Wandering Thoughts archives

2007-07-28

Weekly spam summary on July 28th, 2007

This week, we:

  • got 10,691 messages from 231 different IP addresses.
  • handled 17,807 sessions from 1,456 different IP addresses.
  • received 301,407 connections from at least 76,444 different IP addresses.
  • hit a highwater of 11 connections being checked at once.

Connection volume is up slightly from last week, but at this point 10,000 connections a week more or less is probably just random noise.

Day         Connections  different IPs
Sunday           35,837        +11,632
Monday           46,617        +11,770
Tuesday          52,564        +12,840
Wednesday        52,049        +10,733
Thursday         37,866         +8,904
Friday           41,885        +10,889
Saturday         34,589         +9,676

Thursday is down compared to last week, but everything else makes up for it.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       39187   1903K cox.net
213.4.149.12          32525   1691K terra.es
205.152.59.0/24       19070    865K bellsouth.net
68.167.174.247        13732    642K
213.29.7.0/24          9289    557K centrum.cz
213.228.185.13         8146    489K
68.168.78.0/24         6299    302K adelphia.net
70.22.148.61           5496    257K
190.11.14.26           3595    173K
70.242.189.33          3441    165K

Overall volume is down compared to last week.

  • 68.167.174.247 and 70.242.189.33 are things we consider dynamic IP addresses.
  • 213.228.185.13 is in the DUL (and has a very generic hostname, and is currently in bl.spamcop.net).
  • 70.22.148.61 kept trying with a bad HELO.
  • 190.11.14.26 is a LACNIC IP address with bad reverse DNS.

This is the first week in a while where none of the top ten individual IP addresses are ones we've seen before (apart from the perennial 213.4.149.12).

Connection time rejection stats:

 123178 total
  58011 bad or no reverse DNS
  55387 dynamic IP
   6386 class bl-cbl
    477 qsnews.net
    335 class bl-pbl
    203 class bl-dsbl
    118 class bl-sbl
    116 class bl-sdul
    113 dartmail.net
     42 class bl-njabl
     34 acceleratebiz.com

There's quite a jump in the 'dynamic IP' category this week; it doesn't seem to have come from any particular ISP or the like, so we seem to have been getting hit more in general.

The highest source of SBL rejections this week is the same as last week: SBL48694, with 31 rejections this week. Following them is SBL56968 (13 rejections), SBL43966 (12 rejections), SBL22762 (11 rejections), and SBL57028 (10 rejections).

An eye-opening twenty-two of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 122.161.14.99 (with 2,498 rejections), followed by 195.238.6.228 (1,266 rejections), 122.161.64.143 (1,068 rejections), 122.254.189.225 (776 rejections), and 122.161.32.205 (536 rejections).

Fifteen of the top 30 are currently in the CBL, eight are currently in bl.spamcop.net, twenty-four are in the PBL, and a grand total of twenty-five are in zen.spamhaus.org.

(Locally, 18 were rejected for bad or missing reverse DNS, 10 for being dynamic IPs, one for being qsnews.net, and one for being someone we don't want to talk to.)

This week, Hotmail had:

  • no messages accepted.
  • 3 messages rejected because they came from non-Hotmail email addresses.
  • 47 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (one from saix.net, one from the Cote d'Ivoire, and one from Burkina Faso).

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             944             121         1120             113
Bad bounces           229              94          350             210

The leading source of bad HELO attempts this week is 202.155.205.242 (109 attempts), followed by 207.114.206.180 (72 attempts). For once both of these were trying with plausible-looking hostnames, instead of things ending in .local.

Bad bounces were sent to 200 different bad usernames this week, with the most popular one being mayumi0624 with 4 attempts. Bad usernames like TomasPryor seem to be falling out of favour, being supplanted by things like alenn187. Odd bad usernames of the week: 69-69-69, 0bp38c4r1fr1f3h, 35671615, and you-freak. The dominant bad bounce source this week seems to be Japan and especially ezweb.ne.jp, just like last week.

SpamSummary-2007-07-28 written at 23:29:11

2007-07-21

Weekly spam summary on July 21st, 2007

This week, we:

  • got 12,549 messages from 259 different IP addresses.
  • handled 19,129 sessions from 1,520 different IP addresses.
  • received 291,606 connections from at least 79,247 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

Connection volume is up pretty noticeably from last week, and it was all over the map from day to day:

Day         Connections  different IPs
Sunday           31,555        +10,497
Monday           42,627        +13,490
Tuesday          51,031        +13,379
Wednesday        48,042        +12,291
Thursday         47,331        +11,707
Friday           39,278         +9,727
Saturday         31,742         +8,156

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          43855   2281K terra.es
68.230.240.0/23       39764   1931K cox.net
195.238.6.226         22971   1103K
205.152.59.0/24       21039    954K bellsouth.net
213.29.7.0/24         18151   1089K centrum.cz
196.28.61.0/24        10680    513K
212.175.13.129         9065    544K
202.161.93.77          8000    439K
74.128.0.0/24          3162    147K insightbb.com
216.213.172.11         3129    172K

Volume is up from last week, although not hugely, and it is more unevenly distributed; the top is higher and the bottom is lower. We have insightbb.com blocked as a source of webmail-based advance fee fraud, like the other /24s on the list.

  • 195.238.6.226 is a skynet.be/belgacom.be machine; we haven't talked to them for some time for various reasons.
  • 212.175.13.129 returns from earlier this month and several times before, still trying a bad HELO.
  • 202.161.93.77 is an APNIC IP address with bad reverse DNS.
  • 216.213.172.11 is still a qsnews.net machine, just as it was last week.

I continue to be impressed with how qsnews.net is not on various DNS blocklists; I have no idea how they manage it.

Connection time rejection stats:

 115523 total
  68833 bad or no reverse DNS
  38937 dynamic IP
   6058 class bl-cbl
    263 class bl-pbl
    192 qsnews.net
     93 class bl-sbl
     75 class bl-dsbl
     72 reliablehosting.com
     24 acceleratebiz.com
      9 class bl-njabl
      2 class bl-sdul

It is hard to contain myself about the amazing coincidence that nine different acceleratebiz.com IPs, each with a different domain name, all tried to send us email this week (sometimes multiple times). I'm sure it's also a coincidence that most of them appear to have the same do-nothing website, too.

The highest source of SBL rejections this week was SBL48694 (the artists-networkinfo.com known spammers, listed 24 June) with 35 rejections. Second place goes to SBL53722 (cavtel.net, advance fee fraud spam, listed 19 April) with 15 rejections.

Ten of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 196.218.140.174 (652 rejections), with (dis)honorable mentions for 217.54.2.210 (330 rejections) and 220.192.171.108 (297 rejections). All got rejected for having bad or missing reverse DNS.

Sixteen of the top 30 are currently in the CBL, two are currently in bl.spamcop.net, thirteen are in the PBL, and a grand total of twenty-three are in zen.spamhaus.org.

(Locally, 24 were rejected for bad or missing reverse DNS, four for being people we don't want to talk to, and two for being classified as dynamic IPs.)

This week Hotmail had:

  • 6 messages accepted; I'm reasonably sure that at least three of them were spam.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 39 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (one in the CBL, two from the Cote d'Ivoire, and one from a South African wireless ISP).

And the final numbers:

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            1120             113          705              95
Bad bounces           350             210          219              94

This week is distinctly worse than last week. The leading sources of bad HELO attempts this week were 70.136.191.16 (118 attempts) and 216.23.126.213 (105 attempts); both were using names that ended in .local.
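Both this week's and the following week's summaries turn on what a "bad HELO" looks like: names ending in .local versus plausible-looking hostnames. The checker below is an added example, not the blog's own filter; the RFC 5321 syntax (a domain name or a bracketed address literal) is standard, while the list of our own hostnames and of rejected suffixes is an assumed local policy.

```python
import ipaddress
import re
from typing import Optional

# RFC 5321: HELO/EHLO carries a fully qualified domain name or an address literal.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")

# Assumed local policy for this example (not the page's rules): names that claim
# to be our own servers, and suffixes that never belong to a public mail host.
OUR_NAMES = {"mail.example.org", "smtp.example.org"}
BOGUS_SUFFIXES = (".local", ".localdomain", ".lan", ".internal")


def helo_problem(helo: str) -> Optional[str]:
    """Return a short reason the HELO argument is unacceptable, or None if it passes.

    A syntactically plausible hostname passes here; as the summaries note, many
    bad HELOs are caught only by comparing the name with the connecting IP later.
    """
    name = helo.strip()
    if not name:
        return "empty"
    if name.startswith("[") and name.endswith("]"):
        literal = name[1:-1]
        if literal.startswith("IPv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
        except ValueError:
            return "malformed address literal"
        return None
    try:
        ipaddress.ip_address(name)
        return "bare IP address"        # must be bracketed to be an address literal
    except ValueError:
        pass
    if not FQDN_RE.match(name):
        return "not a fully qualified hostname"
    lower = name.lower().rstrip(".")
    if lower in OUR_NAMES:
        return "claims to be us"
    if lower.endswith(BOGUS_SUFFIXES):
        return "non-routable suffix"
    return None
```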

Bad bounces were sent to 318 different bad usernames this week, with the most popular one being a tie between charron and LucasLaird with 4 attempts each; last week's qp3902 made one appearance. I am not going to try to assess what bad user name pattern was the most prevalent; interesting bad usernames included the minimalistic s, the all-digits 405, the interesting mayumi-totoro and kinako-cat, and the peculiar 0ue38815349020h. A number were sent to ex-users.

The dominant bad bounce source this week seems to be Japan, especially ezweb.ne.jp; it is awfully tempting to block them entirely, since they haven't sent us any actual email in at least the past month and they keep doing this. But if I went down that road, there are any number of ISPs that would make the list.

SpamSummary-2007-07-21 written at 23:36:52

2007-07-15

Weekly spam summary on July 14th, 2007

Our SMTP frontend died (twice) around 8am on Friday morning, so some of this week's stats are partial and some are missing about two hours of data. That said, this week we:

  • got 10,583 messages from 249 different IP addresses.
  • handled 17,948 sessions from 1,258 different IP addresses.
  • received 257,246 connections from over 50,000 different IP addresses.
  • hit a highwater of 7 connections being checked at once.

This is pretty similar to last week. I've managed to reconstruct more or less the per day information:

Day         Connections  different IPs
Sunday           39,600        +11,157
Monday           34,312         +9,774
Tuesday          37,764        +10,198
Wednesday        44,447        +10,857
Thursday         31,044         +8,086
Friday           41,368        +11,090
Saturday         28,711         +8,448

(The one caution is that the 'different IPs' information is not reliable for Friday and Saturday, since it effectively starts from scratch.)

I continue to have no idea why spammers like Wednesday, but clearly they do.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       35913   1744K cox.net
213.4.149.12          27599   1435K terra.es
205.152.59.0/24       19880    901K bellsouth.net
24.155.195.124        18546    890K
213.29.7.0/24         11509    691K centrum.cz
68.167.174.246        10155    477K
76.65.201.70           6896    317K
68.168.78.0/24         5478    263K adelphia.net
206.221.36.51          4443    204K
69.94.123.79           4195    252K

Volume is down from last week.

  • 213.4.149.12 returns from last week and many previous appearances, and I'm probably going to stop explicitly noting it since it doesn't seem like it's going to go away any time soon.
  • 24.155.195.124 is on the CBL.
  • 68.167.174.246 is a covad.net address that we consider dynamic, and returns from the end of June.
  • 76.65.201.70, 206.221.36.51, and 69.94.123.79 all kept trying with bad HELOs.

Connection time rejection stats:

 104296 total
  68773 bad or no reverse DNS
  29517 dynamic IP
   4092 class bl-cbl
    492 qsnews.net
    246 class bl-pbl
    103 class bl-dsbl
     80 class bl-sbl
     23 class bl-njabl
      4 class bl-sdul

The highest source of SBL rejections this week was a tie between SBL48694 (known spam source) and SBL44995 (hinet.net mail hosts for the ROKSO-listed 'Mei Lung Handicrafts / Chang Wen-Sheng') with thirteen each. Following them is SBL56453 (0catch.com, listed as a repeat advance fee fraud spam source) with seven.

Twelve of the top 30 most rejected IP addresses were rejected 100 times or more this week. Rather than write them out, I'm going to make a table:

2567 58.186.29.226
752 58.69.147.80
484 121.97.172.73
419 200.69.153.217
414 216.213.172.11
368 61.252.110.3
282 86.76.43.248
263 125.234.232.88
194 41.250.128.243
126 85.107.94.89
124 83.214.74.133
102 59.95.207.131

With the exception of 216.213.172.11, all of these were rejected for bad or missing reverse DNS, although almost all are in the CBL and/or the PBL. In general, fifteen of the top 30 are currently in the CBL, four are currently in bl.spamcop.net, seventeen are currently in the PBL, and a grand total of 25 are in zen.spamhaus.org.

(Locally, 27 were rejected for bad or missing reverse DNS, two for being qsnews.net, and one for being a dynamic IP address.)

This week, Hotmail had:

  • 6 messages accepted, and I am pretty sure that most of them were spam.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 47 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 6 messages refused due to their origin IP address (two in the CBL, two in SBL52368, one from a United Arab Emirates satellite ISP, and one from the Cote d'Ivoire).

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             705              95          825              99
Bad bounces           219              94          222             149

There is no really leading source of bad HELOs this week, by my standards (I draw the line somewhere around 50 to 75 rejections; no single one got over 45 this week).

Bad bounces were sent to 90 different bad usernames this week, with the most popular one being qp3902 with 82 attempts (the same as last week); the second most popular was actually an internal error, so I'm not going to list it (without it, we actually only had 181 bad bounces this week). The NoemiDotson bad username pattern is still popular, but it's joined by things like mikoponpon, d21terrano, and a number of ex-users.

The biggest single source of bad bounces was 194.242.226.91, with other contributions from all over (including some hinet.net machines; clearly the SBL hasn't listed all of their mail machines yet).

SpamSummary-2007-07-14 written at 00:04:40

2007-07-07

Weekly spam summary on July 7th, 2007

This week, we:

  • got 9,123 messages from 254 different IP addresses.
  • handled 17,076 sessions from 1,364 different IP addresses.
  • received 264,864 connections from at least 70,143 different IP addresses.
  • hit a highwater of 12 connections being checked at once.

Volume has dropped compared to last week, including total messages, which surprises me a bit. As we can see in the per-day table, spammers definitely didn't take the 4th of July off:

Day         Connections  different IPs
Sunday           32,966        +11,408
Monday           36,064        +10,472
Tuesday          37,471        +10,684
Wednesday        39,405         +8,540
Thursday         35,548         +8,294
Friday           44,618        +11,289
Saturday         38,792         +9,456

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          45750   2379K
68.230.240.0/23       32348   1571K cox.net
205.152.59.0/24       23367   1059K bellsouth.net
206.123.109.0/27      23141   1272K otcpicknews.com
72.249.13.81          14404    790K
212.175.13.129        11458    687K
203.204.118.61        10494    630K
68.168.78.0/24         9691    465K adelphia.net
213.4.149.68           8924    518K
58.186.248.18          7720    371K

By contrast, volume here is up significantly from last week, with the otcpicknews.com people still valiantly hammering away despite getting nowhere.

  • 213.4.149.12 returns from last week and many weeks before.
  • 72.249.13.81 is beaconresearchnews.com and returns from two weeks ago.
  • 212.175.13.129 kept trying a bad HELO, which we've seen it do before.
  • 203.204.118.61 is SBL49970, and we saw it before two weeks ago.
  • 213.4.149.68 kept trying with a bad HELO.
  • 58.186.248.18 is a Vietnamese IP address with no reverse DNS.

Connection time rejection stats:

 108292 total
  74766 bad or no reverse DNS
  26291 dynamic IP
   5170 class bl-cbl
    408 class bl-pbl
    184 qsnews.net
     99 class bl-dsbl
     92 class bl-sbl
     53 class bl-njabl
     44 class bl-sdul
     42 beaconresearchnews.com

Volume is up significantly from last week, with almost all of it coming from bad reverse DNS issues; the volume jump is even more striking if you look at this compared to two weeks ago.

The highest source of SBL rejections this week was SBL56296 (a compromised PC used for spam) with 17 rejections. After that was SBL53722 (a cavtel.net webmail machine, advance fee fraud) with 15 rejections and SBL49970 with 14 rejections.

Twelve of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 222.123.154.220 (412 rejections), followed by 121.46.216.126 (391 rejections), 58.186.248.18 (307 rejections), and 87.217.143.79 (224 rejections, on the CBL). All but the last were rejected for bad or missing reverse DNS.

Sixteen of the top 30 are currently in the CBL, three are currently in bl.spamcop.net, twelve are in the PBL, and a grand total of twenty are in zen.spamhaus.org.
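Every week's summary counts how many of the top 30 rejected IPs are in the CBL, the PBL and zen.spamhaus.org. The following is an added example of how such a tally is produced, not the blog's own tooling: it reverses the octets into a DNSBL query name and decodes Zen's documented 127.0.0.x return codes into the same bl-sbl/bl-cbl/bl-pbl classes the rejection stats use. The resolver is injectable, and the sample answers are constructed for documentation addresses so nothing here reflects the real listing status of any host.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

# Spamhaus Zen's documented return codes, mapped onto the rejection classes the
# summaries use. The 127.0.0.4-7 (XBL) codes are where the CBL data lives.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "bl-sbl", "127.0.0.3": "bl-sbl",
    "127.0.0.4": "bl-cbl", "127.0.0.5": "bl-cbl",
    "127.0.0.6": "bl-cbl", "127.0.0.7": "bl-cbl",
    "127.0.0.10": "bl-pbl", "127.0.0.11": "bl-pbl",
}
Resolver = Callable[[str], List[str]]

def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL query name: the IPv4 octets reversed, under the zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not plain IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify_zen_answers(answers: Iterable[str]) -> Set[str]:
    """Map the A records from a Zen query onto classes; unknown values such as the
    127.255.255.x error codes for refused queries are not listings."""
    return {ZEN_CODES[a] for a in answers if a in ZEN_CODES}

def system_resolver(name: str) -> List[str]:
    """Look NAME up with the system resolver; NXDOMAIN (not listed) becomes []."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def count_listings(ips: Iterable[str], resolve: Resolver = system_resolver) -> Dict[str, int]:
    """Count how many of IPS fall in each class, and how many are in Zen at all."""
    counts = {"bl-sbl": 0, "bl-cbl": 0, "bl-pbl": 0, "zen": 0}
    for ip in ips:
        classes = classify_zen_answers(resolve(dnsbl_query_name(ip)))
        for cls in classes:
            counts[cls] += 1
        if classes:
            counts["zen"] += 1
    return counts

# Constructed sample input: documentation addresses with made-up Zen answers so
# the example runs offline and says nothing about real hosts.
SAMPLE_IPS = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    dnsbl_query_name("192.0.2.1"): ["127.0.0.4", "127.0.0.11"],  # CBL and PBL
    dnsbl_query_name("192.0.2.2"): ["127.0.0.11"],               # PBL only
    dnsbl_query_name("192.0.2.3"): [],                           # not listed
    dnsbl_query_name("192.0.2.4"): ["127.255.255.254"],          # refused query
}

def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ANSWERS.get(name, [])
```

Running `count_listings(SAMPLE_IPS, sample_resolver)` gives the per-class tallies the summaries report; swap in `system_resolver` for live lookups.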

(Locally, 20 were rejected for bad or missing reverse DNS, 7 for being dynamic IP addresses, two for being people we don't want to talk to, and one for being in the CBL.)

This week, Hotmail managed:

  • 3 messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address (a msn.com address, as it happens).
  • 50 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 3 messages refused due to their origin IP address (one in the CBL and two from Burkina Faso).

what          # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs             825              99         4120             240
Bad bounces           222             149          688             527

That's certainly a nice improvement from last week. The leading source of bad HELOs this week was 67.52.59.170 with 86 attempts.

Bad bounces were sent to 154 different bad usernames this week, with the most popular one being qp3902 with 32 attempts. The most popular pattern for bad usernames is probably things like RandyGallagher, but we also saw bounce attempts to various others, including things like narunaru-gogo, jmhn, and the ever-popular noreply, along with some ex-users. I will call ezweb.ne.jp the most popular source of bounces, although it's hard to be completely sure; some people send bounces to us from only a few IPs, while others smear them over big clusters of machines.

SpamSummary-2007-07-07 written at 23:47:38
