Wandering Thoughts archives

2007-05-26

Weekly spam summary on May 26th, 2007

Unfortunately, our SMTP frontend restarted sometime Friday, so I only have some statistics up until Friday morning. That said, this week we:

  • got 10,439 messages from 277 different IP addresses.
  • handled 18,746 sessions from 1,402 different IP addresses.
  • received 137,918 connections from at least 49,448 different IP addresses up until Friday at 4am.
  • hit a highwater of 9 connections being checked at once.

Mashing some data around suggests that the total connection volume over the entire week is at least 165,164 connections, which would put us somewhat up from last week. It's possible that Friday saw a major surge of connections that were not captured in various things.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          32661   1697K
205.152.59.0/24       23363   1059K bellsouth.net
213.29.7.0/24         15685    940K centrum.cz
68.230.240.0/23       14168    688K cox.net
216.75.6.165           9211    442K
68.168.78.0/24         7787    374K adelphia.net
67.126.132.83          7170    344K
209.159.39.221         3917    235K
212.175.13.129         3807    228K
193.70.192.0/24        2978    134K iol.it

Overall volume is down from last week, which I consider good. Unfortunately but predictably, I don't think the advance fee fraud spam webmail sources are doing much about their problem yet.

  • 213.4.149.12, mailhost.terra.es, returns from last week and many weeks before.
  • 216.75.6.165 and 209.159.39.221 return from last week.
  • 67.126.132.83 does not technically return from last week because it was not in the kernel packet filtering list then, but it was the top bad HELO source then and this time it made the top ten.
  • 212.175.13.129 was also listed for repeatedly trying a bad HELO, and returns from early January.

Connection time rejection stats:

  44597 total
  24119 dynamic IP
  14810 bad or no reverse DNS
   4267 class bl-cbl
    249 qsnews.net
    241 class bl-pbl
    152 dartmail.net
    137 acceleratebiz.com
     88 class bl-sbl
     82 class bl-dsbl
     80 class bl-sdul
     40 class bl-njabl
     30 216.75.6.0/24

The highest source of SBL rejections this week was SBL51583 with 22 rejections; it is a listing from February 23rd for a hijacked 'serverkompetenz.net' machine. The next highest source (at 18 rejections) is for an IP address that has now been removed from the SBL; I suspect that it was a hijacked machine that got cleaned up.

Five of the top 30 most rejected IP addresses were rejected 100 times or more this week; the champion is 41.204.70.129 (326 rejections, for bad or missing reverse DNS), followed by 216.213.172.11 (228 rejections, qsnews.net), 65.240.228.69 (191 rejections, in the CBL), 83.26.3.82 (162 rejections, a tpnet.pl ADSL customer), and 88.238.114.36 (145 rejections, for bad or missing reverse DNS).

(Checking what else is hanging out in 216.213.172.0/24, I am somehow not surprised to find signs of otcpicksnews.com.)

Eleven out of the top 30 most rejected IP addresses are currently in the CBL, two are in the SBL (213.154.88.179 is in SBL21134 and SBL43951, a /23 and a /22 listing for advance fee fraud from Senegal that date from May and July of 2006, and 213.154.94.143 is in SBL21129, another listing for Senegal advance fee fraud spam sources, this time dating from November 2004), seven are currently in bl.spamcop.net, eighteen are in the PBL, and a grand total of 21 out of the 30 are in zen.spamhaus.org. Lest I become too enthused about zen.spamhaus.org agreeing with me, only six of our top ten are in it.

(Locally, 15 were rejected as dynamic IP addresses, 13 for having bad or missing reverse DNS, one for being qsnews.net, and one for being in the CBL.)
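The rejection tallies above (total, per-reason counts, the top 30 most rejected IPs and how many of them were refused 100 times or more) are the kind of numbers a small script pulls out of the frontend's reject log. The following is an added example, not the blog's own tooling: it assumes a constructed one-line-per-decision log format ("date time accept|reject client-ip reason"), with illustrative IPs from documentation ranges, and renders the per-reason counts in the same "  NNNNN reason" layout the summaries use.

```python
import re
from collections import Counter, defaultdict

# Constructed log format for this example (the real frontend's format is not
# given on the page): "YYYY-MM-DD HH:MM:SS accept|reject <ip> <reason>".
LINE_RE = re.compile(r"^(\S+ \S+) (accept|reject) (\S+) (\S+)$")

# Constructed sample lines; IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2007-05-20 00:01:12 reject 192.0.2.50 dynamic-ip
2007-05-20 00:02:03 reject 198.51.100.9 bad-rdns
2007-05-20 00:02:40 reject 192.0.2.50 dynamic-ip
2007-05-20 00:05:17 reject 203.0.113.4 bl-cbl
2007-05-20 00:06:01 accept 192.0.2.77 -
2007-05-20 00:07:55 reject 192.0.2.50 dynamic-ip
2007-05-20 00:09:30 reject 198.51.100.9 bad-rdns
2007-05-20 00:11:02 reject 203.0.113.8 bl-sbl
this line is garbage and is skipped
""".splitlines()


def parse_rejects(lines):
    """Yield (ip, reason) for every rejection; accepts and malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, verdict, ip, reason = m.groups()
        if verdict == "reject":
            yield ip, reason


def summarize(lines, top_n=30, heavy=100):
    """Build the weekly numbers: total, distinct IPs, counts per reason,
    the top_n most rejected IPs (with their dominant reason) and how many
    of those were rejected at least `heavy` times."""
    rejects = list(parse_rejects(lines))
    by_reason = Counter(reason for _ip, reason in rejects)
    by_ip = Counter(ip for ip, _reason in rejects)
    reason_per_ip = defaultdict(Counter)
    for ip, reason in rejects:
        reason_per_ip[ip][reason] += 1
    top = by_ip.most_common(top_n)
    return {
        "total": len(rejects),
        "distinct_ips": len(by_ip),
        "by_reason": by_reason.most_common(),
        "top_ips": [(ip, n, reason_per_ip[ip].most_common(1)[0][0]) for ip, n in top],
        "heavy_hitters": sum(1 for _ip, n in top if n >= heavy),
    }


def format_stats(summary):
    """Render per-reason counts right-aligned, as in 'Connection time rejection stats'."""
    width = len(str(summary["total"]))
    out = [f"  {summary['total']:>{width}} total"]
    for reason, n in summary["by_reason"]:
        out.append(f"  {n:>{width}} {reason}")
    return "\n".join(out)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(format_stats(s))
    for ip, n, reason in s["top_ips"]:
        print(f"{ip:15s} {n:5d}  {reason}")
```

Reasons are ordered by count and, for ties, by first appearance in the log, which is what Counter.most_common() gives; a real run would feed it a week's log and raise top_n as needed.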

This week, Hotmail had:

  • 4 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 36 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 6 messages refused due to their origin IP address (two from the Cote d'Ivoire, one in the CBL, one in SBL33810, one from Nigeria, and one from saix.net).

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             624              92          769              62
Bad bounces           190              94           52              25

There was no particular active bad HELO source this week (probably partly because I blocked some of them early).

Bad bounces were sent to 173 different bad usernames this week, with the most popular one being raebynum with five attempts. The bad usernames are all over the map this week, but the most popular sort seems to be things like JewelZavala. For amusement, there was one attempt to deliver a bounce to the username user. Bounces came from all over, with Verizon and Earthlink still up in the list but being challenged by sites in the Far East (including Japan and Taiwan), Australia, and various other places.

SpamSummary-2007-05-26 written at 23:47:16

2007-05-25

The risks of spam filtering (part 1)

While spam filtering is 'dangerous' in that it can trigger on legitimate email, incorrectly classifying it as spam, there are different levels of dangerousness depending on what you do as a result of things triggering. In increasing levels of danger, there are three general things that people do:

  1. reject the email message during the SMTP conversation.
  2. discard the email message.
  3. bounce the email message back to the alleged sender.

The danger of the second option is obvious: the sender of a legitimate email message receives no indication that their email didn't reach the recipient. To them it looks just as if the recipient got it and is ignoring it, while to the recipient it looks like they never sent it in the first place.

The first and the third options both let senders of legitimate email know when their email didn't go through. The problem with the third option, and why it is the worst, is what happens with properly identified spam email. Most spam emails have forged sender information, which means that your mail server will be deluging innocent bystanders with what is effectively spam (to them); in the trade this is known as backscatter and makes people increasingly irate.

(Because of how spammers currently operate, rejecting email during the SMTP conversation is far less likely to do this, and if it does happen anyway it's not your fault because it's not your machine that is sending the bounces.)

Some spam filtering techniques don't explicitly reject email messages during SMTP conversations, but have a failure mode where your mail system never actually accepts the email and the sender's mail system eventually gives up on the message; the best-known technique that can do this is greylisting. This is equivalent to rejecting the email during the SMTP conversation and has the same effects: if the sender is legitimate, they'll get a message that their email didn't go through, and if it's a spammer the message will probably just silently disappear.

(This is not unique to spam filtering; because modern mail systems insist that the domain of the sender address actually exists, persistent DNS issues can cause a similar 'defer until the sending machine times out the message' failure.)
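To make the greylisting failure mode concrete, here is an added example (not code from the original entry) of a minimal greylisting policy and three simulated senders. It keys on the usual (client IP, envelope sender, envelope recipient) triplet, defers the first attempt, and accepts a retry from the same triplet after a minimum delay. The delays, addresses and IPs are constructed for the example; the third sender, a farm that retries from a different outbound IP each time, never repeats a triplet and so is never accepted before its own queue gives up, which is exactly the 'effectively rejected' outcome described above.

```python
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """Per-triplet greylisting state. min_delay and max_wait are constructed
    values for this example, not settings from the blog's mail system."""
    min_delay: float = 300.0        # seconds a retry must wait to be accepted
    max_wait: float = 4 * 3600.0    # forget a pending triplet after this long
    pending: dict = field(default_factory=dict)   # triplet -> first-seen time
    allowed: set = field(default_factory=set)     # triplets that have passed

    def check(self, ip, sender, rcpt, now):
        """Return 'accept' or 'defer' (a temporary 4xx) for one attempt at time now."""
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.allowed:
            return "accept"
        first = self.pending.get(key)
        if first is None or now - first > self.max_wait:
            self.pending[key] = now        # first (or stale) sighting: defer it
            return "defer"
        if now - first >= self.min_delay:
            self.allowed.add(key)          # genuine retry: let it through
            del self.pending[key]
            return "accept"
        return "defer"                     # retried too soon, keep deferring


def deliver(greylist, attempts):
    """attempts: (time, ip, sender, rcpt) tuples for ONE message, in the order
    the sending MTA tries them. 'delivered' on the first accept; 'gave up' if
    the sender ran out of attempts while we were still deferring."""
    for now, ip, sender, rcpt in attempts:
        if greylist.check(ip, sender, rcpt, now) == "accept":
            return "delivered"
    return "gave up"


# Constructed senders; addresses and IPs are illustrative only.
RCPT = "bob@example.org"
LEGIT_MTA = [(t, "192.0.2.10", "alice@example.net", RCPT) for t in (0, 900, 2700)]
SPAM_BOT = [(0, "198.51.100.7", "fake@forged.example", RCPT)]   # fires once, never retries
IP_POOL = [(t, ip, "carol@example.com", RCPT)
           for t, ip in [(0, "203.0.113.1"), (900, "203.0.113.2"),
                         (2700, "203.0.113.3"), (7200, "203.0.113.4")]]


def run_all():
    """Outcome per simulated sender against a fresh greylist."""
    gl = Greylist()
    return {"legit_mta": deliver(gl, LEGIT_MTA),
            "spam_bot": deliver(gl, SPAM_BOT),
            "ip_pool": deliver(gl, IP_POOL)}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:10s} {result}")
```

The spam bot's message vanishes without anyone being told, the legitimate MTA gets through on its second try, and the pool sender's message is 'gave up': its MTA will eventually report non-delivery to its user, which is why the outcome is indistinguishable from an SMTP-time reject.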

SpamFilteringRisksI written at 14:15:45

2007-05-19

Weekly spam summary on May 19th, 2007

This week, we:

  • got 10,112 messages from 256 different IP addresses.
  • handled 17,652 sessions from 1,101 different IP addresses.
  • received 154,723 connections from at least 52,588 different IP addresses.
  • hit a highwater of 10 connections being checked at once.

Volume is definitely down compared to last week, although the connection highwater is the same. In fact I believe this is about the lowest it's been in a while. The per day table is pretty flat:

Day        Connections  different IPs
Sunday          21,494         +8,681
Monday          23,915         +7,719
Tuesday         24,752         +8,314
Wednesday       19,784         +6,416
Thursday        24,210         +7,165
Friday          22,797         +7,834
Saturday        17,771         +6,459

Wednesday stands out so much that I find myself wondering if we had some sort of Internet connectivity interruption then. (Not that I noticed.)

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          40667   2115K
81.29.198.11          27795   1667K
205.152.59.0/24       23790   1078K bellsouth.net
68.230.240.0/23       23148   1124K cox.net
68.168.78.0/24        14972    719K adelphia.net
213.29.7.0/24         12577    754K centrum.cz
216.75.6.165           8532    409K
61.9.154.105           6427    308K
61.9.149.224           5621    270K
209.159.39.221         5184    311K

The big advance fee fraud spam webmail sources did not so much drop as get displaced by other, more active places; kernel rejection volume is up significantly from last week.

  • 213.4.149.12, mailhost.terra.es, returns from last week and many previous weeks.
  • 81.29.198.11 is blocked for being a phish spam source.
  • 216.75.6.165 returns from last week, still in a /24 apparently colonized by a spammer.
  • 61.9.154.105 and 61.9.149.224 were rejected for being bigpond.net.au generic customers, and on checking I see that they are both on the CBL and one is even SBL54740.
  • 209.159.39.221 is in the SORBS DUL.

Connection time rejection stats:

  39266 total
  19977 dynamic IP
  13568 bad or no reverse DNS
   4192 class bl-cbl
    382 qsnews.net
    172 class bl-dsbl
    115 class bl-sdul
    113 acceleratebiz.com
    110 class bl-pbl
     93 dartmail.net
     69 reliablehosting.com
     51 class bl-njabl
     48 class bl-sbl
     35 216.75.6.0/24

The highest source of SBL rejections this week is SBL30718 at 11 rejections (a September 4th 2005 /24 listing for too much advance fee fraud spam), followed by SBL50181 at 10 rejections (microcamp.com.br, which we've seen many times before). It's kind of depressing that even the SBL hasn't been able to get these people to take notice and fix their problems.

Only one of the top 30 most rejected IP addresses was rejected 100 times or more this week: 216.213.172.11, part of our qsnews.net block, was rejected 300 times. Seven out of the top 30 are currently in the CBL, eighteen are currently in bl.spamcop.net, fifteen are in the PBL, and a grand total of 19 are in zen.spamhaus.org.

(Locally, 21 were rejected as dynamic IP addresses, 4 for having bad or missing reverse DNS, three for being from places we don't want to talk to any more, and one for being in the SORBS DUL and one for being in the DSBL.)

This week Hotmail had:

  • no messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 53 messages sent to our spamtraps.
  • 5 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one in the CBL and one from Senegal).

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             769              62         1833             172
Bad bounces            52              25          452             423

This is a welcome decline from last week. The leading source of bad HELOs was 67.126.132.83 (97 tries), followed by 202.64.172.140 and 65.75.64.3 (each with 70 tries).

Bad bounces were sent to 50 different bad usernames this week, with the most popular being a tie between yuri0814 and JeanChang at two each. Bad usernames like LamarByrne completely dominated the list, with only one ex-user and a few things like khw and a-k511. This week Verizon totally dominates as the origin, with softbank.ne.jp and Earthlink more or less tied for a distant second spot.

SpamSummary-2007-05-19 written at 23:28:34

2007-05-12

Weekly spam summary on May 12th, 2007

This week, we:

  • got 11,570 messages from 275 different IP addresses.
  • handled 20,679 sessions from 1,692 different IP addresses.
  • received 186,687 connections from at least 62,023 different IP addresses.
  • hit a highwater of 10 connections being checked at once.

Well, so much for the trend of decreasing volume; all of these are up noticeably from last week. The per day table suggests that this may have been mostly in the start of the week:

Day        Connections  different IPs
Sunday          26,438        +10,319
Monday          37,739        +10,616
Tuesday         31,307         +9,414
Wednesday       23,956         +8,468
Thursday        23,379         +7,934
Friday          25,344         +7,974
Saturday        18,524         +7,298

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       34227   1662K cox.net
213.4.149.12          26247   1365K
205.152.59.0/24       20422    926K bellsouth.net
68.168.78.0/24        14991    720K adelphia.net
213.29.7.0/24         11017    661K centrum.cz
216.75.6.165           6111    293K
67.103.186.2           5545    255K
76.204.233.194         4728    221K
65.175.90.190          3964    217K
195.5.254.0/24         3941    216K nerim.net

The total volume is about the same as last week, but it has definitely shifted around significantly; I am pleased that some of the advance fee fraud webmail sources seem to be dropping down the table.

  • 213.4.149.12, mailhost.terra.es, reappears from last week and many previous appearances.
  • 216.75.6.165 is someone we've never heard from before who was blocked for being in the same /24 as a spammer. As I commented last week, it's amazing how often this smokes out more interesting people; you would think that spammers buy a bunch of hosting from an ISP all at once, or something.
  • 67.103.186.2 and 76.204.233.194 are both IP addresses that we classify as dynamic IPs.
  • 65.175.90.190 reappears from late April, and was blocked for the same reason now as then: it kept trying to send stuff that had already tripped our spamtraps.

Connection time rejection stats:

  45538 total
  25346 dynamic IP
  14123 bad or no reverse DNS
   4404 class bl-cbl
    319 qsnews.net
    145 class bl-dsbl
    122 class bl-pbl
    110 acceleratebiz.com
    104 dartmail.net
    103 216.75.6.0/24
     96 Yesmail
     70 reliablehosting.com
     93 class bl-njabl
     77 class bl-sbl
     64 class bl-sdul

It is either depressing or encouraging how little gets blocked by all the DNS blocklists except the CBL; with some small exceptions, spamming us from dedicated network space is basically dead.

The highest source of SBL rejections this week is SBL53722 at 18 rejections (an April 19th listing for cavtel.net, an active advance fee fraud spam source), followed by SBL53319 at 17 rejections (a May 1st listing for 'inhoster.com', apparently a major source of spam and spam/cybercrime website hosting) and SBL50181 at 15 (microcamp.com.br appearing yet again, as it did last week).

Five of the top 30 most rejected IP addresses were rejected 100 times or more this week, with the leader being 62.42.62.93 (an onolab.com dynamic IP address), which was rejected 923 times. Eight of the top 30 are currently in the CBL, seven are currently in bl.spamcop.net, ten are currently in the PBL, and a grand total of only thirteen of the thirty are currently in zen.spamhaus.org.

(Locally, 17 were rejected as dynamic IP addresses, 6 for having bad or missing reverse DNS, 5 for being from various places we don't want to talk to, and two for being in the DSBL.)

This week Hotmail had:

  • 2 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 38 messages sent to our spamtraps.
  • 11 messages refused because their sender addresses had already hit our spamtraps.
  • 7 messages refused due to their origin IP address (two from Senegal, two from the Cote d'Ivoire, one in the CBL, one from Nigeria, and one from saix.net).

(As it turns out, two of the country rejections are now also on the CBL, although they were not at the time we rejected the email from Hotmail.)

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            1833             172          674              55
Bad bounces           452             423           42              23

Well, talk about an explosion in both sets of numbers. The leading source of bad HELOs this week is 66.18.49.218 (85 tries), followed by 87.86.107.83 (72 tries), 64.45.239.234 (also 72 tries), and 67.136.247.97 (71 tries).

Bad bounces were sent to 52 different bad usernames this week; the most popular was ifn at 50 attempts, followed by akz (47), oihfn (43), rrs (40), and quite a number of others with more than one hit. Random letter jumbles (mostly three characters long) pretty much took over the list of target usernames, and the sources came from all over, although Earthlink continues to be a popular source.

SpamSummary-2007-05-12 written at 23:27:18

2007-05-05

Weekly spam summary on May 5th, 2007

This week, we:

  • got 11,805 messages from 264 different IP addresses.
  • handled 19,470 sessions from 1,321 different IP addresses.
  • received 170,583 connections from at least 62,048 different IP addresses.
  • hit a highwater of 11 connections being checked at once.

We had more sessions and more IPs connecting to us this week than last week but fewer total connections, and your guess is as good as mine as to what it really means (if anything).

Day        Connections  different IPs
Sunday          21,310         +8,843
Monday          32,292        +13,696
Tuesday         23,799         +8,856
Wednesday       22,444         +6,896
Thursday        25,018         +8,174
Friday          28,093         +9,787
Saturday        17,627         +5,796

This week Monday and Friday were the big days, with a run-down on Tuesday and a run-up on Thursday.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       34228   1662K cox.net
206.123.109.0/27      20656   1135K otcpicknews
213.4.149.12          19454   1012K
205.152.59.0/24       18745    850K bellsouth.net
68.168.78.0/24        13503    648K adelphia.net
213.29.7.0/24          9039    542K centrum.cz
202.154.224.43         7387    443K
195.5.254.0/24         4216    231K nerim.net
200.68.116.133         4163    200K
67.53.104.2            4000    192K

Since the otcpicknews.com people are still at it, I've now awarded them their very own permanent kernel block entry. Otherwise, volume is up somewhat from last week, and this week sees the addition of nerim.net to our rolling 'too much bad stuff' /24 blocks; they kept retrying stuff that had already tripped our spamtraps from an ever-changing set of hosts in that /24, and I got tired of shooting them down one by one.

  • 213.4.149.12 returns from last week, still mailhost.terra.es.
  • 202.154.224.43 kept trying to send email with an origin address that had already tripped our spamtraps (probably advance fee fraud spam).
  • 200.68.116.133 has bad reverse DNS information.
  • 67.53.104.2 kept trying with a bad HELO.

It is pretty striking and depressing that the top ten is more than half network blocks this week, most of them blocked for excessive amounts of advance fee fraud spam.

Connection time rejection stats:

  39579 total
  21321 dynamic IP
  12543 bad or no reverse DNS
   4225 class bl-cbl
    204 class bl-pbl
    119 qsnews.net
    108 acceleratebiz.com
    105 216.75.6.0/24
    104 class bl-dsbl
     99 class bl-sbl
     96 otcpicknews.com
     95 class bl-njabl
     74 class bl-sdul
     24 verticalresponse.com

I note in passing how startlingly common it is for me to block the /24 a spammer hit us from and magically have that /24 light up in our stats, with connection attempts from all sorts of oddly named machines that we've never heard of before.

The highest source of SBL rejections this week is the same as last week: SBL49395 at 27 hits, a /24 listing for swishmail.com from December 23rd. Following it is SBL50181 with 23 rejections (microcamp.com.br's compromised web server, which has made the list several times before), and SBL52705 with 14 rejections (an advance fee fraud spam source listed March 23rd).

Only one of the top 30 most rejected IP addresses was rejected 100 times or more this week: 62.42.51.127, an onolab.com dynamic IP address, was rejected 241 times. Nine of the top 30 are currently in the CBL, one is in SBL34922, three are currently in bl.spamcop.net, seven are in the PBL, and a not so grand total of 11 of the 30 are in zen.spamhaus.org.

(Locally, 10 were rejected as dynamic IP addresses, 9 for having bad or missing reverse DNS, 7 for being from various places we don't want to talk to, two for being in the CBL, one for being in the NJABL, and one for being in the DSBL.)

This week Hotmail achieved:

  • 2 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 34 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (one in the CBL, one from the Cote d'Ivoire, and one from Burkina Faso).

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             674              55          699              69
Bad bounces            42              23          125              57

The leading bad HELO source is 67.52.252.210, with 73 tries.

Bad bounces were sent to 36 different bad usernames this week, which is coincidentally the same number as last week; the most popular was nutvmme, with 3 attempts. Usernames like ClydeCall continue to be the most popular variety, sprinkled with valid ex-users, a few things like kenburr, and random jumbles. This week, Earthlink is the leading source of bad bounces, with additional contributions from all over.

SpamSummary-2007-05-05 written at 23:41:12
