2007-04-29
Weekly spam summary on April 28th, 2007
This week, we:
- got 11,321 messages from 292 different IP addresses.
- handled 18,443 sessions from 1,247 different IP addresses.
- received 176,017 connections from at least 61,753 different IP addresses.
- hit a highwater of 7 connections being checked at once.
This is slightly up from last week, especially the number of different IP addresses hitting us. The drop in email messages may be because we're towards the end of university exams, when things tend to get a bit quiet.
| Day | Connections | different IPs |
| Sunday | 26,858 | +9,992 |
| Monday | 26,131 | +9,688 |
| Tuesday | 30,224 | +10,405 |
| Wednesday | 33,942 | +10,356 |
| Thursday | 26,933 | +8,622 |
| Friday | 18,944 | +7,395 |
| Saturday | 12,985 | +5,295 |
The spammers seem to have jumped on us in the middle of the week, and then started to fall off later on. Probably this is not going to be a long-term trend.
Kernel level packet filtering top ten:
Host/Mask          Packets  Bytes
68.230.240.0/23      39449  1916K  cox.net
68.168.78.0/24       19607   941K  adelphia.net
213.29.7.0/24        15449   927K  centrum.cz
213.4.149.12         13035   678K
205.152.59.0/24      12831   582K  bellsouth.net
206.123.109.0/27      9250   508K
81.115.40.8           5319   284K
65.175.90.190         2877   158K
193.25.197.0/24       2619   157K
65.75.64.3            2619   126K
Volume is slightly down from last week, and has shuffled around quite a bit.
- 213.4.149.12 is terra.es, and returns from last week and many times before.
- 206.123.109.0/27 is a tendril of otcpicknews.com and returns from last week.
- 81.115.40.8 is a telecomitalia.it generic host, and returns from late February and a number of times before then.
- 65.175.90.190 kept trying to send us stuff with an origin address that had tripped our spam traps. It's been doing this for some time, but this is the first week it's made our top ten.
- 193.25.197.0/24 is celeonet.fr; it also kept trying to send us stuff that had already tripped our spamtraps, but it was sending from so many IP addresses that I just blocked the entire /24.
- 65.75.64.3 kept trying with a bad HELO name.
Connection time rejection stats:
41556 total
22293 dynamic IP
13326 bad or no reverse DNS
4565 class bl-cbl
234 qsnews.net
222 class bl-njabl
105 acceleratebiz.com
110 class bl-dsbl
95 class bl-pbl
71 class bl-sdul
70 class bl-sbl
The highest source of SBL rejections this week is SBL49395 at 25 rejections, which is labeled as 'swishmail.com' and appears to be a dirty /24 used by a spammer and was listed 23 December 2006. Following it is SBL45324 with 17 rejections, a /24 ROKSO listing for Brian Kramer aka Expedite Media Group, listed 26 December 2006.
Three of the top 30 most rejected IP addresses were rejected 100 times
or more this week; 216.213.172.11 (156 times, qsnews.net), 200.62.58.67
(123 times, missing reverse DNS), and 87.51.151.182 (106 times, tele.dk
ADSL). Ten of the top 30 are currently in the CBL, none are currently
in bl.spamcop.net (somewhat to my surprise), eight are in the PBL,
and a grand total of 14 are in zen.spamhaus.org.
(Locally, 13 were rejected for bad or missing reverse DNS, 9 as dynamic IPs, 3 as being from various places we don't want to talk to, 3 for being in the NJABL, and one each for being in the DSBL and the CBL.)
This week, Hotmail did:
- no messages accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 24 messages sent to our spamtraps.
- 16 messages refused because their sender addresses had already hit our spamtraps.
- 4 messages refused due to their origin IP address (two in the CBL, one in SBL48677, an advance fee fraud spam source listing from December 1st 2006, and one from the Cote d'Ivoire).
And the final numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 699 | 69 | 720 | 75 |
| Bad bounces | 125 | 57 | 68 | 22 |
Bad bounces have almost doubled from last week, and the number of
sources has more than doubled. On the slightly bright side, at least the
bad HELO count has dropped slightly. The leading bad HELO source is
70.16.191.87 (72 tries), followed by 216.212.61.226 (67 tries).
Bad bounces were sent to 36 different bad usernames this week. The
leading target, with 84 attempts, was an old user. After that we
saw attempts to old users, the ever-popular noreply, some random
jumbles like xgosk02, and a variety of names like MyraRogers.
This week the bounces seem to have come from all over; the leading
source is chello.at, followed by a Polish ISP and Earthlink. Various
places in Eastern Europe seem to be popular bounce sources in general.
2007-04-28
Why I no longer bother to complain to ISPs about spam
The simple answer: reporting spam to ISPs is not an effective way to make the spam stop.
My job is to protect my users (or just myself) from spam, not to help ISPs police their customers and clean up their spam problems. Complaining to ISPs is no longer an effective way to do my actual job, if it ever was; blocking spammers, spam sources, and ISPs is, though. Once I have dealt with the problem, complaining to the ISP is at best donating my time and effort to the ISP; at worst, it makes me a target.
As a result, my reaction to being sent spam is almost always to block the sender. If an ISP's networks are a source of a large enough amount of spam to get me to notice it, I generally escalate to blocking the entire ISP, and I certainly don't bother complaining; if the ISP is rotten, the best result I can hope for is to have wasted my time.
The only time when I bother to complain to an ISP is when I cannot block it because it sources too much legitimate traffic that my users want, and the ISP has a reputation of actually doing something effective with spam reports. There are very few such places left any more.
I expect that whether or not users can articulate this, this is why spam reporting rates have dropped precipitously over the last few years. Users aren't stupid and do notice when what they're doing is pointless and has no (good) effect on how much spam they get.
2007-04-21
Weekly spam summary on April 21st, 2007
This week, we:
- got 12,325 messages from 286 different IP addresses.
- handled 19,040 sessions from 1,240 different IP addresses.
- received 170,841 connections from at least 51,674 different IP addresses.
- hit a highwater of 17 connections being checked at once.
This is slightly up from last week, which just means it's within normal fluctuations. The per day table is flatter this time around:
| Day | Connections | different IPs |
| Sunday | 25,199 | +8,285 |
| Monday | 28,318 | +7,887 |
| Tuesday | 28,035 | +8,508 |
| Wednesday | 26,202 | +8,425 |
| Thursday | 24,601 | +7,856 |
| Friday | 22,180 | +5,824 |
| Saturday | 16,306 | +4,889 |
Kernel level packet filtering top ten:
Host/Mask          Packets  Bytes
68.168.78.0/24       34173  1640K  adelphia.net
68.230.240.0/23      27081  1315K  cox.net
205.152.59.0/24      12790   580K  bellsouth.net
209.60.190.123       11106   519K
206.123.109.0/27     10994   603K
213.29.7.0/24        10704   642K  centrum.cz
213.4.149.12          6001   312K
204.202.11.243        5451   269K
24.216.176.82         4535   218K
206.123.109.8         4315   237K
Volume is slightly up on last week, which is vaguely depressing. The 206.123.109.0/27 netblock deserves special mention; it is another tendril of the otcpicknews.com (aka otcpicks.com and many others) group, previously found slamming us from 72.249.13.64/26 last week. Evidently adding them to the kernel level blocks was a good idea.
- 209.60.190.123 and 213.4.149.12 return from last week.
- 204.202.11.243 kept trying to send us phish spam that had already tripped over our spamtraps.
- 24.216.176.82 is a charter.com cablemodem or other dynamic IP address.
- 206.123.109.8 is part of 206.123.109.0/27, but we blocked it first so it gets a separate entry.
Connection time rejection stats:
48381 total
25951 dynamic IP
16153 bad or no reverse DNS
4951 class bl-cbl
215 acceleratebiz.com
191 class bl-dsbl
133 qsnews.net
116 class bl-pbl
85 class bl-sbl
77 class bl-njabl
62 class bl-sdul
23 cuttingedgemedia.com
The highest SBL source this week is SBL48694 with 13 hits, which is a known spam sending source that was listed at the end of March.
Seven of the top 30 most rejected IP addresses were rejected 100 times
or more this week; the champion is 190.51.4.122 (1107 rejections,
a speedy.com.ar IP address without good reverse DNS), followed
closely by 76.187.221.186 (971 rejections, a rr.com cablemodem)
and 86.135.179.47 (836 rejections, a btcentralplus.com dynamic
machine of some description). Ten of the top 30 are currently
in the CBL, one is in the SBL (213.154.87.161, in SBL21133, listed April
18th 2005 for emitting way too much advance fee fraud spam), three are
currently in bl.spamcop.net, twelve are in the PBL, and a grand total
of 17 of the top 30 are in zen.spamhaus.org.
(Locally, 13 were rejected as 'dynamic IP', 11 were rejected for having bad or missing reverse DNS, 4 were rejected for being various places we don't talk to any more on account of spam, and two are on the DSBL.)
This week Hotmail had:
- no messages accepted.
- 2 messages rejected because they came from non-Hotmail email addresses.
- 36 messages sent to our spamtraps.
- 3 messages refused because their sender addresses had already hit our spamtraps.
- 3 messages refused due to their origin IP address (one in the CBL, one in SBL33955, an advance fee fraud spam source listing from October 24th 2005 (and it was sending through Hotmail back then), and one from saix.net/telkcom.co.za).
And the final numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 720 | 75 | 940 | 72 |
| Bad bounces | 68 | 22 | 57 | 29 |
The leading source of bad HELOs is 203.90.78.101, with 96 rejections.
The leading source of bad bounces was 012.net.il, followed by
earthlink.net and videotron.ca; other bad bounces came from a random
smattering of all over.
Bad bounces were sent to 23 different bad usernames this week. The
leading target, with 39 attempts, was an old user account, long
since removed; after that, with 6 attempts, comes our old friend
noreply. Apart from that, almost all of the bounces went to things
like OtisVentura, with a smattering of old local users.
2007-04-14
Weekly spam summary on April 14th, 2007
This week, we:
- got 13,205 messages from 267 different IP addresses.
- handled 19,508 sessions from 1,153 different IP addresses.
- received 163,293 connections from at least 49,706 different IP addresses.
- hit a highwater of 11 connections being checked at once.
This is about the same volume as last week. The per day table fluctuates a fair bit, with a mid-week peak as usual:
| Day | Connections | different IPs |
| Sunday | 23,951 | +8,124 |
| Monday | 25,146 | +8,550 |
| Tuesday | 20,040 | +6,666 |
| Wednesday | 29,144 | +8,048 |
| Thursday | 22,600 | +5,945 |
| Friday | 25,901 | +7,294 |
| Saturday | 16,511 | +5,079 |
Kernel level packet filtering top ten:
Host/Mask          Packets  Bytes
68.230.240.0/23      41441  2013K  cox.net
205.152.59.0/24      19922   903K  bellsouth.net
200.170.93.20        11532   615K
64.187.99.112        11366   546K
213.29.7.0/24         9072   544K  centrum.cz
68.168.78.0/24        8826   424K  adelphia.net
213.4.149.12          6721   349K
209.60.190.123        5479   256K
212.51.32.152         3936   182K
66.18.132.101         3398   163K
Volume is slightly up on last week, but not enough to be significant (especially since I merged the two Bellsouth /24 blocks into one /23). It is nice to see some of the /24s for the webmail people moving out of the top of the table, even if Cox and Bellsouth still have a lock on the top places.
- 200.170.93.20 kept trying to send email with an origin address that had already tripped our spamtraps. Judging from the specific origin address and the host name, it's a web server compromised through some PHP problem.
- 64.187.99.112 is in AccelerateBiz network space, and we no longer talk to them. Considering that it is called 'mail.allfreebiestoyou.com', I don't think we're in any danger of missing anything important.
- 213.4.149.12 returns from last week and many times before.
- 209.60.190.123 and 66.18.132.101 kept trying with bad HELOs.
- 212.51.32.152 is a mundo-r.com machine, and we no longer accept email from them due to advance fee fraud webmail spam.
Connection time rejection stats:
40610 total
21905 dynamic IP
13065 bad or no reverse DNS
4207 class bl-cbl
237 acceleratebiz.com
127 dartmail.net
123 class bl-njabl
118 class bl-dsbl
107 class bl-pbl
100 class bl-sbl
73 cuttingedgemedia.com
69 postdirect.com
68 edatis.net/edt02.net
39 class bl-sdul
Here is a free hint for people trying to get us to accept their email: putting sequence numbers in your domain names does not make you look good.
Technically, the highest SBL source this week is SBL51080 with 19 rejections, but this is just because 72.249.13.64/26 somehow got its listing removed some time during the week. Had it remained listed, it would have had 32 rejections.
(Because I am much less forgiving than the SBL, the otcpicksnewsN.com complex has now earned a place in our permanent blocks.)
Three of the top 30 most rejected IP addresses were rejected 100 times
or more this week: 62.42.62.33 (714 times), 74.64.66.122 (290 times),
and 24.105.197.53 (120 times). All of them are dynamic IP addresses.
Ten of the top 30 are currently in the CBL, eight are currently in
bl.spamcop.net, eleven are in the PBL, and a grand total of 14 are
in zen.spamhaus.org.
(Locally, 14 were rejected as 'dynamic IP', eight were rejected for bad or missing reverse DNS, three were rejected for being on various DNS blocklists, three were rejected for being in AccelerateBiz network space, and there was one from Cutting Edge Media and one from edatis.net. It was a varied week for the top 30.)
This week Hotmail managed:
- 1 message accepted.
- no messages rejected because they came from non-Hotmail email addresses.
- 30 messages sent to our spamtraps.
- 1 message refused because its sender addresses had already hit our spamtraps.
- 5 messages refused due to their origin IP address (two in the CBL, two from the Cote d'Ivoire, and one in SBL44668, which dates from August 12th 2006).
And the final numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 940 | 72 | 801 | 143 |
| Bad bounces | 57 | 29 | 27 | 20 |
The most active sources of bad HELOs were 216.103.66.186 (73 rejections)
and 217.206.140.214 (70 rejections). The only spot of brightness is that
at least fewer machines seem to be hitting us with bad HELOs.
Bad bounces were sent to 39 different bad usernames this week. The
leading targets were two ex-users, but the dominant sort of target was
usernames like ShawnOtto. A few went to usernames like marcievaughn,
a few to other local past usernames, and there was one to a random
jumble username. As with last week, Earthlink was the dominant
source of bad bounces.
2007-04-08
Weekly spam summary on April 7th, 2007
This week, we:
- got 13,022 messages from 240 different IP addresses.
- handled 18,021 sessions from 1,234 different IP addresses.
- received 169,572 connections from at least 5,382 different IP addresses.
- hit a highwater of 43 connections being checked at once.
Volume is about the same as last week, although evidently we got a big burst of connections some time this week.
| Day | Connections | different IPs |
| Sunday | 25,317 | +8,613 |
| Monday | 22,832 | +7,879 |
| Tuesday | 26,190 | +7,763 |
| Wednesday | 26,237 | +7,283 |
| Thursday | 31,179 | +9,209 |
| Friday | 21,908 | +7,302 |
| Saturday | 15,909 | +5,333 |
This is surprisingly flat, with the exception of Thursday; I'm used to more day to day fluctuations.
Kernel level packet filtering top ten:
Host/Mask          Packets  Bytes
68.230.241.0/24      26291  1277K  cox.net
68.230.240.0/24      18222   885K  cox.net
205.152.59.0/24      14045   637K  bellsouth.net
68.168.78.0/24       13151   631K  adelphia.net
213.29.7.0/24        10280   617K  centrum.cz
213.4.149.12         10174   529K
216.40.35.71          9019   433K
72.249.13.82          8135   447K
216.40.35.67          4854   233K
216.40.35.70          3966   254K
This is about the same as last week, although this week all of the top five spots were claimed by advance fee fraud spam webmail senders; as with last week, I put them in the kernel level blocks early on.
- 213.4.149.12 and 72.249.13.82 return from last week. I note with interest that 72.249.13.82 is now in SBL53250, attributed to a 'Mesa Media'; I always like having my suspicions confirmed about blocks.
- 216.40.35.71, 216.40.35.67, and 216.40.35.70 are all part of 'webmaillogin.com', which we no longer accept email from after it sent us advance fee fraud spam (just like pretty much every other free webmail provider out there).
This is a rather depressing set of top ten IP addresses, and I think it illustrates the degree to which advance fee fraud spam has risen to be a serious problem.
Connection time rejection stats:
45752 total
24453 dynamic IP
15061 bad or no reverse DNS
4610 class bl-cbl
261 class bl-pbl
182 class bl-dsbl
131 class bl-njabl
82 cuttingedgemedia.com
73 class bl-sdul
69 reliablehosting.com
64 midtowndeals.com
54 acceleratebiz.com
50 class bl-sbl
The highest SBL source this week was SBL52928 with 14 rejections (a hijacked server used to send spam), then SBL51080 with 8 rejections (a phish source).
Fourteen of the top 30 most rejected IP addresses were rejected 100
times or more this week; the leader was 76.176.53.227 (216 times, a
rr.com cablemodem). Seven of the top 30 are currently in the CBL,
only two are currently in bl.spamcop.net, 8 are in the PBL, and
a grand total of 15 are in zen.spamhaus.org.
(Locally, 15 were rejected as 'dynamic IP', 11 were rejected for bad or missing reverse DNS, one was a cuttingedgemedia.com machine, one was a reliablehosting.com machine, and there was a smattering of other reasons.)
This week, Hotmail managed:
- 1 message accepted, probably not spam (but then, it wasn't from Hotmail itself).
- 1 message rejected because it came from a non-Hotmail email address (a msn.com one, in this case).
- 33 messages sent to our spamtraps.
- no messages refused because their sender addresses had already hit our spamtraps.
- 6 messages refused due to their origin IP address (three in the CBL, one from SBL38278, a listing from February 22nd 2006, one from Nigeria, and one from saix.net).
And the final numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 801 | 143 | 714 | 83 |
| Bad bounces | 27 | 20 | 37 | 22 |
The most active source of bad HELOs was 69.15.68.98 (70 rejections),
followed by 70.19.117.14 (56 rejections). The bad HELO numbers are up
compared to last week, but not hugely.
Bad bounces were sent to 25 different bad usernames this week; the most
popular destinations at two attempts each were noreply and the made
up username bridgetteswanson. About half the total bounces went to
usernames like ShannonMueller, followed by a number of previously
existing local usernames, and finally a few things like sandychampion.
Earthlink.net was the largest source of bad bounces, sending to both sorts of the firstname plus lastname bad usernames. The remaining bad bounces came from all over, with no particular pattern.
(I am sort of puzzled that we didn't get more bad bounces. While the
spammers are clearly forging our domain on MAIL FROM addresses, they
apparently aren't doing it on very much of their spam.)
2007-04-03
Why charging for email won't do what people want
One of the common suggestions for fixing the email spam problem is to charge a small (often nominal) fee for email. Ignoring all of the problems with implementing such a scheme, and ignoring all of the people who would be violently against it, we can ask an important question: would it actually work?
Let's turn that around and ask the reverse question: has charging for paper mail stopped paper mail spam? Clearly the answer is no; most people get lots of junk mail, despite the senders having to pay for it.
Senders are willing to pay to send their junk mail (and to distribute fliers and so on) because the response rate is worth it. Since contemplated rates for email are at least an order of magnitude smaller than postal costs, charging for email can only avoid spam if response rates to email campaigns are vastly lower than for regular bulk mail ones, and I see no reason why that would be so.
(The other way to look at it is to ask what organizations would pay in order to reach people. For example, at one tenth of a cent per email, it's only $100 to reach 100,000 people; this is chump change to a marketing campaign. At that level people will spend the money just to see if their latest idea works out.)
The one thing that charging for email would do is kill off ISP level spam filtering, because no one is stupid enough to pay ISPs to accept email and then let them just throw it away. If organizations have to pay for sending email, they're going to rightfully insist on actual delivery and so all of your spam filtering is going to have to move to your client; ISPs will become much more like the postal service, stuffing your mailbox with anything they've been paid for.
You can also expect the rates to go up. Once they have to deliver all email, no ISP is going to charge less to receive it than their actual costs, and I suspect that the fully loaded costs are more than a tenth of a cent per email.
In short, charging for email commercializes it. Once it's commercialized, you can expect the interests of the people paying the money, ie the people sending email, to take over. And, as always, the interests of the people sending email are not the same as the interests of the people receiving it.
(You would get a different sort of email spam as a result of this; much more from DMA members, much less from discount pharmacies promoting potency aids.)
2007-04-01
Weekly spam summary on March 31st, 2007
This week, we:
- got 12,348 messages from 259 different IP addresses.
- handled 17,799 sessions from 1,226 different IP addresses.
- received 171,239 connections from at least 53,794 different IP addresses.
- hit a highwater of 28 connections being checked at once.
Somewhat to my surprise, volume is down again from last week, although the concurrent connections highwater is up a lot.
| Day | Connections | different IPs |
| Sunday | 24,671 | +9,666 |
| Monday | 28,038 | +8,584 |
| Tuesday | 26,683 | +8,159 |
| Wednesday | 22,651 | +5,508 |
| Thursday | 30,976 | +9,417 |
| Friday | 21,879 | +6,873 |
| Saturday | 16,341 | +5,587 |
Kernel level packet filtering top ten:
Host/Mask          Packets  Bytes
68.230.241.0/24      21236  1031K  cox.net
213.29.7.0/24        17748  1065K  centrum.cz
205.152.59.0/24      15832   718K  bellsouth.net
68.230.240.0/24      13549   658K  cox.net
213.4.149.12         13506   702K
68.168.78.0/24        9359   449K  adelphia.net
72.249.13.82          8992   494K
72.249.13.84          5195   286K
72.54.120.137         4553   219K
72.249.13.83          4264   235K
By contrast, our kernel packet filtering blocks are up significantly from last week, partly because I was aggressive about throwing blocked advance fee fraud webmail sources into the kernel filters early on. As a result of this, blocked webmail sources account for half the top ten, and all four of the top spots. (To save space, I've just annotated the main listing with who each /24 belongs to.)
- 213.4.149.12 and 72.249.13.82 return from last week.
- 72.249.13.84 and 72.249.13.83 kept trying to send us email from the user name do_not_reply at a domain with temporary DNS failures. For that extra encouragement to accept their email, the machines HELO'd as otcpicksnews4.com and otcpicksnews3.com respectively.
- 72.54.120.137 kept trying with a bad HELO name.
A note to people: if you want to look straightforward and innocent, don't give your machines separate domain names that vary only in their trailing digits, and especially don't try to send email from them with the same SMTP MAIL FROM. Because there are really not that many innocent explanations for why you would need your outgoing email pool machines to have different domain names.
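The pattern in this note (and in the April 14th hint about sequence numbers in domain names) can be checked mechanically. The following is an added example, not code from the original post or from the mail server described here: it groups HELO names whose registered domains differ only in trailing digits and reports any SMTP MAIL FROM shared across them. The session tuple layout, the function names, the last-two-labels shortcut for the registered domain, and all sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample SMTP sessions: (client IP, HELO name, MAIL FROM).
# IPs are documentation-range addresses and the sender domain is made up;
# only the otcpicksnewsN.com HELO names and the do_not_reply user come
# from the post.
SAMPLE_SESSIONS = [
    ("192.0.2.83", "otcpicksnews3.com", "do_not_reply@sender.example"),
    ("192.0.2.84", "otcpicksnews4.com", "do_not_reply@sender.example"),
    ("198.51.100.10", "mail1.example.org", "alice@example.org"),
    ("198.51.100.11", "mail2.example.org", "bob@example.org"),
    ("203.0.113.5", "mx.shop24.example", "news@shop24.example"),
]

_TRAILING_DIGITS = re.compile(r"\d+$")


def registered_domain(helo):
    """Return the last two labels of a HELO name, or None.

    Assumption: this is a stand-in for a Public Suffix List lookup and is
    only right for two-label registrations such as name.com or name.net.
    """
    labels = helo.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def domain_stem(domain):
    """Replace trailing digits of the registered label with '#'.

    Returns None when the label has no trailing digits or is all digits
    (which also discards bare IP addresses used as HELO names).
    """
    first, _, rest = domain.partition(".")
    stem = _TRAILING_DIGITS.sub("", first)
    if stem == first or not stem:
        return None
    return stem + "#." + rest


def find_numbered_pools(sessions):
    """Find groups of distinct domains that differ only in trailing digits.

    Host numbering inside one domain (mail1/mail2.example.org) is normal
    and is not flagged; only the registered domain is compared.
    """
    pools = defaultdict(
        lambda: {"domains": set(), "ips": set(), "senders": defaultdict(set)}
    )
    for ip, helo, mail_from in sessions:
        domain = registered_domain(helo)
        stem = domain_stem(domain) if domain else None
        if stem is None:
            continue
        pool = pools[stem]
        pool["domains"].add(domain)
        pool["ips"].add(ip)
        pool["senders"][mail_from.lower()].add(domain)

    findings = []
    for stem, pool in sorted(pools.items()):
        if len(pool["domains"]) < 2:
            continue  # one numbered domain on its own proves nothing
        shared = sorted(
            sender for sender, doms in pool["senders"].items() if len(doms) >= 2
        )
        findings.append({
            "stem": stem,
            "domains": sorted(pool["domains"]),
            "ips": sorted(pool["ips"]),
            "shared_mail_from": shared,  # the stronger signal from the note
        })
    return findings


if __name__ == "__main__":
    for finding in find_numbered_pools(SAMPLE_SESSIONS):
        print(finding)
```

A non-empty `shared_mail_from` corresponds to the "especially" case in the note; a cluster without it is weaker evidence and is better treated as a reason to look closer than as grounds for an automatic block.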
Connection time rejection stats:
48510 total
26705 dynamic IP
16564 bad or no reverse DNS
3814 class bl-cbl
204 class bl-sbl
180 class bl-dsbl
161 acceleratebiz.com
110 class bl-pbl
109 dartmail.net
74 cuttingedgemedia.com
71 class bl-njabl
43 class bl-sdul
The highest SBL sources this week are a rerun of last week: first SBL52715 with 149 rejections, then SBL50181 with 22. I'd find it striking, but mostly I find it depressing.
Seventeen of the top 30 most rejected IP addresses this week were
rejected 100 times or more; the leader is 201.244.113.194 (237
rejections, for having bad reverse DNS). Eleven of the top 30 are
currently in the CBL, 3 are currently in bl.spamcop.net, eight are in
the PBL, and a grand total of 16 are in zen.spamhaus.org.
(Locally, 18 were rejected as 'dynamic IP', 11 were rejected for bad or missing reverse DNS, and one was a cuttingedgemedia.com machine.)
This week's Hotmail numbers are:
- 3 messages accepted, at least two of which were almost certainly spam.
- no messages rejected because they came from non-Hotmail email addresses.
- 36 messages sent to our spamtraps.
- 1 message refused because its sender address had already hit our spamtraps.
- 2 messages refused due to their origin IP address (one in SBL44668, a listing from August 12th 2006, and one from Burkina Faso).
And the final numbers:
| what | # this week | (distinct IPs) | # last week | (distinct IPs) |
| Bad HELOs | 714 | 83 | 561 | 81 |
| Bad bounces | 37 | 22 | 2 | 2 |
Well, so much for the nice numbers on bad bounces from last week.
In better news, no particular source of bad HELOs stood out, and
the most active one, 74.62.160.117, only had 52 rejections.
Bad bounces were sent to 22 different bad usernames this week, with the
most popular being noreply with 10 attempts. Most of the bad usernames
were at least not random, and some of them were for past local users;
there were a fair number of usernames like trinawebber that were
trying for plausible first name plus last name.
The most prolific source of bad bounces is an ISP in Bulgaria, followed by Earthlink. The remaining bad bounces come from all over, including a well-named machine called 'mail.victim.com' (72.1.148.50).