Wandering Thoughts archives

2006-09-30

Weekly spam summary on September 30th, 2006

This week, we:

  • got 15,751 messages from 307 different IP addresses.
  • handled 19,911 sessions from 1,047 different IP addresses.
  • received 154,477 connections from at least 38,870 different IP addresses.
  • hit a highwater of 9 connections being checked at once.

This is all about the same level as last week, or at most down a little bit. Oddly, we show a bit of a volume jump towards the end of the week:

Day          Connections   different IPs
Sunday            18,432          +4,543
Monday            23,737          +5,895
Tuesday           21,888          +5,077
Wednesday         21,793          +5,414
Thursday          24,042          +6,914
Friday            25,216          +6,556
Saturday          19,369          +4,471

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          56881   2958K
212.130.19.148         6818    347K
193.252.22.158         4744    285K
195.130.132.54         3380    203K
213.129.201.64         3189    153K
86.7.241.201           3188    153K
80.51.32.242           3132    188K
194.165.146.156        2988    143K
218.0.0.0/11           2897    141K
213.180.130.35         2742    165K

Apart from first place, this is about the same sort of volume as last week.

  • 213.4.149.12 continues its stranglehold on first place from last week.
  • 212.130.19.148, 193.252.22.158, and 80.51.32.242 also return from last week.
  • 195.130.132.54 did the now-usual thing of trying to keep sending us stuff that had already hit our spamtraps.
  • 213.129.201.64 reappears from August, still with a bad HELO greeting.
  • 86.7.241.201 is an NTL cablemodem.
  • 194.165.146.156 is a 'Wanadoo Jordan' IP address with no reverse DNS (and also is in relays.ordb.org).
  • 213.180.130.35 is a poczta.onet.pl machine, and we don't talk to them.

Connection time rejection stats:

  34465 total
  17779 dynamic IP
  13422 bad or no reverse DNS
   1868 class bl-cbl
    403 class bl-dsbl
    215 class bl-sdul
    153 class bl-njabl
    130 class bl-spews
     45 class bl-ordb
     23 cuttingedgemedia.com
     16 class bl-sbl

Twelve out of the top 30 most rejected IP addresses were rejected 100 times or more, with the champion being 72.66.49.214 (196 times, for being a Verizon dynamic IP). 18 of the top 30 are currently in the CBL, and 9 are currently in bl.spamcop.net; this week, none are in the SBL.

This week's Hotmail stats are reasonably good:

  • 9 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 28 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • no messages refused due to their origin IP address.

Seven of the accepted messages were legitimate, but the remaining two were advance fee fraud spam (sent from 219.95.240.138, a Malaysian IP address that's probably a tm.net.my ADSL line).

(The high number of actual messages is due to the usual cause: a student-facing system had a glitch and students promptly mailed in to tell people about it.)

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs               718 (66)                     495 (60)
Bad bounces             127 (88)                      60 (52)

I'm not really happy to see these numbers climbing, but at least they're not really bad; it's still at the drip-drip level instead of a flood. There are no particularly big spike sources of either, although the largest single source of bounces appears to have been a spammer trying a new trick to get their messages through.

The bounces were all over, including bounces to E7D6 and 3E4B like last week, but the majority were to made-up usernames of the form <first>_<last>, where the first and last names looked like randomly chosen female-sounding Russian names; a representative example is 'violetta_mironova'.

SpamSummary-2006-09-30 written at 23:19:57

2006-09-24

Weekly spam summary on September 23rd, 2006

This week, we:

  • got 15,623 messages from 253 different IP addresses.
  • handled 19,363 sessions from 969 different IP addresses.
  • received 166,319 connections from at least 46,095 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

This makes volume a bit up from last week. Volume fluctuates a bit during the week:

Day          Connections   different IPs
Sunday            19,635          +5,249
Monday            26,483          +7,442
Tuesday           25,539          +6,591
Wednesday         24,684          +6,159
Thursday          29,565          +9,375
Friday            24,301          +6,778
Saturday          16,112          +4,501

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          96915   5040K
193.70.192.0/24        6637    302K
193.252.22.158         4428    266K
212.130.19.148         4341    221K
194.97.50.131          4147    249K
61.128.0.0/10          3756    208K
207.44.164.58          2734    164K
80.51.32.242           2522    151K
212.175.13.129         2364    142K
194.97.50.132          2213    133K

Apart from the top IP, overall volume is down a bit from last week. Of course, that's a big 'apart from' qualification, considering that mailhost.terra.es outweighs the entire rest of the list combined.

  • 213.4.149.12 may give up someday, but evidently not this week; it reappears from last week, this time due to permanent blocks.
  • 193.252.22.158 is listed in SPEWS, plus it's a webmail source that we block. (It's made our lists before.)
  • 212.130.19.148 and 80.51.32.242 were blocked because of missing reverse DNS; their general network areas have annoyed us enough that we insist on good rDNS as a minimum standard from them.
  • 194.97.50.131 and 194.97.50.132 are freenet.de machines, blocked for trying to keep sending us spam that had hit our spamtraps. I suspect that they've fallen afoul of an advance fee fraud spam gang.
  • 207.44.164.58 also kept trying to send us stuff that had tripped our spamtraps.
  • 212.175.13.129 returns from earlier in September, still with a bad HELO greeting.

Connection time rejection stats:

  37577 total
  18701 dynamic IP
  14979 bad or no reverse DNS
   2252 class bl-cbl
    451 class bl-dsbl
    304 class bl-sdul
    167 class bl-njabl
    147 class bl-sbl
     92 class bl-spews
     75 cuttingedgemedia.com
     66 class bl-ordb

It's interesting that the SBL didn't drop compared to last week, even after I blocked Cutting Edge Media specifically so that they no longer added to the SBL stats. The SBL rejections source stats are highly skewed this week:

Count  SBL listing
   80  SBL46744
   41  SBL46750
    9  SBL46698
    7  SBL46020
    4  SBL20671

Even better, according to Spamhaus, the first two SBL listings are for the same people (I think Spamhaus split them because they're two separate subnets). In a break with the usual pattern, none of these seem to be advance fee fraud spammers.

Only three out of the top 30 most rejected IP addresses were rejected 100 times or more; the leader was 65.71.178.17 (153 times). 20 of the top 30 are currently in the CBL, 4 are currently in bl.spamcop.net, and two are currently in the SBL (217.107.125.134, part of Cutting Edge Media's SBL45150, and 217.107.125.134, part of SBL29986).

(Because they were rejected for other reasons than being in the SBL, neither shows up in the SBL rejection source table. We tend to check DNS blocklists fairly late, mostly to reduce the load on the DNSbl operators.)
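How that ordering works out in practice, as an added example that is not the frontend's own code: the checks run cheapest first, a host is counted under the first check that rejects it, and the DNSBL queries only happen for hosts that got past the local checks. DNS is stubbed out with two injected lookup functions (PTR and A) so the block runs offline; the dynamic-IP name patterns, the DNSBL zone names, and the rule that a PTR name which does not resolve back to the connecting IP counts as 'bad' reverse DNS are all assumptions, not anything these summaries state.

```python
"""Connection-time rejection checks, ordered from cheap to expensive.

Added example, not the SMTP frontend's real code.  DNS is replaced by two
injected lookup functions so it runs offline; the dynamic-IP patterns,
the DNSBL zones, and the forward-confirmation rule are assumptions.
"""
import re
from collections import Counter
from typing import Callable, Iterable, List, Optional

Lookup = Callable[[str], Optional[str]]   # name -> answer, or None for NXDOMAIN

# DNSBL zones in the order they are consulted.  The labels mirror the
# 'class bl-*' lines of the weekly stats; the zone names are assumptions.
DNSBL_ZONES = [
    ("bl-cbl", "cbl.abuseat.org"),
    ("bl-sbl", "sbl.spamhaus.org"),
    ("bl-dsbl", "list.dsbl.org"),
]

# Reverse-DNS shapes treated as dynamic/residential addresses (assumption).
DYNAMIC_PATTERNS = [
    re.compile(r"(^|[.-])(dsl|adsl|cable|dyn|dynamic|pool|dhcp|ppp)([.-]|\d)", re.I),
    re.compile(r"^\d{1,3}([-.]\d{1,3}){3}[.-]"),          # 192-0-2-11.isp.example
]


def dnsbl_name(ip: str, zone: str) -> str:
    """The name a DNSBL is queried for: IPv4 octets reversed, then the zone."""
    a, b, c, d = ip.split(".")
    return f"{d}.{c}.{b}.{a}.{zone}"


def looks_dynamic(rdns: str) -> bool:
    return any(p.search(rdns) for p in DYNAMIC_PATTERNS)


def check_connection(ip: str, ptr: Lookup, a: Lookup) -> Optional[str]:
    """Return the rejection reason for a connecting IP, or None to accept.

    Order matters.  The PTR lookup happens anyway when the session is
    logged, so the reverse-DNS checks cost nothing extra and run first.
    DNSBL queries each cost a lookup against someone else's servers, so
    they run last and only for hosts that survived everything else.  A
    consequence: a host that is both dynamic and SBL-listed is counted
    only under "dynamic IP" and never shows up in the SBL figures.
    """
    rdns = ptr(ip)
    if rdns is None:
        return "bad or no reverse DNS"
    if a(rdns) != ip:                       # PTR name must forward-confirm
        return "bad or no reverse DNS"
    if looks_dynamic(rdns):
        return "dynamic IP"
    for label, zone in DNSBL_ZONES:
        if a(dnsbl_name(ip, zone)) is not None:   # any A answer means listed
            return f"class {label}"
    return None


def summarize(connections: Iterable[str], ptr: Lookup, a: Lookup) -> Counter:
    """Tally rejections by reason in the shape of the weekly stats table."""
    counts: Counter = Counter()
    for ip in connections:
        reason = check_connection(ip, ptr, a)
        if reason is not None:
            counts["total"] += 1
            counts[reason] += 1
    return counts


# Constructed sample DNS data using documentation addresses; not real hosts.
PTR = {
    "192.0.2.10": "mail.example.org",            # clean
    "192.0.2.11": "dsl-192-0-2-11.example.net",  # dynamic, and also SBL-listed
    "192.0.2.12": "host12.example.com",          # PTR does not forward-confirm
    "192.0.2.13": "relay.example.com",           # only sin: CBL and SBL listings
    # 192.0.2.14 has no PTR record at all
}
A = {
    "mail.example.org": "192.0.2.10",
    "dsl-192-0-2-11.example.net": "192.0.2.11",
    "host12.example.com": "198.51.100.1",
    "relay.example.com": "192.0.2.13",
    dnsbl_name("192.0.2.11", "sbl.spamhaus.org"): "127.0.0.2",
    dnsbl_name("192.0.2.13", "cbl.abuseat.org"): "127.0.0.2",
    dnsbl_name("192.0.2.13", "sbl.spamhaus.org"): "127.0.0.2",
}
SAMPLE_CONNECTIONS: List[str] = [
    "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14", "192.0.2.11",
]


def run_sample() -> Counter:
    return summarize(SAMPLE_CONNECTIONS, PTR.get, A.get)


if __name__ == "__main__":
    for reason, n in run_sample().most_common():
        print(f"{n:6d} {reason}")
```

Run on its own, the block prints a tally in the same shape as the connection time rejection stats above. The point to notice is 192.0.2.11: it is both dynamic and SBL-listed, but it is counted once, under 'dynamic IP', and 192.0.2.13 is counted under the CBL rather than the SBL because the CBL is asked first; that is the same effect as the two Cutting Edge Media hosts not appearing in the SBL source table.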

The Hotmail stats for this week are:

  • 4 messages accepted, at least three of which were completely legitimate.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 16 messages sent to our spamtraps.
  • 1 message refused because its sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one from Cote D'Ivoire, one from Burkina Faso).

This is at least better than last week. (The high volume of legitimate messages is from students mailing a contact address to report a problem with one of the systems we run. Why students like free webmail providers so much is another entry.)

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs               495 (60)                     264 (42)
Bad bounces              60 (52)                      57 (51)

Evidently the bad HELO people were more persistent this week than last week; there is no single really big source, at least by my standards. (The most active is 212.42.164.253, with 90 attempts, then 64.65.197.32 with 57.)

The only unusual thing in the bad bounce usernames is a few rejections to things that could be very short hex strings; 3E4B, E7D6, and E07. But that's probably just spammer randomness in action.

SpamSummary-2006-09-23 written at 02:01:32

2006-09-21

An amusingly truthful hostname

We got email today from a machine called 'server1.ghettowebhosting.net' (IP address 72.29.85.194).

It was advance fee fraud spam. Truth in advertising strikes again!

(I have to wonder about the mindset that makes anyone name their business something like that. Especially when they are apparently a branch of 'Complet-Inet', and say they have multiple data centers with OC-48 connections; this doesn't sound too 'ghetto' to me. Of course, their front page also advertises '99% gaurantee uptime' [sic].)

TruthfulHostname written at 17:49:00

2006-09-16

Weekly spam summary on September 16th, 2006

The SMTP frontend keeled over and was restarted around 6am on Tuesday morning, so some of the statistics only cover the period from then on. Given that, this week we:

  • got 15,257 messages from 210 different IP addresses.
  • handled 17,165 sessions from 837 different IP addresses.
  • received 101,830 connections from at least 26,869 different IP addresses since Tuesday at 6am.
  • hit a highwater of 7 connections being checked at once since Tuesday at 6am.

It looks like the total connection count for this week is about 140,000 or so, which would make the total volume slightly down from last week. The per day stats don't make for a useful table, but look about flat.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          45463   2364K
82.195.157.47         10886    653K
209.172.38.189         6575    395K
82.58.96.64            5616    337K
195.34.34.232          5221    261K
218.0.0.0/11           4451    217K
61.128.0.0/10          3223    163K
193.70.192.0/24        2664    120K
216.138.229.192        2385    124K
207.245.12.2           2262    109K

Apart from the one major outlier, the volume here is pretty similar to last week.

  • 213.4.149.12, mailhost.terra.es, HELO'ing as the nonexistent and nonsensical hostname 'ctsmtpout1.frontal.correo', reappears from last week in a huge way. It has now earned a place in our permanent blocks.
  • 82.195.157.47 and 207.245.12.2 also got blocked for repeated bad HELO greetings.
  • 209.172.38.189 was blocked because it kept trying to send us stuff that had hit our spamtraps, in particular email with a MAIL FROM pointing to the domain 'opinionplus.ca'.
  • 82.58.96.64 was blocked for being in the CBL, but an inspection of its hostname shows that it's a dynamic telecomitalia.it address (and is listed in dialups.visi.com, a DNSbl I may need to consider using).
  • 195.34.34.232 and 216.138.229.192 were also blocked for hitting spamtraps and keeping on sending. The presence of 195.34.34.232 is especially impressive because it only started hitting us yesterday (Friday).
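What a HELO check of this sort can look like, as an added example rather than the frontend's real code (these summaries never say exactly which greetings count as bad, so the rules below are assumptions): the argument has to be an RFC 5321 address literal or a syntactically valid fully qualified name, and a name has to actually exist in DNS, which is the rule 'ctsmtpout1.frontal.correo' fails. DNS is an injected lookup function so the block runs offline, and the number of bad greetings it takes before a client is blocked is made up; the summaries only say that repeat offenders get blocked.

```python
"""HELO/EHLO greeting checks and per-client bad-HELO bookkeeping.

Added example, not the code behind the summaries.  The rules for what
counts as a bad HELO are assumptions; DNS is an injected lookup so the
example runs offline; the blocking threshold is made up.
"""
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

Lookup = Callable[[str], Optional[str]]   # hostname -> address, or None

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")        # two or more labels
ADDR_LITERAL_RE = re.compile(r"^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def check_helo(arg: str, resolve: Lookup) -> Optional[str]:
    """Return why the HELO argument is bad, or None if it is acceptable."""
    if not arg or len(arg) > 255:
        return "empty or overlong"
    m = ADDR_LITERAL_RE.match(arg)
    if m:
        if all(int(octet) <= 255 for octet in m.groups()):
            return None                      # "[192.0.2.5]" is allowed
        return "malformed address literal"
    if BARE_IP_RE.match(arg):
        return "bare IP address without brackets"
    if not FQDN_RE.match(arg):
        return "not a fully qualified domain name"
    if arg.rsplit(".", 1)[1].isdigit():      # top label may not be all digits
        return "numeric top-level label"
    if resolve(arg) is None:                 # e.g. 'ctsmtpout1.frontal.correo'
        return "hostname does not exist"
    return None


class HeloTracker:
    """Count bad greetings per client IP and block persistent offenders.

    totals() gives the (count, distinct IPs) pair the summaries report as
    'Bad HELOs'.  Once a client is blocked its further greetings are
    refused outright and no longer counted.
    """

    def __init__(self, resolve: Lookup, threshold: int = 5) -> None:
        self.resolve = resolve
        self.threshold = threshold           # assumption; the blog gives none
        self.bad_by_ip: Dict[str, int] = {}
        self.blocked: Set[str] = set()

    def greet(self, ip: str, helo: str) -> Optional[str]:
        """Handle one greeting; return the rejection reason or None."""
        if ip in self.blocked:
            return "client already blocked"
        reason = check_helo(helo, self.resolve)
        if reason is None:
            return None
        self.bad_by_ip[ip] = self.bad_by_ip.get(ip, 0) + 1
        if self.bad_by_ip[ip] >= self.threshold:
            self.blocked.add(ip)
        return reason

    def totals(self) -> Tuple[int, int]:
        return sum(self.bad_by_ip.values()), len(self.bad_by_ip)


# Constructed DNS data and a constructed run of greetings; 192.0.2.0/24 is
# a documentation range, not anyone's real mail server.
DNS = {"mail.example.org": "192.0.2.10"}
GREETINGS: List[Tuple[str, str]] = [
    ("192.0.2.10", "mail.example.org"),
    ("192.0.2.21", "192.0.2.21"),            # forgot the brackets
    ("192.0.2.21", "[192.0.2.21]"),          # fixed it
    ("192.0.2.22", "localhost"),
] + [("192.0.2.20", "ctsmtpout1.frontal.correo")] * 6   # the persistent one


def run_sample() -> Tuple[HeloTracker, List[Optional[str]]]:
    tracker = HeloTracker(DNS.get, threshold=5)
    results = [tracker.greet(ip, helo) for ip, helo in GREETINGS]
    return tracker, results


if __name__ == "__main__":
    tracker, results = run_sample()
    for (ip, helo), r in zip(GREETINGS, results):
        print(f"{ip:12} {helo:28} {r or 'ok'}")
    print("Bad HELOs: %d from %d distinct IPs" % tracker.totals())
```

The sixth greeting from 192.0.2.20 is refused before its HELO is even examined, which is why a blocked host stops adding to the bad HELO count; the same happens in the summaries once an IP lands in the kernel-level filters.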

Connection time rejection stats:

  27768 total
  13469 dynamic IP
  11422 bad or no reverse DNS
   1403 class bl-cbl
    395 class bl-dsbl
    221 class bl-sdul
    192 class bl-njabl
    146 class bl-sbl
    145 class bl-ordb
     34 class bl-spews

Five out of the top 30 most rejected IP addresses were rejected 100 times or more, with this week's champion being 64.166.14.222 (417 times, rejected for being a PacBell ADSL line). 19 of the top 30 are currently in the CBL, 8 are currently in bl.spamcop.net, and one, our friend 208.32.133.156 from Cutting Edge Media, is in SBL45150.

This ongoing persistence from Cutting Edge Media has now earned them a permanent personal block. (I'm tempted to make it a kernel level block, but I'm refraining for now.)

The Hotmail stats got worse from last week:

  • 4 messages accepted, at least one of which was legitimate.
  • 2 messages rejected because they came from non-Hotmail email addresses, both times from msn.com users.
  • 40 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in SBL27471.

I remain unimpressed with Hotmail, not that this is exactly news.

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs               264 (42)                     593 (80)
Bad bounces              57 (51)                     101 (91)

My biggest reaction is that this is a pleasant decline from last week, although I'm not going to hold my breath for the trend to continue. Bounces to 38-character hex string login names have gone back into hiding, to my vague regret; one treasures even one's head-scratching peculiar spam mysteries.

SpamSummary-2006-09-16 written at 23:44:04

2006-09-10

Weekly spam summary on September 9th, 2006

This week, we:

  • got 15,100 messages from 230 different IP addresses.
  • handled 18,312 sessions from 982 different IP addresses.
  • received 156,592 connections from at least 49,202 different IP addresses.
  • hit a highwater of 36 connections being checked at once, set on Saturday (today).

Message volume is up from last week, but I'm not too surprised; this is the start of classes and thus the time when all sorts of things come out of the woodwork and need to be emailed about. The per-day breakdown:

Day          Connections   different IPs
Sunday            20,556          +7,236
Monday            24,913          +8,452
Tuesday           24,521          +7,693
Wednesday         25,250          +7,693
Thursday          22,355          +6,929
Friday            21,720          +6,690
Saturday          17,277          +4,509

I suppose I shouldn't be surprised that the whatever-it-is traffic didn't take Labour Day off.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          18567    965K
193.70.192.0/24       11572    522K
218.0.0.0/11           4542    221K
61.128.0.0/10          3442    173K
209.94.172.156         2723    145K
195.39.69.48           2670    160K
200.254.87.131         2669    128K
63.204.205.50          2008    120K
221.6.101.22           1972    118K
212.175.13.129         1957    117K

Overall volume is both up (at the high end) and down (at the low end) from last week.

  • 213.4.149.12 and 212.175.13.129 both return from last week, still with bad HELO greetings.
  • 209.94.172.156 kept trying to send spam after tripping our traps.
  • 195.39.69.48 returns from August, blocked due to having no reverse DNS.
  • 200.254.87.131 and 221.6.101.22 also have no reverse DNS.
  • 63.204.205.50 is a frys.com machine. Although I suspect that it is trying to send us a backscatter bounce, it got blocked due to the behavior exhibited here.

Connection time rejection stats:

  33545 total
  16606 dynamic IP
  13517 bad or no reverse DNS
   2131 class bl-cbl
    249 class bl-njabl
    185 class bl-sbl
    166 class bl-dsbl
    131 class bl-sdul
     75 class bl-ordb
     46 class bl-spews

I have more or less given up peering into my crystal ball about the week to week connection time rejection stats unless something big changes. (Ironically, I missed the big change last week, which was the jump in the SBL's rejection rate to just behind the CBL.)

Seven of the top 30 most rejected IP addresses were rejected 100 times or more, with the champion being 200.254.87.131 (215 times), followed by 87.6.134.240 (210 times, an Interbusiness IP address that is also on the CBL et al).

22 of the top 30 most rejected IP addresses are currently in the CBL, 8 are currently in bl.spamcop.net, and 2 are currently in the SBL; both are 'Cutting Edge Media' IP addresses. Apparently those people just don't give up.

Hotmail stats this week are a bit better than last week, but worse on a personal level:

  • 2 messages accepted, both spam sent to me.
  • No messages rejected because they came from non-Hotmail email addresses.
  • 21 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • No messages refused due to their origin IP address

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs               593 (80)                    2258 (140)
Bad bounces             101 (91)                     263 (233)

Apart from the welcome reduction in these numbers, this week is pretty much the same as last week. The bad bounces did see the return of one of the 38-character hex digit login names as a destination, which makes me obscurely happy, much like Ursula Vernon spotting a botfly-infected squirrel.

SpamSummary-2006-09-09 written at 01:16:29

2006-09-02

Weekly spam summary on September 2nd, 2006

Our SMTP frontend survived all this week without problems, which was something of an accomplishment this week. Because this week, we:

  • got 13,546 messages from 227 different IP addresses.
  • handled 19,984 sessions from 1,283 different IP addresses.
  • received 1,419,542 connections from at least 52,806 different IP addresses.
  • hit a highwater of 9 connections being checked at once.

Yes, that is not a typo; this week we had a lot of SMTP connections, although none of the other numbers are up much compared to last week. It's not a continuation of the spam storm from last Saturday either, as the per-day numbers show:

Day          Connections   different IPs
Sunday            20,593          +7,285
Monday            23,676          +7,944
Tuesday           28,816          +9,029
Wednesday        252,349          +7,809
Thursday         712,787          +8,161
Friday           364,505          +7,540
Saturday          16,816          +5,038

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          10704    557K
216.64.54.146          4490    216K
61.128.0.0/10          3609    190K
218.0.0.0/11           2976    145K
204.13.82.45           2405    144K
212.216.176.0/24       2367    119K
219.128.0.0/12         2330    116K
217.224.0.0/13         2226    107K
66.112.87.66           2215    106K
212.175.13.129         2114    127K

The overall volume is down from last week, with only one entry really sticking out.

  • 213.4.149.12 returns from last week and many prior weeks.
  • 216.64.54.146, 66.112.87.66, and 212.175.13.129 had bad HELO greetings.
  • 204.13.82.45 is 'mailout45.inetekk.com'. We have had prior dealings with inetekk that make us disinclined to ever accept email from them again.

Connection time rejection stats:

  38665 total
  18228 dynamic IP
  15060 bad or no reverse DNS
   2176 class bl-cbl
   1381 class bl-sbl
    547 class bl-dsbl
    280 class bl-njabl
    251 class bl-sdul
    159 class bl-spews
     84 class bl-ordb

Oddly, despite the huge connection volume there is no real growth in these stats compared to last week. I don't have any explanation for this.

Six of the top 30 most rejected IP addresses were rejected 100 times or more, with the leader being 200.216.54.234 (197 times, rejected for having no reverse DNS). 15 of the top 30 are currently in the CBL, six are currently in bl.spamcop.net, and two are in the SBL.

Somewhat to my surprise only one of those two is our non-friends at Cutting Edge Media (this week reporting in from 208.32.133.155). The other is 213.154.92.143, which is part of SBL21128, which is a /23 listing that is (to quote the listing) '419 scam sources in Senegal'. For extra displeasure, this listing was created November 14th, 2004.

Hotmail's stats this week are an improvement over last week:

  • 1 message accepted.
  • 1 message rejected because it came from a non-Hotmail email address; it was pretty certain to have been advance fee fraud spam.
  • 25 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one for being in the CBL, one for being from Cote d'Ivoire).

And the final numbers:

what           # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs              2258 (140)                   1557 (110)
Bad bounces             263 (233)                    323 (285)

There were four people who sent 100 or more bad HELOs before being blocked, but the volume seems to be more or less fairly distributed; there are no single runaway sources.

The most popular bad username to send stuff to continues to be 'noreply', which perhaps shouldn't be surprising. In aggregate, the most popular bounce destination is random alphabetic strings, each one used only one time.
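A small classifier for bounce destinations, as an added example and not the blog's own code. It takes a bad bounce to be a null-sender message (MAIL FROM:<>) aimed at a local user who does not exist, which is backscatter from spam forged to look like it came from here, and sorts the local parts into the shapes these summaries keep remarking on: 'noreply' and the one-off alphabetic strings from this week, the short hex strings such as E7D6 and 3E4B and the 38-character ones from the September 16th and 9th summaries, and the first_last name pairs like violetta_mironova from the September 30th summary. The sessions, the list of valid users, and the shape categories themselves are constructed for the example.

```python
"""Finding 'bad bounces' and sorting their destinations by shape.

Added example, not the code behind the summaries.  The definition of a
bad bounce (null sender, nonexistent local user) and the shape
categories are assumptions drawn from the usernames the summaries list.
"""
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Set, Tuple


class Session(NamedTuple):
    client_ip: str
    mail_from: str      # "" is the null reverse path
    rcpt_local: str     # local part of the RCPT TO address


HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
FIRST_LAST_RE = re.compile(r"^[a-z]+_[a-z]+$")
ALPHA_RE = re.compile(r"^[A-Za-z]+$")
AUTOMATED = {"noreply", "no-reply", "donotreply", "bounce", "bounces"}


def classify_localpart(local: str) -> str:
    """Name the shape of a bounce destination's local part."""
    low = local.lower()
    if low in AUTOMATED:
        return "automated-sender name"
    # All-hex names that contain a digit (or are long) are treated as hex
    # strings; a short all-letter name like 'abe' is just a word.
    if HEX_RE.match(local) and (any(ch.isdigit() for ch in local) or len(local) >= 8):
        return f"{len(local)}-char hex string"
    if FIRST_LAST_RE.match(low):
        return "first_last name pair"
    if ALPHA_RE.match(local):
        return "alphabetic string"
    return "other"


def bad_bounces(sessions: Iterable[Session], valid_users: Set[str]) -> List[Session]:
    """Bounces (null sender) aimed at users we do not have."""
    return [s for s in sessions
            if s.mail_from == "" and s.rcpt_local.lower() not in valid_users]


def summarize(sessions: Iterable[Session], valid_users: Set[str]) -> Tuple[int, int, Counter]:
    """(bad bounce count, distinct client IPs, shape tally): the summaries' numbers."""
    bad = bad_bounces(sessions, valid_users)
    shapes = Counter(classify_localpart(s.rcpt_local) for s in bad)
    return len(bad), len({s.client_ip for s in bad}), shapes


# Constructed sessions from documentation-range addresses; not real traffic.
VALID_USERS = {"alice", "bob", "postmaster", "webmaster"}
SESSIONS = [
    Session("192.0.2.31", "", "violetta_mironova"),
    Session("192.0.2.31", "", "E7D6"),
    Session("192.0.2.32", "", "3E4B"),
    Session("192.0.2.33", "", "noreply"),
    Session("192.0.2.34", "", "qzxkwe"),
    Session("192.0.2.37", "", "0123456789abcdef0123456789abcdef012345"),
    Session("192.0.2.35", "", "alice"),                          # real bounce, real user
    Session("192.0.2.36", "sender@example.net", "nosuchuser"),   # not a bounce at all
]


def run_sample() -> Tuple[int, int, Counter]:
    return summarize(SESSIONS, VALID_USERS)


if __name__ == "__main__":
    n, ips, shapes = run_sample()
    print(f"Bad bounces: {n} from {ips} distinct IPs")
    for shape, count in shapes.most_common():
        print(f"{count:4d} {shape}")
```

The two sessions that are not counted are the interesting ones: a null-sender message to a real user is an ordinary bounce and must be accepted, and ordinary mail to a nonexistent user is rejected for a different reason and belongs in a different column. Only the overlap, null sender plus nonexistent user, is backscatter.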

SpamSummary-2006-09-02 written at 23:40:34

