Wandering Thoughts archives

2006-10-31

An Internet rule of thumb

Any Internet protocol change that requires everyone's participation is dead on arrival.

This often applies to would-be antispam efforts such as SPF.

(Superficially, SPF looks like it is an isolated thing that only involves the sender having SPF records and the receiver checking them. It's not, and the way it requires everyone's participation is illustrated by the need for the Sender Rewriting Scheme.)
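To make the forwarding problem concrete, here is an added illustration that is not part of the original post: a toy SPF evaluator plus a simplified SRS0 rewrite. The SPF records, IP addresses and the shortened HMAC tag are constructed assumptions, not real published data or the real SRS hash scheme.

```python
import hashlib
import hmac
import ipaddress

# Constructed SPF records (assumption: toy data for this example only).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.10 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.5 -all",
}
SRS_SECRET = b"constructed-forwarder-secret"  # assumption: demo key


def spf_check(sender_ip, mail_from):
    """Minimal SPF: only ip4: mechanisms and the 'all' default are handled."""
    record = SPF_RECORDS.get(mail_from.rsplit("@", 1)[1])
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return "pass"
        if mech.endswith("all"):
            return {"-all": "fail", "~all": "softfail"}.get(mech, "neutral")
    return "neutral"


def _srs_tag(body):
    # Simplified: real SRS uses base32 of the HMAC; a short hex tag is enough here.
    return hmac.new(SRS_SECRET, body.encode(), hashlib.sha1).hexdigest()[:4].upper()


def srs_forward(mail_from, forwarder_domain, timestamp="TT"):
    """Rewrite the envelope sender so it lives in the forwarder's own domain."""
    local, domain = mail_from.rsplit("@", 1)
    body = f"{timestamp}={domain}={local}"
    return f"SRS0={_srs_tag(body)}={body}@{forwarder_domain}"


def srs_reverse(srs_address):
    """Undo the rewrite (for bounces), refusing addresses with a bad tag."""
    local, _ = srs_address.rsplit("@", 1)
    tag, sig, ts, orig_domain, orig_local = local.split("=", 4)
    body = f"{ts}={orig_domain}={orig_local}"
    if tag != "SRS0" or not hmac.compare_digest(sig, _srs_tag(body)):
        raise ValueError("bad SRS signature")
    return f"{orig_local}@{orig_domain}"


def forwarding_demo():
    """Naive forwarding fails SPF at the final hop; SRS-rewritten forwarding passes."""
    original, forwarder_ip = "alice@example.com", "198.51.100.5"
    naive = spf_check(forwarder_ip, original)
    rewritten = srs_forward(original, "forwarder.example")
    return naive, spf_check(forwarder_ip, rewritten), srs_reverse(rewritten)
```

The forwarder in the middle, not the sender or the final receiver, is the party that has to change; that is the "everyone's participation" the rule of thumb refers to.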

AnInternetRule written at 14:32:17

2006-10-28

Weekly spam summary on October 28th, 2006

This week, we:

  • got 14,982 messages from 288 different IP addresses.
  • handled 21,920 sessions from 1,294 different IP addresses.
  • received 193,231 connections from at least 46,305 different IP addresses.
  • hit a highwater of 11 connections being checked at once.

This is pretty much the same as last week. On a global scale it is up from what I consider an acceptably quiet level, but looking back a year it seems to be about the same as this time last year.

(It's a peculiar feeling to be reminded that I've been doing these weekly spam summaries for well over a year now.)

Day         Connections   different IPs
Sunday           28,770          +7,102
Monday           28,790          +7,501
Tuesday          28,965          +7,305
Wednesday        26,112          +6,170
Thursday         30,102          +7,019
Friday           29,286          +6,201
Saturday         21,206          +5,007

The per day table is relatively straightforward, although there is a dip on Wednesday. As usual, I have no explanation for any of this.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          25115   1306K
128.121.122.36        24818   1224K
217.64.193.21         22088   1325K
65.164.104.5          11936    716K
72.244.103.210         7878    369K
213.29.7.133           6171    370K
195.128.174.109        5313    262K
212.184.12.130         5070    243K
61.128.0.0/10          4683    249K
193.252.22.158         4194    252K

On the kernel blocks front, things are significantly more active than they were last week, although our leader keeps slowly declining.

  • 213.4.149.12, 72.244.103.210, and 212.184.12.130 all return from last week, and for the same reasons (although looking back, I got a bit of my identification of 212.184.12.130 wrong; 212/8 is a RIPE netblock, not an APNIC one).
  • 128.121.122.36 is affiliatecrew.com, which kept trying to hammer on us with mail that had already hit our spamtraps. Given their domain name, I am pretty sure that I don't want to talk to them anyways.
  • 217.64.193.21 is an Italian IP address with no reverse DNS.
  • 65.164.104.5 was blocked for blasting our postmaster alias with backscatter from viruses.
  • 213.29.7.133 is a centrum.cz mail machine; we've gotten too much advance fee fraud spam from them to accept any more.
  • 195.128.174.109 tried to keep sending us stuff that had already hit our spamtraps.
  • 193.252.22.158 is a wanadoo.co.uk mail machine (and we've seen it before, most recently at the start of October); at the time that we blocked it, it was in SPEWS (and we're not interested in talking to Wanadoo properties anyways).

It's also rare for the top-10 kernel blocks to be so dominated by single IP addresses; even last week had three netblocks. This week we're down to just a Chinese /10, and it's only in ninth place.

Connection time rejection stats:

  34922 total
  17172 dynamic IP
  14149 bad or no reverse DNS
   2316 class bl-cbl
    298 class bl-dsbl
    256 class bl-sdul
    211 class bl-njabl
     56 class bl-spews
     44 class bl-ordb
     41 class bl-sbl
     19 cuttingedgemedia.com

Three out of the top 30 most rejected IP addresses were rejected 100 times or more; 203.177.186.10 (188 times), 61.53.153.69 (167 times), and 61.53.153.71 (105 times), all of which are APNIC addresses refused for having bad or missing reverse DNS. 19 of the 30 most rejected IP addresses are currently in the CBL and 9 are currently in bl.spamcop.net.

This week's Hotmail numbers:

  • 1 message accepted; it was legitimate email.
  • 1 message rejected because it came from a non-Hotmail email address (it was a msn.com address).
  • 26 messages sent to our spamtraps.
  • 1 message refused because its sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being a SAIX one.

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs          2076 (103)                    335 (52)
Bad bounces         377 (276)                    255 (169)

With the numbers that big, I was expecting to find a single point source of bad HELOs; unfortunately there isn't one. The leader is 208.223.173.169 (213 times), but then there is 70.234.28.17 (96 times), 216.27.82.198 (78 times), 68.15.237.4 (72 times), and so on.

The most eye-opening bad bounce source was securityfocus.com, at 22 attempts to check an 'IEFPLMD'. I suspect that this is sender verification instead of actual bounces. However, this was not the most popular bounce destination; that goes to 'milw' (22 times). To my pleasure, 3E4B reappeared (although there is still no sign of the 38 character hex strings). Otherwise, the bounces went to the usual suspects, primarily Slavic female names.

SpamSummary-2006-10-28 written at 23:48:31

2006-10-21

Weekly spam summary on October 21st, 2006

This week, we:

  • got 14,794 messages from 260 different IP addresses.
  • handled 20,016 sessions from 1,207 different IP addresses.
  • received 186,129 connections from at least 47,733 different IP addresses.
  • hit a highwater of 37 connections being checked at once.

Volume is around that of last week; I don't know what to make of the increasing highwater. The volume doesn't fluctuate too much from day to day:

Day         Connections   different IPs
Sunday           25,762          +7,003
Monday           27,945          +6,735
Tuesday          29,442          +7,764
Wednesday        26,593          +6,847
Thursday         28,700          +6,709
Friday           25,001          +6,578
Saturday         22,686          +6,097

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          34927   1816K
72.244.103.210        17256    807K
194.109.24.30         12822    652K
212.175.13.25          4877    293K
61.128.0.0/10          4649    250K
212.184.12.130         4357    209K
212.216.176.0/24       3930    196K
219.94.131.171         3483    209K
80.13.134.100          3481    177K
84.160.0.0/11          3452    170K

Apart from our leading dislike maybe finally giving up, volume is clearly significantly up from last week.

  • 213.4.149.12 and 72.244.103.210 return from last week, and are also the only two returning IP addresses.
  • 194.109.24.30 kept trying to send us stuff that had already hit our spamtraps.
  • 212.175.13.25, 212.184.12.130, and 219.94.131.171 are all APNIC IPs with no reverse DNS (by now I am perilously close to recognizing APNIC IP ranges on sight). The first is on bl.spamcop.net, the other two are in the NJABL.
  • 80.13.134.100 is a wanadoo.fr dialup; two big strikes against it for the price of one.

Connection time rejection stats:

  37843 total
  18462 dynamic IP
  15326 bad or no reverse DNS
   2162 class bl-cbl
    326 class bl-dsbl
    325 class bl-sdul
    252 class bl-njabl
    188 class bl-spews
     76 class bl-sbl
     66 class bl-ordb

There was only one IP address out of the top 30 most rejected IP addresses that was rejected 100 times or more; 71.101.253.74 (a Verizon DSL line that is also in the CBL et al) at 118 times. 18 of the 30 most rejected IP addresses are currently in the CBL and 3 are currently in bl.spamcop.net.

The SBL picture:

16 SBL45324 'Lucky Solution', a US spammer 03 Sep 2006
15 SBL42599 'Lucky Solution' again 13 Oct 2006
9 SBL36016 Polish spam? outfit Dec 2005
7 SBL47519 US spam source 17 Oct 2006
7 SBL47482 Polish spam source 16 Oct 2006
7 SBL41338 Russian advance fee fraud source 4 May 2006
6 SBL39631 Czech spam source (compromised machine) 29 Mar 2006

In summary: many 'real' spammers, and you have to go fairly far down before you find an advance fee fraud or phish spam. Most of the SBL listings for spammers are relatively new, with only a few old ones.

This week, what we got from Hotmail was:

  • 2 messages accepted, one of them definitely legitimate.
  • 1 message rejected because it came from a non-Hotmail email address; unfortunately it was from 'theroyalpeakraffledraw.com', so it looks like Hotmail may be backsliding to old habits.
  • 29 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one for being from Nigeria, one for being in the CBL).

About an average week, I suppose.

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs           335 (52)                     640 (68)
Bad bounces         255 (169)                    172 (140)

One trend is good, the other trend is bad; that's sort of how it goes in general. The leading source of bad HELOs was 65.23.46.163, with 93; no one else came close. The least amusing was 209.11.168.39, with the claimed HELO name of 'mail-test.gbxsc.friendster.com', and it does indeed seem to be a friendster.com machine.

The bad bounces continue to be pretty much like last week, although this time around there were no hex strings.

SpamSummary-2006-10-21 written at 23:28:49

2006-10-18

Getting your spam crossed

Received today:

MAIL FROM:<service@paypal.com>
[...]
From: Andrew Bailey. <deleted>
[...]

Good day partner,

I am Andrew Bailey of International Private Banking at BANK OF ENGLAND. I am contacting you concerning a deceased customer and an investment he placed under our banks management three years ago. [...]

This spam message apparently can't decide whether it's phish spam or advance fee fraud spam. Probably some spammer's mailer software got snarled up, but I like to imagine that the advance fee fraud gangs are now stealing compromised machines from the phish gangs.

CrossedSpam written at 11:13:46

2006-10-14

Weekly spam summary on October 14, 2006

This week, we:

  • got 13,890 messages from 262 different IP addresses.
  • handled 18,923 sessions from 1,185 different IP addresses.
  • received 187,506 connections from at least 50,091 different IP addresses.
  • hit a highwater of 22 connections being checked at once.

Connection volume is up again from last week, but everything else is down. Things fluctuated over the week:

Day         Connections   different IPs
Sunday           24,385          +6,671
Monday           31,929          +8,310
Tuesday          32,554          +9,304
Wednesday        27,740          +8,344
Thursday         22,182          +5,557
Friday           26,631          +6,431
Saturday         22,085          +5,474

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          62524   3251K
193.70.192.0/24        6103    275K
219.128.0.0/12         4367    213K
61.128.0.0/10          4270    230K
72.244.103.210         3993    187K
207.218.78.123         3562    178K
212.51.32.187          2965    130K
212.216.176.0/24       2841    144K
84.160.0.0/11          2813    139K
199.34.64.220          2478    149K

The overall numbers are down from last week, especially for single IP addresses.

  • 213.4.149.12 returns from last week.
  • 72.244.103.210 returns from August, still a covad.net 'dialup'.
  • 207.218.78.123 is on the NJABL.
  • 212.51.32.187 is a mundo-r.com outgoing SMTP gateway; they tried to send us a bunch of advance fee fraud spam this week.
  • 199.34.64.220 tried to send us a bunch of phish spam that had already hit our spamtraps.

Connection time rejection stats:

  42288 total
  19382 dynamic IP
  19198 bad or no reverse DNS
   2078 class bl-cbl
    396 class bl-dsbl
    255 class bl-sdul
    135 class bl-njabl
    117 class bl-spews
    110 cuttingedgemedia.com
     37 class bl-sbl
     19 class bl-ordb

Three out of the top 30 most rejected IP addresses were rejected 100 times or more, with the leader being 124.120.103.16 (136 times). 23 of the top 30 are currently in the CBL, 10 are currently in bl.spamcop.net, and one, 208.32.133.155, is part of SBL45150, the Cutting Edge Media SBL listing.

So much for them going away, evidently.

This week, Hotmail gave to us:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 27 messages sent to our spamtraps.
  • 7 messages refused because their sender addresses had already hit our spamtraps.
  • no messages refused due to their origin IP address.

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs           640 (68)                    1532 (118)
Bad bounces         172 (140)                    358 (317)

The champion source of bad HELO names is 216.229.190.42 (126 times), followed by 69.27.248.94 (75 times). Many of the bad bounces continue to come from Eastern Europe, and the pattern of bad usernames being mostly Slavic female names continues. We did have one bounce to 3E4B, from the same IP address as last week's (83.110.221.99).

SpamSummary-2006-10-14 written at 23:36:18

2006-10-07

Weekly spam summary on October 7th, 2006

This week, we:

  • got 15,275 messages from 261 different IP addresses.
  • handled 21,183 sessions from 1,301 different IP addresses.
  • received 172,030 connections from at least 42,834 different IP addresses.
  • hit a highwater of 18 connections being checked at once.

Volume is up somewhat from last week, but not hugely. The per day volume level fluctuates significantly:

Day         Connections   different IPs
Sunday           21,990          +6,449
Monday           22,389          +5,870
Tuesday          29,916          +7,132
Wednesday        28,204          +6,269
Thursday         25,631          +5,934
Friday           23,374          +5,615
Saturday         20,526          +5,565

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          58339   3034K
82.236.238.29          7377    375K
218.0.0.0/11           6280    304K
193.252.22.158         5769    346K
200.30.74.150          4989    282K
203.57.78.9            4762    242K
194.105.193.50         3663    181K
200.195.95.185         3200    176K
61.128.0.0/10          3154    176K
80.51.32.242           2901    174K

The overall numbers are up somewhat from last week.

  • 213.4.149.12, 193.252.22.158, and 80.51.32.242 return from last week, with terra.es continuing to totally, totally own first place.
  • 82.236.238.29 is a proxad.net dialup.
  • 203.57.78.9 is listed in NJABL; it appears to be yet another webmail advance fee fraud spam source.
  • 194.105.193.50 is a leivo.ru machine, and we've decided not to talk to them any more because they're a source of annoying backscatter.
  • 200.195.95.185 is currently in the CBL.

Connection time rejection stats:

  35477 total
  17818 dynamic IP
  14475 bad or no reverse DNS
   1712 class bl-cbl
    262 class bl-dsbl
    217 class bl-sdul
    205 class bl-njabl
     80 class bl-spews
     47 class bl-ordb
     39 class bl-sbl

This week marks the first week that Cutting Edge Media has left us alone. If it keeps up, I may hold a modest celebration.

One out of the top 30 most rejected IP addresses was rejected more than 100 times: 71.79.5.224, a RoadRunner cablemodem, at 184 times (it is also in the CBL). 23 of the top 30 most rejected IP addresses are currently in the CBL and 6 are currently in bl.spamcop.net. Because I can, I'll do a table of the top SBL rejections:

14 SBL29986 RTComm.RU /15 escalation listing
8 SBL41338 Advance fee fraud spam source
7 SBL47129 Phish spam source
3 SBL30022 RTComm.RU /16 escalation listing

I'd say I'm detecting a trend here, but it's not anything new, so I'm more confirming it.

This week, Hotmail brought to us:

  • 4 messages accepted, at least two of which were spam (again coming from what is probably a tm.net.my ADSL line; I guess I'll add them to the banned sources list).
  • no messages rejected because they came from non-Hotmail email addresses.
  • 27 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one for being in SBL33810 and the other for being from the Cote d'Ivoire).

I can't say I'm very happy about the continued spam from the Hotmail plus tm.net.my combination (they did it last week too). But then I'm usually not very happy with Hotmail in general.

And the final numbers:

what          # this week (distinct IPs)   # last week (distinct IPs)
Bad HELOs          1532 (118)                    718 (66)
Bad bounces         358 (317)                    127 (88)

Colour me displeased with the increase. No particular source of bad HELOs stands out; there were just more of them (although the average number of bad HELOs per IP address went up).

On the bad bounces, last week's pattern pretty much repeats, mixed in with the random alphanumeric usernames from earlier weeks. This time I looked at the sources of the bounces; it seems that most of the Russian female name bounces are coming from the Eastern Europe area. There was one bounce to 3E4B.

SpamSummary-2006-10-07 written at 23:33:09
