Wandering Thoughts archives

2007-06-30

Weekly spam summary on June 30th, 2007

This week, we:

  • got 10,108 messages from 265 different IP addresses.
  • handled 22,107 sessions from 2,055 different IP addresses.
  • received 271,991 connections from at least 75,816 different IP addresses.
  • hit a highwater of 13 connections being checked at once.

Volume is definitely up from last week. As the per day table illustrates, spammers seem to still prefer Wednesday for their big day:

Day        Connections  different IPs
Sunday          30,361        +10,541
Monday          33,717        +10,522
Tuesday         48,138        +13,716
Wednesday       53,070        +12,528
Thursday        36,163        +10,467
Friday          39,189        +10,501
Saturday        31,353         +7,541

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          48724   2534K
205.152.59.0/24       18437    836K bellsouth.net
206.123.109.0/27      17088    944K otcpicknews.com
68.230.240.0/23       16148    784K cox.net
68.167.174.246        12468    584K
199.239.248.157       11273    556K
68.168.78.0/24        10395    499K adelphia.net
64.191.86.69           5511    331K
208.108.197.97         4850    266K
209.16.79.66           4122    198K

Here too volume is up from last week, although not as much.

  • 213.4.149.12 returns from last week and many prior appearances, once again showing no signs of giving up.
  • 68.167.174.246 also returns from last week. As it happens, they appear to be 'thegrantinstitute.com' (according to their SMTP banner), which is someone we don't want to talk to anyways.
  • 199.239.248.157 kept trying to send us phish spam.
  • 64.191.86.69 is in hostnoc.net space and doesn't have working reverse DNS.
  • 208.108.197.97 kept trying to send mail with an origin address that had already tripped our spamtraps.
  • 209.16.79.66 kept trying a bad HELO.

Connection time rejection stats:

  85848 total
  48063 bad or no reverse DNS
  30626 dynamic IP
   5052 class bl-cbl
    318 class bl-pbl
    249 qsnews.net
    164 dartmail.net
    110 class bl-dsbl
     96 class bl-sdul
     85 class bl-sbl
     42 216.75.6.0/24
     30 class bl-njabl

The highest source of SBL rejections this week was technically 200.221.11.147 with 16 rejections, but their SBL record has already been removed; since this is zipmail.com.br, I will speculate wildly that they were listed for sourcing lots of advance fee fraud spam, which is certainly why we don't talk to them. After that was SBL56008 with 13 rejections and SBL53722 with 10 rejections; both of them seem to have been listed as advance fee fraud spam sources.

Nine of the top 30 most rejected IP addresses were rejected 100 times or more; the champion is 202.61.62.248 (1,296 rejections), followed by 202.196.43.168 (750 rejections), 189.130.216.253 (437 rejections, bad), 189.130.216.241 (362 rejections), and 189.130.216.208 (178 rejections). All of them were rejected for bad or missing reverse DNS, but except for 202.196.43.168, all of them are also on either or both of the CBL and the PBL.

Thirteen of the top 30 are currently in the CBL, two are in the SBL (in SBL55457 and SBL52160, which is a depressing March 22nd listing of a Chinese /18 for spammer hosting), five are currently in bl.spamcop.net, eleven are in the PBL, and a grand total of 17 are in zen.spamhaus.org.

(Locally, 22 were rejected for bad or missing reverse DNS, 4 for being dynamic IPs, and 4 for being various people we don't want to talk to.)

This week, Hotmail had:

  • 5 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 39 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 13 messages refused due to their origin IP address (eight in the CBL, two in SBL21128, one in SBL47233, one from Nigeria, and one from Burkina Faso).

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            4120             240         1072             136
Bad bounces           688             527          327             194

Things got bad this week. While I expected to find a big source or two of bad HELOs, the leading source this week was 66.55.8.242 with only 132 attempts, followed by 71.35.254.126 (83). Apparently there were just more people this week in the 30 to 60 attempts range.

Bad bounces were sent to 276 different bad usernames this week, with the most popular one by far being jtpnu with 130 attempts, followed by hvd with 68, pnu with 61, tpnu with 58, dnwga with 35, and vdnw with 31. Various patterns show up, including a surprising number that look Japanese, and to be generic there was a fred and a hello-everybody (along with a few ex-users).

SpamSummary-2007-06-30 written at 23:51:00

2007-06-29

Why forwarding all email for users is dangerous

The problem with forwarding all email for users is that much of the time you wind up forwarding spam email as a result, sometimes a great deal of it. That is: your mail servers wind up sending spam email, often a lot of it, to the places that your users have forwarded their emails. There are two consequences of this.

First, these days large Internet providers like Yahoo don't care why you're sending them spam, they just care that you are. When you do send them spam, they react to it by slowing down or stalling all of your email to them in various ways. Which means that all email from your local users to people on Yahoo (or wherever) is going to get delayed (or sometimes outright refused).

Second, a number of places now outright reject spam and viruses at SMTP time. When your users forward their email to such a place, the net result is that you wind up sending bounces back to the claimed origin of the spam, which is almost always forged. There's a term for that these days: backscatter. It's not a good thing.

Not allowing users to forward their email is not an option in a university environment, so the best way we currently have to deal with this is to strongly encourage our users to only forward their non-spam email. We also make sure that our bounces come from a different machine than the one regular user email gets sent out from.

(For both political and technical reasons we can't currently reject spam at SMTP time here.)

ForwardingDanger written at 13:49:10

2007-06-26

A small update on comment spammer behavior

Back in CommentSpammerBehavior I wrote that checking the HTTP Referer header wasn't worthwhile because everyone got it right. That is no longer true; a significant number of comment spam attempts come from some group that is using HTTP Referer headers of the (illegal) form 'URL1, URL2, ..., MyURL' (where MyURL is the URL of my 'write a comment' form); the number of URLs varies.

(A few times they have left out the spaces after the commas, making their Referer values technically legal.)

Most of the URLs are of other blogs, guestbooks, or bulletin boards that are encrusted with spam, but every so often the spammers will throw in one that isn't, apparently picked at random.

All of the machines in the past 28 days or so use a User-Agent of:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; Maxthon)

Also over the last month, this group of spammers seems to be the only thing using this user-agent string. Some Google searching suggests that places like Project Honeypot are also seeing activity from this group, some of them from IPs that have been doing this for quite a while (see, eg, here, and I have to say that Project Honeypot uses really long URLs).

After some checking, less than 20% of the IP addresses from the last month are listed in xbl.spamhaus.org, although a couple of them are SBL listed; interestingly, one of the SBL listed IPs is in IP address space said to belong to the ROKSO-listed 'Hong Chen / YonHen Internet Marketing Center'.

(The other SBL listings are for 195.175.37.70 and 195.175.37.71, in SBL52252 and SBL54789 as known open and actively abused proxies.)

Fortunately, blocking this group is embarrassingly easy. Also fortunately (or unfortunately) they're not very prolific, making maybe 20 attempts a day and hitting only two entries.

(I have a certain peculiar affection for prolific but easily blocked comment spammers; it warms the cockles of my black heart to see them fail over and over again.)
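As an added example (not code from this entry or from the software that runs this blog), here is one way to write the Referer check the entry describes, catching both the spaced and the unspaced URL-list forms. The function names, the verdict policy (reject on a URL list, treat the user-agent alone as merely suspect) and the example.org/.net/.com URLs are assumptions made up for the illustration.

```python
import re

# User-Agent string the entry reports for this group of comment spammers.
SPAMMER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; Maxthon)"

# A comma (with or without following spaces) directly before another
# http(s):// marks the boundary between URLs packed into one header value.
# A comma inside a single URL's query string is not followed by a scheme,
# so it is left alone.
URL_BOUNDARY = re.compile(r",\s*(?=https?://)", re.IGNORECASE)


def split_referer(value):
    """Split a Referer header value into the URLs packed into it."""
    value = value.strip()
    if not value:
        return []
    return [part.strip() for part in URL_BOUNDARY.split(value)]


def check_comment_post(headers, form_url):
    """Return (verdict, reasons) for a request to the comment form.

    Assumed policy: a Referer holding several URLs is rejected outright;
    any other signal alone only marks the request as suspect.
    """
    # HTTP header names are case-insensitive.
    hdrs = {name.lower(): value for name, value in headers.items()}
    referer = hdrs.get("referer", "")
    reasons = []

    urls = split_referer(referer)
    if len(urls) > 1:
        reasons.append("referer-url-list")
        if urls[-1] == form_url:
            reasons.append("list-ends-with-comment-form")
    # Whitespace is never valid inside a URL, so this catches the
    # 'URL1, URL2' form even if the splitting heuristic misses it.
    if re.search(r"\s", referer.strip()):
        reasons.append("referer-contains-whitespace")
    if hdrs.get("user-agent", "") == SPAMMER_UA:
        reasons.append("known-spammer-user-agent")

    if "referer-url-list" in reasons:
        return "reject", reasons
    return ("suspect" if reasons else "accept"), reasons


# Constructed sample requests (not taken from real logs).
FORM_URL = "http://blog.example.org/blog/SomeEntry?writecomment"
OTHER_URLS = [
    "http://guestbook.example.net/sign.php",
    "http://forum.example.com/viewtopic.php?t=12",
]
BROWSER_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US) Firefox/2.0"
SAMPLE_REQUESTS = {
    "spaced_list": {"Referer": ", ".join(OTHER_URLS + [FORM_URL]),
                    "User-Agent": SPAMMER_UA},
    "unspaced_list": {"Referer": ",".join(OTHER_URLS + [FORM_URL]),
                      "User-Agent": SPAMMER_UA},
    "normal": {"Referer": FORM_URL, "User-Agent": BROWSER_UA},
    "comma_in_query": {"referer": "http://blog.example.org/search?tags=spam,smtp",
                       "User-Agent": BROWSER_UA},
    "ua_only": {"Referer": FORM_URL, "User-Agent": SPAMMER_UA},
}

if __name__ == "__main__":
    for name, request in SAMPLE_REQUESTS.items():
        print(name, check_comment_post(request, FORM_URL))
```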

CommentSpammerBehaviorII written at 23:42:02

2007-06-23

Weekly spam summary on June 23rd, 2007

This week, we:

  • got 10,190 messages from 259 different IP addresses.
  • handled 18,093 sessions from 1,527 different IP addresses.
  • received 223,304 connections from at least 76,627 different IP addresses.
  • hit a highwater of 10 connections being checked at once.

This is up a bit from last week in both connection volume and the number of different IPs trying to talk to us.

Day        Connections  different IPs
Sunday          26,556        +10,547
Monday          36,931        +12,843
Tuesday         33,743        +12,127
Wednesday       40,667        +13,267
Thursday        28,317         +9,957
Friday          31,912         +9,897
Saturday        25,178         +7,989

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       32271   1566K cox.net
213.4.149.12          21370   1109K
205.152.59.0/24       21336    966K bellsouth.net
68.168.78.0/24        12143    581K adelphia.net
206.123.109.0/27      11948    662K
72.249.13.81           9476    528K
203.204.118.61         8723    519K
213.4.149.11           4182    217K
68.167.174.246         4062    190K
212.216.176.0/24       3511    169K tin.it

Volume is about the same as last week. The 206.123.109.0/27 netblock is blocked because of otcpicknews.com et al; I put them in the kernel blocks after I got tired of them hammering on us.

  • 213.4.149.12 and 213.4.149.11 return from last week and many previous appearances.
  • 72.249.13.81 is beaconresearchnews.com. We have decided that we don't want to talk to them.
  • 203.204.118.61 aka 50-off.com.tw is in SBL49970, which dates from 11 January 2007.
  • 68.167.174.246 is something we consider a dynamic IP address.

Connection time rejection stats:

  65450 total
  29813 dynamic IP
  28601 bad or no reverse DNS
   5249 class bl-cbl
    315 qsnews.net
    232 class bl-pbl
    142 class bl-sbl
    141 beaconresearchnews.com
    125 class bl-dsbl
    120 dartmail.net
     85 class bl-sdul
     43 216.75.6.0/24 aka IBS Hosting Corp
     37 class bl-njabl

The highest source of SBL rejections this week was SBL55809 with 33 rejections, followed by SBL50728 with 26 and SBL49970 with 23 rejections. All of them are listed as spam sources, with various degrees of involvement in the spam imputed in the SBL listings.

Nine of the top 30 most rejected IP addresses were rejected 100 times or more; the grand champion is 203.156.70.57 with 1,840 rejections (for having no reverse DNS). Dishonorable mentions must also go to 189.171.181.218 (716 rejections, bad reverse DNS and in the CBL and PBL) and 201.79.147.166 (360 rejections, bad reverse DNS, merely in the PBL). Six of the top 30 are currently in the CBL, eleven are currently in bl.spamcop.net, thirteen are in the PBL, and a grand total of 17 are in zen.spamhaus.org.

(Locally, 16 were rejected for bad or missing reverse DNS, 9 for being dynamic IPs, three for being people we didn't want to talk to, and one each for being in the PBL and the DSBL.)

This week, Hotmail had:

  • 4 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 40 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (one in the CBL, one in SBL51849, one from Burkina Faso, and one from a South African wireless company).

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            1072             136         1557             118
Bad bounces           327             194          185             141

The leading source of bad HELOs this week was 70.147.170.18 (111 rejections), followed by 207.30.12.132 (81 rejections) and 69.15.68.98 (77 rejections). The latter two used HELO names ending in .local, as did any number of other lower-scoring people.

Bad bounces were sent to 262 different bad usernames, with the most popular one being VirginiaPerkins with 10 attempts. This bad username pattern dominated the overall most popular pattern, with only a few other patterns showing up (including a few old ex-users). Bounces came from all over, with no particular large single source that I can pick out right now.

SpamSummary-2007-06-23 written at 23:44:44

2007-06-16

Weekly spam summary on June 16th, 2007

This week, we:

  • got 10,437 messages from 238 different IP addresses.
  • handled 19,475 sessions from 1,336 different IP addresses.
  • received 213,499 connections from at least 71,964 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

This is down from last week on the absolute numbers, but may be up somewhat if we exclude the effects of the one prolific connector from last week's numbers. On the other hand, the per day numbers are floating all over the map:

Day        Connections  different IPs
Sunday          29,880        +12,325
Monday          32,009        +11,720
Tuesday         26,008         +8,842
Wednesday       28,879         +8,772
Thursday        40,321        +11,547
Friday          31,229        +10,212
Saturday        25,173         +8,546

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       30243   1469K cox.net
205.152.59.0/24       23438   1063K bellsouth.net
213.4.149.12          20606   1075K
68.168.78.0/24        13129    630K adelphia.net
70.22.152.139          8783    411K
216.244.151.246        8629    518K
213.4.149.11           8429    438K
72.244.103.211         8220    384K
71.140.111.241         4791    224K
74.15.184.141          4128    193K

This is down from last week, and also only a few bad webmail sources have made the top ten this time around; for once, most of them are individual IPs.

  • 213.4.149.12 and 213.4.149.11 return from last week and many previous engagements.
  • 70.22.152.139 is in NJABL.
  • 216.244.151.246 was in the SBL, but the listing has been removed since it started banging on the door.
  • 72.244.103.211 is something we consider a dynamic IP, and returns from two weeks ago.
  • 71.140.111.241 kept trying to send us phish spam that had already tripped our spamtraps.
  • 74.15.184.141 kept trying with a bad HELO name.

Connection time rejection stats:

  58982 total
  29047 dynamic IP
  23305 bad or no reverse DNS
   4801 class bl-cbl
    316 qsnews.net
    314 class bl-dsbl
    271 class bl-njabl
    180 class bl-pbl
    176 class bl-sbl
     62 216.75.6.0/24
     37 acceleratebiz.com
     33 class bl-sdul

The funny /24 is 'IBS Hosting Corp' aka web1host.net of Tampa Florida, and we have seen them before. The highest source of SBL rejections this week was 216.244.151.246 with 87 rejections, but its SBL listing has been removed, so the highest source still in the SBL is SBL55450 (24 rejections, a spam source), followed by SBL54907 (23 rejections, a virus spam source).

(Some trawling in news.admin.net-abuse.sightings suggests that we do not want to talk to 216.244.151.246 aka ebizlatin.com even if the SBL no longer lists them, so I have added them to our local blocklist.)

Four of the top 30 most rejected IP addresses were rejected 100 times or more this week, with the leader being 216.213.172.11 (237 rejections for being a qsnews.net machine). Nine of the top 30 are currently in the CBL, seven are currently in bl.spamcop.net, seven are in the PBL, and a grand total of fourteen of the 30 are in zen.spamhaus.org.

(Locally, 14 were rejected for missing or bad reverse DNS, 9 for being dynamic IPs, 3 for being people we don't want to talk to, 2 for being in the DSBL, one for being in the SBL, and one for being in the NJABL.)

This week, Hotmail had:

  • 2 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 48 messages sent to our spamtraps.
  • 6 messages refused because their sender addresses had already hit our spamtraps.
  • 9 messages refused due to their origin IP address (three for being in the CBL, two for being in SBL52368, two for being from Burkina Faso, one for being from SAIX, and one for being in SBL32972, a listing from November 2005).

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            1557             118         1232             128
Bad bounces           185             141          312             177

The leading sources of bad HELOs this week are 206.51.227.134 (154 rejections), 66.6.97.210 (104 rejections), and 71.29.93.35 (77 rejections). Only one of them used a clearly bogus HELO name; the others just picked unresolvable ones.

Bad bounces were sent to 178 different bad usernames this week; the most popular position is a seven-way tie between indra, JeffereyMoore, GradyConklin, GoldieSimon, ElinorPowers, DennisSalazar, and DariusEsparza, each of which had two attempts. This also neatly shows which sort of bad usernames were the most popular overall, although we saw a few odd ones like har-miy. No particular source of bad bounces stands out; contributions came from what are by now all of the usual suspects.

SpamSummary-2007-06-16 written at 23:31:49

2007-06-09

Weekly spam summary on June 9th, 2007

This week, we:

  • got 13,047 messages from 274 different IP addresses.
  • handled 19,786 sessions from 1,500 different IP addresses.
  • received 255,420 connections from at least 71,636 different IP addresses.
  • hit a highwater of 12 connections being checked at once.

The volume is down compared to last week and probably down overall, although not by much. The count of different IP addresses is up a little bit, for what that's worth.

Day        Connections  different IPs
Sunday          77,507        +10,880
Monday          31,169        +11,486
Tuesday         31,949        +11,151
Wednesday       29,512        +10,089
Thursday        29,405         +9,629
Friday          33,665        +11,087
Saturday        22,213         +7,314

The per day breakdown shows the influence of 213.223.200.15 again; after the Sunday morning reboot that flushed the kernel block table it promptly started hitting us again. It is now in our permanent blocklist, so that won't happen again.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          40939   2127K
213.4.149.11          24524   1274K
205.152.59.0/24       23960   1086K bellsouth.net
68.230.240.0/23       23875   1159K cox.net
68.168.78.0/24        14588    700K adelphia.net
204.202.23.184        13339    658K
213.29.7.0/24          8660    518K centrum.cz
204.200.195.201        7180    354K
67.94.63.178           4287    200K
212.216.176.0/24       3431    165K tin.it

The volume here is significantly up compared to last week, led by some extremely prolific sources.

  • 213.4.149.11 and 213.4.149.12 are both terra.es machines with bad HELO names; the former most recently appeared back in December 2005, while the latter returns from last week.
  • 204.202.23.184 kept trying to send phish spam email, and we saw it before in February when it was trying the same thing.
  • 204.200.195.201 is another place that kept trying to send phish spam.
  • 67.94.63.178 kept trying with a bad HELO.

Connection time rejection stats:

  55161 total
  28121 dynamic IP
  20708 bad or no reverse DNS
   4676 class bl-cbl
    424 qsnews.net
    230 class bl-pbl
    188 class bl-dsbl
    119 class bl-njabl
    110 acceleratebiz.com
     79 class bl-sbl
     73 class bl-sdul

The highest source of SBL rejections this week was SBL53722 with 37 rejections. This is an April 19th listing for cavtel.net's outgoing webmail server, listed due to it being used for advance fee fraud spam.

Three of the top 30 most rejected IP addresses were rejected 100 times or more this week; in the lead is 200.121.167.142 with 347 rejections, blocked for bad reverse DNS and also listed in the CBL. Closely following it is 216.213.172.8 with 343 rejections, which is a qsnews.net machine. Twelve of the top 30 are currently in the CBL, fifteen are currently in bl.spamcop.net, thirteen are in the PBL, and a grand total of twenty one are in zen.spamhaus.org.

(Locally, 17 were rejected for being dynamic IPs, 10 for having bad or missing reverse DNS, 2 for being qsnews.net, and 1 for being in the DSBL.)

This week, Hotmail had:

  • 3 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 38 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one in the CBL and one from Cote d'Ivoire).

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            1232             128         1369             142
Bad bounces           312             177          349             187

This is an improvement over last week, but only a marginal one. The leading source of bad HELOs this week was 67.92.184.162 with 105 rejections for a HELO name ending in .local. (I see a lot of bad HELOs ending in .local for some reason.)

Bad bounces were sent to 237 different bad usernames this week, with the most popular by far being EllisHyatt (47 attempts). A surprising number of usernames like that were hit twice this week; while that username pattern continues to be the most popular, various all lower case usernames made a reasonably strong showing. I suspect that they are valid usernames somewhere, because they're all over the map in what form they use, ranging from wada_katsu to mitsu-com to mottetqdd and whitesnows.

Just like last week, the single largest point source of bad bounces was w3.org. Various other places, including ezweb.ne.jp, Verizon, and Earthlink threw in decent contributions. The remaining bad bounces came from all over.

SpamSummary-2007-06-09 written at 23:40:37

2007-06-02

Weekly spam summary on June 2nd, 2007

This week, we:

  • got 10,553 messages from 239 different IP addresses.
  • handled 19,451 sessions from 1,629 different IP addresses.
  • received 430,428 connections from at least 69,677 different IP addresses.
  • hit a highwater of 9 connections being checked at once.

The connection volume is way up compared to last week; however, I believe that it is mostly because of one machine, 213.223.200.15, that reacted exceptionally badly to our greylisting (to the point of retrying multiple times a second). Once I worked out what was going on and blocked it, things quieted right down. You can clearly see the effects in the daily stats:

Day        Connections  different IPs
Sunday          17,636         +9,702
Monday          33,471        +12,667
Tuesday        184,927         +9,388
Wednesday       99,137         +9,231
Thursday        33,946         +9,883
Friday          36,539        +10,456
Saturday        24,772         +8,350

The machine showed up at about 3pm Tuesday and got blocked Wednesday morning; ironically it seems to react much better to kernel level blocks and has barely sent us anything since then.

The volume may be up even apart from that, since it looks like daily volume would have been over 30,000 every weekday even without that. But it's hard to be sure.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          34323   1784K
205.152.59.0/24       21531    976K bellsouth.net
68.168.78.0/24        16420    788K adelphia.net
68.230.240.0/23       13444    653K cox.net
213.29.7.0/24         10937    655K centrum.cz
70.54.178.101          5560    267K
212.31.1.29            4665    224K
206.53.0.222           4488    210K
212.175.13.129         3506    210K
72.244.103.211         3495    163K

The overall volume is down slightly compared to last week; however, the advance fee fraud spam webmail places are back to dominating the top of the list.

  • 213.4.149.12 and 212.175.13.129 return from last week.
  • 70.54.178.101 kept trying to send mail with an origin address that had already tripped our spamtraps.
  • 212.31.1.29 and 206.53.0.222 kept trying with bad HELOs.
  • 72.244.103.211 is something we consider a dynamic or generic IP address.

Connection time rejection stats:

  58817 total
  29106 dynamic IP
  23124 bad or no reverse DNS
   5175 class bl-cbl
    343 class bl-pbl
    156 qsnews.net
     97 acceleratebiz.com
     88 dartmail.net
     79 class bl-dsbl
     71 class bl-sdul
     65 class bl-sbl
     27 icpbounce.com
     18 class bl-njabl

The highest source of SBL rejections this week was SBL30718 with 14 rejections; to my complete lack of surprise, it is an advance fee fraud spam /24 listing from September 4th 2005. Next up is last week's leading source, SBL51583 with 10 rejections.

Only one of the top 30 most rejected IP addresses was rejected 100 times or more this week: 201.41.202.120, blocked for bad or missing reverse DNS, was rejected 142 times. Sixteen of the top 30 are currently in the CBL, seven are currently in bl.spamcop.net, fourteen are in the PBL, and a grand total of 21 are in zen.spamhaus.org.

(Locally, 16 were rejected for bad or missing reverse DNS, 12 for being dynamic IPs, and 2 because we don't want to talk to them.)

This week, Hotmail had:

  • 5 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 42 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 7 messages refused due to their origin IP address (3 in the CBL, and four in the SBL in SBL34924 (listed November 2005), SBL49340, SBL51849, and SBL54927).

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            1369             142          624              92
Bad bounces           349             187          190              94

The leading sources of bad HELOs this week were 66.29.225.52 (95 tries), 74.62.83.253 (76 tries), 64.1.186.5 (72 tries), and 81.118.66.20 (71 tries). Two of these tried HELO names that were just impossible; the other two just tried names that were unresolvable.

Bad bounces were sent to 257 different bad usernames this week, with the most popular by far being AmaliaDowdy (61 attempts). This username pattern was also the dominant form of bad username, with a few attempts to throw in old users, hyphen-separated names like lucky-monkey, and some random sequences. To my surprise, w3.org appears high in the sources list this week, and all the usual suspects from last week are still putting in appearances.

(Of course, these days some of this may be misguided address verification systems. Every now and then I think about clever ways to cause them pain, like deferring refusals until after DATA.)

SpamSummary-2007-06-02 written at 23:57:17

