.com:

Good evening,

Our site monitoring software has alerted us that someone from your organization was doing a search on Google.ca for "Toronto collocation" and you visited our site, [deleted].

I was just wondering if your search was successful and if we can help you with your current or future hosting or collocation needs?

[...]

Val Slastnikov
Director, Strategic Alliances

The Capris Group

Yes, certainly, the best way to persuade people at the University of Toronto to do business with you is to spam them. And it definitely looks clueful to ask the InterNIC WHOIS contact for an organization with, oh, 60,000 people or so using its network if some random search was successful. And finally there is the chutzpah of offering hosting and colocation services to one of Canada's largest universities.

(I am assuming, generously, that there was a real search. I am an optimist. Also, I'm sure that this is more or less automated spam, so that no thinking human being ever looked at who it was being sent to. Which is yet another way to impress us with your attention to detail, or lack thereof.)

Unfortunately they have their own ASN and /22 (204.10.240.0/22, AS 33162, which is also where the email came from), so I suspect that my request to their upstream to do something about this is going to be ignored. (But then, this is nothing new.)

HowNotToGetOurBusiness written at 10:59:46

2006-08-19

Weekly spam summary on August 29th, 2006

The SMTP listener crashed and was restarted around Wednesday at 2am, so some of the statistics are short this week. That said, this week we:

  • got 12,378 messages from 234 different IP addresses.
  • handled 17,251 sessions from 822 different IP addresses.
  • received 87,872 connections from at least 29,223 different IP addresses since Wednesday at 2am.
  • hit a highwater of 6 connections being checked at once, since Wednesday at 2am.

It looks like we had around 140,000 connections this week in total, which is up from last week. The other volume stats are about the same.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          18633    969K
80.65.49.38            7820    469K
218.0.0.0/11           5254    256K
64.75.176.18           4974    253K
61.128.0.0/10          4500    230K
196.15.9.55            3420    150K
72.244.103.210         2765    129K
220.160.0.0/11         2096    105K
82.127.59.99           2073   99504
193.252.22.158         2059    124K

  • 213.4.149.12 is our poster spike baby, jumping into clear first place this week after only coming in second last week.
  • 80.65.49.38 and 64.75.176.18 kept trying to send us stuff that had already hit our spamtraps.
  • 196.15.9.55 had bad reverse DNS (it's also currently in SORBS).
  • 72.244.103.210 is a Covad machine we consider to be a 'dialup', seen before back in July. Evidence suggests that it would have also been rejected for a bad HELO name.
  • 82.127.59.99 is a Wanadoo France dialup. The heat death of the universe will happen before we talk to them.
  • 193.252.22.158 is smtp1.wanadoo.co.uk, and is in SPEWS as S703 because, surprise surprise, it is spewing advance fee fraud spam.

(You might suspect that I have a low opinion of all Wanadoo properties. You would be correct.)

Connection time rejection stats:

  29928 total
  14000 dynamic IP
  12304 bad or no reverse DNS
   1492 class bl-cbl
    645 class bl-njabl
    229 class bl-spews
    211 class bl-sbl
    205 class bl-sdul
    173 class bl-ordb
    114 class bl-dsbl

This is down somewhat from last week.

Six out of the top 30 most rejected IP addresses this week were rejected 100 times or more, with the champion being 196.15.9.55 (360 times). 16 of the top 30 are currently in the CBL, 11 are currently in bl.spamcop.net, and two are in the SBL.

The SBL sources are the same as last week: 208.32.133.155 and 208.32.133.156, our friends 'Cutting Edge Media', SBL45150. Between the two of them they accounted for just over half of the SBL hits this week. Personally, I am hoping that they go away soon.

Hotmail is not making me any happier this week:

  • 6 messages accepted, at least three of which were spam.
  • 7 messages rejected because they came from non-Hotmail email addresses.
  • 13 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being a SAIX/Telkom SA DSL line.

Next week will likely see a drastic reduction in the 'non-Hotmail email addresses' category but an equivalent increase elsewhere, since I have just decided to accept hotmail.fr and hotmail.co.uk email from Hotmail's mail servers. (I may regret this.)

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             610              54          301              44
Bad bounces            34              33           25              23

Unfortunately the biggest source of bad HELO names this week was a University of Toronto machine that I may need to hunt down and get fixed.

Bad bounces went to 23 different usernames this week, in the usual variety: some old ones, some vaguely plausible usernames, and some random alphanumeric jumbles.

SpamSummary-2006-08-19 written at 23:06:12

2006-08-12

Weekly spam summary on August 12th, 2006

This week, we:

  • got 12,152 messages from 212 different IP addresses.
  • handled 16,255 sessions from 790 different IP addresses.
  • received 124,287 connections from at least 41,964 different IP addresses.
  • hit a highwater of 6 connections being checked at once.

This is down from last week. I don't expect it to stay that way, although I can hope that spammers take August vacations too. Speaking of vacations, the per day table is interesting this week:

Day         Connections  different IPs
Sunday           20,728         +7,446
Monday           22,408         +7,310
Tuesday          20,438         +6,516
Wednesday        18,853         +6,445
Thursday         17,164         +5,448
Friday           15,252         +5,560
Saturday          9,444         +3,239

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
204.200.222.245       10466    516K
213.4.149.12           8151    424K
204.200.195.72         7544    372K
210.245.60.162         7294    322K
217.224.0.0/13         3555    171K
62.212.90.203          3374    167K
200.46.151.14          3193    149K
61.128.0.0/10          3079    154K
80.128.0.0/12          3037    154K
195.39.69.48           2688    161K

Although the high is lower, overall this is up from last week.

  • 204.200.222.245 and 204.200.195.72 got blocked for hammering on us with stuff that had already hit spamtraps, probably phish spam.
  • 213.4.149.12 (bad HELO), 210.245.60.162 (bad reverse DNS), and 62.212.90.203 (bad reverse DNS) return from last week.
  • 200.46.151.14 is an IP address in Panama without reverse DNS.

Connection time rejection stats:

  31230 total
  13988 bad or no reverse DNS
  13858 dynamic IP
   2242 class bl-cbl
    204 class bl-njabl
    147 class bl-sbl
    141 class bl-sdul
     95 class bl-dsbl
     77 class bl-ordb
     18 class bl-spews

I am starting to get curious about why the NJABL is such a consistently good performer for us. (Admittedly it is not by much compared to the CBL, but still.)

Only three out of the top 30 most rejected IP addresses were refused more than 100 times this week; the winner is 69.244.42.28 (135 rejections, a Comcast cablemodem that is on a lot of DNSbls). 24 of the top 30 are currently in the CBL, 8 are currently in bl.spamcop.net, and one is in the SBL.

The one in the SBL appears to be a genuine spammer: 208.32.133.155, 'Cutting Edge Media', SBL45150 (which lists the entire /24). It provided 61 of the SBL hits this week; the big other contributors are 194.165.130.93 (22 hits, SBL43698, caught scanning for vulnerable webforms that spammers exploit), 194.85.87.50 (13 hits, SBL41338, spam source), and 208.32.133.156 (11 hits, also Cutting Edge Media and SBL45150).

Hotmail slid right downhill this week:

  • 1 message accepted, and it was almost certainly spam.
  • 8 messages rejected because they came from non-Hotmail email addresses.
  • 15 messages sent to our spamtraps.
  • 4 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one for being SBL42606, and 196.207.1.214 for being in the CBL (among other problems)).

I'm not impressed.

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             301              44          474              42
Bad bounces            25              23           28              25

And another week closes without any bounces trying to go to those mysterious 38-character hex strings.

SpamSummary-2006-08-12 written at 22:00:20

2006-08-11

An unhappy spam milestone

I have to finally admit it: I have stopped complaining about spam. More precisely, I've stopped writing and sending complaints about spam to the ISPs that they come from.

This is because I've pretty much given up hoping that a complaint to the theoretically responsible ISP is at all worth my time and will produce any meaningful results. I am tired of writing more or less form letters to tell ISPs that they have yet another phish spammer, yet another clueless free webmail provider spewing advance fee fraud, yet another advance fee fraud spam dropbox, etc etc etc.

The only thing I do these days when we get spam is block the sending source, following a one strike (at most) and you're out policy.

(Especially for webmail providers, because there is no hope that they are going to get any better than their current wretched state. Indeed, if I had a decent list of free webmail providers, I would preemptively block pretty much all of them.)

I'm sad about it. There was a day when writing spam complaints did not feel like a futile waste of time, and it was not so long ago, and I would like that Internet back.

UnhappyMilestone written at 15:38:14

2006-08-05

Weekly spam summary on August 5th, 2006

This week, we:

  • got 12,245 messages from 230 different IP addresses.
  • handled 16,343 sessions from 801 different IP addresses.
  • received 141,499 connections from at least 42,169 different IP addresses.
  • hit a highwater of 7 connections being checked at once.

This is down slightly from last week. We will probably see variations in accepted messages all August, since this is both doldrums and panic time at universities. The per day figures:

Day         Connections  different IPs
Sunday           18,437         +6,800
Monday           23,100         +7,321
Tuesday          20,005         +6,048
Wednesday        19,753         +5,055
Thursday         21,940         +6,772
Friday           24,820         +6,628
Saturday         13,444         +3,545

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
203.62.232.83         14645    745K
213.4.149.12           6550    341K
210.245.60.162         5705    254K
62.212.90.203          3219    159K
220.160.0.0/11         2743    138K
212.216.176.0/24       2542    128K
61.128.0.0/10          2375    119K
213.129.201.64         2208    106K
218.0.0.0/11           2199    110K
80.128.0.0/12          2148    108K

The top is up a lot but the rest is down a bit from last week.

  • 203.62.232.83 and 210.245.60.162 are APNIC IP addresses with no reverse DNS; the former in Australia, the latter in Vietnam (and on bl.spamcop.net).
  • 213.4.149.12 (bad HELO), 62.212.90.203 (bad reverse DNS), and 213.129.201.64 (bad HELO) return from last week.

Connection time rejection stats:

  34294 total
  17031 dynamic IP
  13730 bad or no reverse DNS
   2243 class bl-cbl
    251 class bl-njabl
    190 class bl-sdul
    105 class bl-sbl
    102 class bl-ordb
     97 class bl-spews
     61 class bl-dsbl

Out of the 30 most rejected IP addresses, 3 were rejected more than 100 times; 66.168.202.47 (763 times, charter.com cablemodem, on the CBL et al), 210.245.60.162 (195 times), and 221.127.187.13 (129 times, Hong Kong with no reverse DNS, on the CBL et al). 16 of the top 30 are currently in the CBL, and 8 are currently in bl.spamcop.net.

Hotmail has slightly improved from last week:

  • no messages accepted.
  • 6 messages rejected because they came from non-Hotmail email addresses.
  • 11 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • no messages refused due to their origin IP address.

As with last week, all of the 'non-Hotmail email addresses' are other Hotmail properties. While less suggestive than last week's, none of the usernames fill me with great joy and confidence that they are real people (or at least real people located somewhere besides a Nigerian cybercafe).

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             474              42          528              44
Bad bounces            28              25           38              26

This week, there are no really outstanding sources of bad HELO names (and, since I have looked, no really hysterically absurd ones either).

Bad bounce destinations are much like last week, and just like last week the spammer using the 38-character hex strings seems to have stayed gone. I have to confess I sort of miss them; they injected a certain dose of surreality into the proceedings.

SpamSummary-2006-08-05 written at 23:00:40
