Wandering Thoughts archives

2007-01-28

Weekly spam summary on January 27th, 2007

This week, we:

  • got 14,755 messages from 268 different IP addresses.
  • handled 23,910 sessions from 1,483 different IP addresses.
  • received 248,718 connections from at least 75,622 different IP addresses.
  • hit a highwater of 37 connections being checked at once.

Volume seems noticeably up compared to last week. The apparent jump in the number of different IP addresses trying to talk to us concerns me, since it is probably yet another indication of the growing zombie armies.

Day          Connections   different IPs
Sunday            35,443         +12,619
Monday            36,954         +12,391
Tuesday           31,523          +8,475
Wednesday         42,126         +13,711
Thursday          39,633         +11,063
Friday            36,720          +9,858
Saturday          26,319          +7,505

About all I can say about this table is that I can remember when 20,000 connections a day was the ordinary baseline. Hopefully it'll go back there someday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
193.70.192.0/24       15081    680K
213.4.149.12          13873    712K
213.29.7.0/24         12301    734K
221.186.214.155        8435    505K
66.46.180.235          6534    392K
60.231.152.85          5745    292K
81.115.40.8            5059    270K
72.1.187.162           4544    212K
64.40.176.61           4412    212K
66.15.119.165          3188    149K

I'd call this about the same as last week.

  • 213.4.149.12 and 66.46.180.235 return from last week.
  • 221.186.214.155 is a Japanese IP address without valid reverse DNS.
  • 60.231.152.85 is a bigpond.net.au cablemodem that has appeared here before.
  • 81.115.40.8 is a telecomitalia.it machine reappearing from December.
  • 72.1.187.162 and 64.40.176.61 were blocked for repeated bad HELOs.
  • 66.15.119.165 is in the SORBS DUL.

In general, a broad variety of the usual suspects.

Connection time rejection stats:

  63406 total
  40314 dynamic IP
  15167 bad or no reverse DNS
   4941 class bl-cbl
   1475 class bl-sbl
    281 class bl-dsbl
    210 class bl-njabl
    124 class bl-pbl
    106 class bl-sdul

This is up significantly this week compared to last week, and the CBL and the SBL appear to have caught on fire. Such a huge SBL presence deserves a breakdown:

1291  SBL50451  69.42.169.0/24, listed as a spam source and spam website hoster (25-Jan-2007)
 137  SBL43664  63.139.56.0/23, aka 'GO TECH HOSTING', listed as a spam source and more (18-Oct-2006)
  16  SBL50430 plus SBL50333  wanadoo.co.uk's main mail machines, listed for advance fee fraud (24-Jan-2007)
  10  SBL50325  sify.net webmail, listed for advance fee fraud (22-Jan-2007)
  10  SBL50181  advance fee fraud spam source (18-Jan-2007, but active since November, and tried to hit us last week too)
  10  SBL50211  65.99.209.155, also a carryover from last week, but now apparently removed from the SBL.

SBL50451 managed to connect to us a few times before it got SBL listed, but it looks like it didn't manage to deliver anything because the messages it was trying to send had URLs that tripped some of our other spam filtering.

Only two of the top 30 most rejected IP addresses were rejected 100 times or more this week, but the leader is a real champion; 83.196.30.53 was rejected 2,546 times due to it being a wanadoo.fr dialup, and 189.139.79.21 was rejected 100 times due to being a Mexican IP address without working reverse DNS (it's also on the CBL et al). In other news, 14 of the top 30 are currently in the CBL, 9 are currently listed in bl.spamcop.net, and two are in the SBL.

The SBL-listed two are 209.205.237.36, part of SBL41018, a /20 Pacnet escalation listing from 24-Dec for spammer hosting that we saw before in December, and 66.236.249.115, SBL37424, a /26 ROKSO listing from 19-Oct for Richard Simnett aka S-Infotech and Direct Media Network. As usual, neither were actually rejected for being SBL-listed; the Pacnet IP was blocked for bad reverse DNS, and the Simnett IP was blocked because we have that /24 blocked as an old spam source.

This week Hotmail brought us:

  • 2 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 29 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being from saix.net of South Africa.

And the final numbers:

What            this week (distinct IPs)    last week (distinct IPs)
Bad HELOs       1171 (134)                  1578 (101)
Bad bounces      229 (130)                   455 (345)

This is an improvement from last week, but not a great one. There's no clear winner of the bad HELO sweepstakes, just a bunch of people with middle double-digit rejection counts.

The clear champion of bad bounces is 193.138.163.135, with 64, all to the username 'erqxsdtlqele'. In terms of general sources, Germany and Italy fought it out this week, with contributions from Russia and various other places around the world. Random alphabetic jumble usernames continued their overall domination of the bad bounce targets, but this week saw some ones with leading numbers show up, along with a number of more plausible usernames. Bad bounces were sent to only 148 different bad usernames this week.

SpamSummary-2007-01-27 written at 01:23:22

2007-01-27

Why I think that DNS whitelists are going to fail

There's been a recent fad for DNS whitelists, the rough inverse of DNS blacklists; instead of listing claimed bad sources of email, they list claimed good sources. I've been thinking about this for a while, and I believe that such DNS whitelists are going to fail.

Why I believe DNS whitelists are doomed can be summed up in a simple question: do you whitelist Hotmail or not? If you whitelist Hotmail, you are whitelisting a known source of a not insignificant amount of spam. If you don't whitelist Hotmail, you are not whitelisting a place that sends a lot of legitimate email that's wanted by the people it's sent to. Either answer damages your DNS whitelist.

The fundamental issue is that there is no nice binary spam/no spam dividing line for hosts; instead it is more like:

  1. sends no spam
  2. sends spam but only as part of forwarding email in general
  3. originates some spam along with legitimate email
  4. originates too much spam (to the limiting point of not originating any legitimate email).

(Hotmail, Yahoo, Google Mail, and so on are #3s. Places that forward mail (whether directly for users or by running mailing lists) are sooner or later #2s.)

Among other issues, where do you draw the line between #3 and #4 and decide to (not) list someone? I don't think there are any objective criteria, so it comes down to 'too big to not whitelist', and sooner or later you (the list operator) and I (the list user) are going to disagree about that.

(You can take the intellectually pure path and only list #1, but then what's the point? Most of the interesting places we get email from are going to fall into #2 and #3.)

DNSWhitelistProblem written at 22:27:59

2007-01-20

Weekly spam summary on January 20th, 2007

Our SMTP frontend crashed a lot this week, so the connection volume number is a lot more approximated than usual. Having said that, this week we:

  • got 14,060 messages from 292 different IP addresses.
  • handled 21,260 sessions from 1,496 different IP addresses.
  • received over 183,239 connections; I'm not going to try to guess at the minimum number of different IP addresses.
  • probably hit a highwater of 6 connections being checked at once.

It seems likely that volume was around that of last week or maybe a bit lower, but it's very hard to tell.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          21316   1101K
213.29.7.0/24         18080   1081K
193.70.192.0/24       12078    544K
216.100.202.21         4945    231K
67.118.208.202         4683    225K
208.42.51.45           4208    202K
66.46.180.235          4149    248K
72.156.25.114          4058    195K
217.128.32.217         3513    169K
170.180.10.152         3360    161K

  • 213.4.149.12 returns from last week and many previous appearances.
  • 216.100.202.21 was on the NJABL when we blocked it, but no longer is.
  • 67.118.208.202 is a Pacbell DSL line in the SORBS DUL list.
  • 208.42.51.45 and 170.180.10.152 kept trying bad HELOs.
  • 66.46.180.235 kept trying to send us stuff that had already tripped our spamtraps.
  • 72.156.25.114 and 217.128.32.217 are both things that we consider dialups.

The overall volume is clearly up from last week, although only one IP address is one that's made the lists before. (And that one is terra.es's mail server, which we haven't wanted to talk to for ages.)

Connection time rejection stats:

  48728 total
  32588 dynamic IP
  12796 bad or no reverse DNS
   2058 class bl-cbl
    206 class bl-sdul
    143 class bl-dsbl
     98 class bl-pbl
     58 class bl-njabl
     50 class bl-sbl

As you can see, we've added the Spamhaus PBL to our list of blocklists. It hasn't hit much because it comes after the CBL and our extensive hand-maintained list of dialups and other dynamic IPs.
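The reason the PBL "hasn't hit much" is the ordering of the checks: each rejected connection is charged to the first rule that matches it, so an address that is on the hand-maintained dynamic list or in the CBL never gets counted under bl-pbl even when the PBL lists it too. The following is an added example of such a first-match pipeline, not the site's own code. The rule order it uses follows what the post says (hand-maintained dynamic list, then reverse DNS, then CBL before PBL); the relative order of the remaining lists, the forward-confirmed reverse DNS test, the zone names and every address in the sample data are assumptions or constructed for the example.

```python
"""Connection-time rejection ordered by first match.

Added example, not the site's own code.  Rule order follows the post
(hand-maintained dynamic list, then reverse DNS, then CBL before PBL);
the order of the other lists, the forward-confirmed reverse DNS test and
the zone names are assumptions, and every address below is constructed.
"""
import ipaddress
from collections import Counter

# (class name as it appears in the weekly stats, DNSBL zone queried)
BLOCKLISTS = [
    ("bl-cbl",   "cbl.abuseat.org"),
    ("bl-sbl",   "sbl.spamhaus.org"),
    ("bl-dsbl",  "list.dsbl.org"),
    ("bl-njabl", "dnsbl.njabl.org"),
    ("bl-pbl",   "pbl.spamhaus.org"),
    ("bl-sdul",  "dul.dnsbl.sorbs.net"),
]


class FakeDNS:
    """Offline stand-in for the resolver: PTR records, A records and the
    set of DNSBL names that would resolve (all constructed)."""

    def __init__(self, ptr, a, listed):
        self._ptr, self._a, self._listed = ptr, a, listed

    def ptr(self, ip):
        return self._ptr.get(ip)

    def a(self, name):
        return self._a.get(name, [])

    def listed(self, qname):
        return qname in self._listed


def dnsbl_query_name(ip, zone):
    """213.4.149.12 checked against cbl.abuseat.org becomes the name
    12.149.4.213.cbl.abuseat.org; a listing answers with an A record."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def has_good_rdns(ip, dns):
    """'Bad or no reverse DNS': no PTR, or a PTR whose forward lookup does
    not include the connecting IP (forward-confirmed rDNS, an assumption)."""
    name = dns.ptr(ip)
    return name is not None and ip in dns.a(name)


def classify(ip, dns, dynamic_nets):
    """Return the rejection class for one connecting IP, or None to let the
    SMTP session proceed.  The first matching rule wins, which is why a
    list late in BLOCKLISTS is charged only for addresses nothing earlier
    already caught."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in dynamic_nets):
        return "dynamic IP"
    if not has_good_rdns(ip, dns):
        return "bad or no reverse DNS"
    for cls, zone in BLOCKLISTS:
        if dns.listed(dnsbl_query_name(ip, zone)):
            return cls
    return None


def tally(ips, dns, dynamic_nets):
    """Count rejections per class the way the weekly stats do."""
    counts = Counter()
    for ip in ips:
        cls = classify(ip, dns, dynamic_nets)
        if cls is not None:
            counts["total"] += 1
            counts[cls] += 1
    return counts


# Constructed sample data (documentation address ranges only).
DYNAMIC = [ipaddress.ip_network("198.51.100.0/24")]
DNS = FakeDNS(
    ptr={
        "203.0.113.20": "mail.example.org",
        "203.0.113.30": "relay.example.net",
        "203.0.113.40": "mx.example.com",
        "203.0.113.50": "host.example.net",    # PTR not confirmed forward
    },
    a={
        "mail.example.org": ["203.0.113.20"],
        "relay.example.net": ["203.0.113.30"],
        "mx.example.com": ["203.0.113.40"],
        "host.example.net": ["203.0.113.99"],
    },
    listed={
        dnsbl_query_name("198.51.100.3", "pbl.spamhaus.org"),  # dynamic AND PBL
        dnsbl_query_name("203.0.113.20", "cbl.abuseat.org"),   # CBL AND PBL
        dnsbl_query_name("203.0.113.20", "pbl.spamhaus.org"),
        dnsbl_query_name("203.0.113.30", "pbl.spamhaus.org"),  # PBL only
    },
)
SAMPLE = ["198.51.100.3", "203.0.113.10", "203.0.113.20",
          "203.0.113.30", "203.0.113.40", "203.0.113.50"]

if __name__ == "__main__":
    for ip in SAMPLE:
        print(ip, classify(ip, DNS, DYNAMIC))
    print(dict(tally(SAMPLE, DNS, DYNAMIC)))
```

Of the three sample addresses the PBL would list, only 203.0.113.30 is charged to bl-pbl; the other two are counted under "dynamic IP" and "bl-cbl" because those rules run first. The same shadowing applies to any list placed late in the order, so a low count in the weekly table says as much about position as about coverage.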

Only one out of the top 30 most rejected IPs was rejected 100 times or more this week; 217.128.32.217, a wanadoo.fr dialup, was rejected 422 times. 13 of the top 30 are currently in the CBL, and 5 are currently in bl.spamcop.net.

Half of our SBL rejections came from 200.170.174.135 (25 rejections, SBL50181), a compromised web server being abused to send advance fee fraud spam for some time. After that is 65.99.209.155 (7 rejections, SBL50211), labeled as an opt-out spammer, and 66.158.163.165 (4 rejections, SBL49046), more advance fee fraud spamming.

This week Hotmail brought us:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 30 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one from saix.net, one from Burkina Faso).

And the final numbers:

What            this week (distinct IPs)    last week (distinct IPs)
Bad HELOs       1578 (101)                   566 (98)
Bad bounces      455 (345)                   151 (126)

I can't say that this looks good compared to last week. There is a clear winner of the bad HELO sweepstakes; 193.99.175.1 tried 494 times. Fortunately, that's the only really active bad HELO source, and everyone else was down in what I consider acceptable territory with only double-digit rejections.

Germany remained a major source of our bad rejections, sprinkled with Italy, Japan, Australia, and other places around the globe. 'noreply' was the most popular single username to try to send bounces to, but the most popular thing in general was random alphabetical usernames like 'shxonbnjy'. Bad bounces were sent to 425 different bad usernames this week.

SpamSummary-2007-01-20 written at 23:28:55

2007-01-13

Weekly spam summary on January 13th, 2007

This week, we:

  • got 14,362 messages from 263 different IP addresses.
  • handled 18,805 sessions from 1,257 different IP addresses.
  • received 232,353 connections from at least 81,631 different IP addresses.
  • hit a highwater of 26 connections being checked at once.

Weekly email volume has returned to normal, which is not surprising (the university is back in full session). Total volume is up a bit from last week, especially the number of different IP addresses talking to us.

Day          Connections   different IPs
Sunday            32,355         +13,346
Monday            35,036         +12,551
Tuesday           31,295         +11,603
Wednesday         36,412         +11,841
Thursday          36,387         +12,355
Friday            32,702         +10,873
Saturday          28,166          +9,062

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          18869    981K
213.29.7.0/24         18426   1105K
193.70.192.0/24       13778    621K
69.15.68.98            6860    321K
60.231.152.85          5001    254K
64.166.14.222          4062    195K
193.252.22.158         3999    240K
86.18.9.59             3811    183K
66.15.22.201           3184    153K
84.160.0.0/11          2339    116K

  • 213.4.149.12, 69.15.68.98, and 193.252.22.158 return from last week's list.
  • 60.231.152.85 is a bigpond.net.au cablemodem and last appeared in December.
  • 64.166.14.222 didn't make the kernel filtering top ten last week but got mentioned for other reasons and has made the weekly summaries before in general.
  • 86.18.9.59 is an ntl.com broadband customer, which we consider a dynamic/dialup IP address.
  • 66.15.22.201 is in the SORBS DUL.

Overall volume is once again up a bit from last week.

Connection time rejection stats:

  59047 total
  37554 dynamic IP
  14709 bad or no reverse DNS
   4911 class bl-cbl
    371 class bl-sdul
    270 class bl-dsbl
    152 'fairgamemail.us'
    134 class bl-njabl
     97 cuttingedgemedia.com
     59 class bl-spews
     31 class bl-sbl

This is likely the last week SPEWS will appear in these reports. Sparked by reports in news.admin.net-abuse.email that the SPEWS database hasn't been updated for the past few months, and the generally low hit rate recently, I am pulling them from our configuration to avoid potential future explosions.

Only one IP address out of the top 30 most rejected IP addresses was rejected 100 times or more; 64.166.14.222 (698 times), which also made the top 10 kernel rejected IPs. 15 out of the top 30 are currently in the CBL and 6 are currently in bl.spamcop.net.

This week Hotmail brought us:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 30 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 5 messages refused due to their origin IP address (four from the Cote d'Ivoire, one in SBL22599).

And the final numbers:

What            this week (distinct IPs)    last week (distinct IPs)
Bad HELOs        566 (98)                    332 (130)
Bad bounces      151 (126)                    16 (11)

Oh well, so much for the peace of last week. There is no single big contributor to either, although the major source of bad bounces seems to be German sites. The largest target of bad bounces was to 'noreply', but after that almost everything was to alphabetic jumble usernames, with only a few plausible ex-users mixed in.

SpamSummary-2007-01-13 written at 23:48:24

2007-01-06

Weekly spam summary on January 6th, 2007

This week, we:

  • got 12,487 messages from 217 different IP addresses.
  • handled 16,802 sessions from 997 different IP addresses.
  • received 224,173 connections from at least 71,302 different IP addresses.
  • hit a highwater of 23 connections being checked at once.

The university came back from vacation this past Thursday, and of course the spammers never went on much of one to start with. I suspect that volume is up somewhat from last week, but given that this is the first time in a couple of weeks that we have full stats it's hard to be sure.

Day          Connections   different IPs
Sunday            31,473         +11,976
Monday            30,086         +10,263
Tuesday           36,900         +11,800
Wednesday         33,074         +10,070
Thursday          33,327          +9,978
Friday            34,889          +9,865
Saturday          24,424          +7,350

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          24349   1266K
193.70.192.0/24       11208    505K
213.29.7.0/24         10387    623K
69.15.68.98            7857    367K
212.43.241.13          7615    418K
66.7.28.46             4040    205K
193.252.22.158         3383    203K
69.15.6.139            3252    156K
212.175.13.129         2470    148K
212.184.12.130         2289    110K

  • 213.4.149.12, 212.43.241.13, and 193.252.22.158 all return from last week, although they've shuffled their order this time around.
  • 193.70.192.0/24 is iol.it aka tin.it, who we haven't talked to for a long time.
  • 213.29.7.0/24 is centrum.cz, with their volume surging back up from last week's temporary drop.
  • 69.15.68.98 and 212.175.13.129 (last heard from in September) had too many bad HELOs.
  • 66.7.28.46 is in the NJABL.
  • 69.15.6.139 kept trying to send us phish spam that had already hit our spamtraps.
  • 212.184.12.130 reappears from October and still has no reverse DNS information.

Overall volume here is up somewhat from last week.

Connection time rejection stats:

  61627 total
  38124 dynamic IP
  17309 bad or no reverse DNS
   4543 class bl-cbl
    378 class bl-dsbl
    316 class bl-sdul
    166 class bl-sbl
     84 cuttingedgemedia.com
     49 class bl-njabl
     24 class bl-spews
     21 'fairgamemail.us'

Only one out of the top 30 most rejected IP addresses was rejected 100 times or more: 64.166.14.222 (941 times, a Pacbell DSL line). 20 of the top 30 are currently in the CBL, 10 are currently in bl.spamcop.net, and one is in the SBL: 209.205.236.245, which also did this last week.

The leading actual SBL rejections this week are:

97  SBL43537  a /19 escalation listing against SWIFT VENTURES Inc for spammer hosting (31-Dec-2006)
19  SBL42599  a /24 ROKSO listing for Brian Kramer / Expedite Media Group (08-Dec-2006)
14  SBL49046, SBL37655, SBL38413  an escalating series of listings for ServerFlo, which Spamhaus suspects is a spammer front (23-Nov-2006 for the SBL38413 /20 listing)

This week Hotmail brought us:

  • 4 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 19 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being inside telkom.co.za.

And the final numbers:

What            this week (distinct IPs)    last week (distinct IPs)
Bad HELOs        332 (130)                   594 (87)
Bad bounces       16 (11)                     72 (60)

Now that's the kind of change I like to see compared to last week. As you might expect, there are no really big sources of bad HELOs, and there are so few bad bounces that I can put the usernames in a handy table:

4 markf
4 ijiefuurmcl
3 wtn-editors
2 noreply
1 user
1 morgaine
1 ctn-editors

This is pretty atypical; four of these are actual usernames that used to exist here, and only one is an alphabetical jumble.

SpamSummary-2007-01-06 written at 23:25:20

2007-01-02

My current views on webmail providers

I have come to a grumpy realization recently:

Unsecured webmail systems are today's open SMTP relays, and it's high time that they got treated the same way.

The comparison is all the more striking because (once) major ISPs appear to have decided that they can run open webmail systems without consequences, much as people once shrugged off running open SMTP relays.

(I am particularly depressed by the move of places like rr.com, comcast.net, and adelphia.net into webmail systems that are open enough to let people in Nigeria spam us. Today's candidate for the dunk tank is tucows.com, who to my shame are based in Toronto; as is traditional, the spam message originated from a thoroughly blacklisted IP address that is in SBL33810, a listing that dates from July 9th 2006, among other places.)

This implies that there should be a list of webmail providers that source spam, and people should be encouraged to block such places using the list. (People would have to whitelist Hotmail and Yahoo and so on; personally I consider that a feature.)

If I was running such a DNS blocklist, I would drive it from spamtrap data, with simple time-based expiry. Listing durations would be based on the volume involved and on how much the webmail provider should have known better, based both on how badly SpamAssassin et al score the mail and on how listed (and in what) the origin IP address is. Keep generating advance fee fraud spam email and your listing stays. (This would make Hotmail et al perpetually listed, which is fair; they're perpetually sending out spam email. See above.)

(I have been banging this drum for some time, in various forms.)
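What a spamtrap-driven list with time-based expiry looks like in practice, as an added example that is not anything the author runs: listings are created by spamtrap hits, expire on their own, and a provider that keeps feeding the traps keeps extending its own listing, so Hotmail-style perpetual sources stay listed without anyone maintaining them by hand. The overall shape (spamtrap hits, expiry, durations that grow with volume and with how listed the origin IP was and how badly the message scored) is from the post; the concrete duration formula, the name-based zone `webmail.bl.example`, the class and function names, and all sample data are assumptions constructed for the example.

```python
"""Spamtrap-driven webmail-provider blocklist with time-based expiry.

Added example, not anything the post's author runs.  The shape follows
the post (spamtrap hits drive listings, entries expire on their own,
durations grow with volume and with how listed the origin IP was and how
badly the message scored); the concrete formula, the name-based zone and
the sample data are assumptions.
"""
import datetime as dt
from dataclasses import dataclass

BASE = dt.timedelta(hours=24)   # one hit from an otherwise clean-looking origin
CAP = dt.timedelta(days=30)     # longest a single hit can extend a listing


@dataclass
class Listing:
    provider: str
    first_hit: dt.datetime
    expires: dt.datetime
    hits: int = 0


def listing_duration(sa_score, origin_lists, hits):
    """How long one spamtrap hit keeps a provider listed (formula assumed).

    'Should have known better' scales with how many DNSBLs already listed
    the origin IP and with a clearly-spam SpamAssassin score; 'volume'
    scales with how many hits this listing has accumulated."""
    culpability = 1 + len(origin_lists)
    if sa_score >= 10.0:
        culpability *= 2
    volume = 1 + hits // 10
    return min(CAP, BASE * culpability * volume)


class WebmailBlocklist:
    def __init__(self, zone="webmail.bl.example"):
        self.zone = zone          # hypothetical zone, queried by provider name
        self.listings = {}

    def record_hit(self, provider, now, sa_score, origin_lists):
        """A message originating at `provider` landed in a spamtrap at `now`."""
        entry = self.listings.get(provider)
        if entry is None or entry.expires <= now:
            entry = Listing(provider, now, now, 0)
            self.listings[provider] = entry
        entry.hits += 1
        until = now + listing_duration(sa_score, origin_lists, entry.hits)
        entry.expires = max(entry.expires, until)   # keep spamming, stay listed
        return entry

    def is_listed(self, provider, now):
        entry = self.listings.get(provider)
        return entry is not None and now < entry.expires

    def answer(self, qname, now):
        """Resolve a query like provider.webmail.bl.example the way a
        name-based DNSBL would: 127.0.0.2 while listed, NXDOMAIN (None)
        once the listing has expired."""
        suffix = "." + self.zone
        if not qname.endswith(suffix):
            return None
        provider = qname[: -len(suffix)]
        return "127.0.0.2" if self.is_listed(provider, now) else None

    def expire(self, now):
        """Drop expired entries; returns the providers that were removed."""
        gone = [p for p, e in self.listings.items() if e.expires <= now]
        for p in gone:
            del self.listings[p]
        return gone


T0 = dt.datetime(2007, 1, 2, 12, 0)


def demo():
    """Two constructed providers: one sending advance fee fraud from an
    origin IP on two DNSBLs with a high score, one borderline message
    from a clean origin."""
    bl = WebmailBlocklist()
    bl.record_hit("webmail-a.example", T0, sa_score=14.2, origin_lists=["SBL", "CBL"])
    bl.record_hit("webmail-b.example", T0, sa_score=4.1, origin_lists=[])
    return bl


if __name__ == "__main__":
    bl = demo()
    for name, entry in bl.listings.items():
        print(name, "listed until", entry.expires)
```

With the assumed formula the fraud source is listed for six days per hit (24h x (1 + 2 lists) x 2 for the score) and the borderline one for a day; a second hit before expiry pushes the end date out rather than resetting it, which is the "your listing stays" property the post asks for.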

WebmailView written at 23:29:27
