Wandering Thoughts archives

2007-08-25

Weekly spam summary on August 25th, 2007

This week, we:

  • got 10,965 messages from 236 different IP addresses.
  • handled 18,098 sessions from 1,724 different IP addresses.
  • received 376,478 connections from at least 114,062 different IP addresses.
  • hit a highwater of 18 connections being checked at once.

Things are down a bit from last week, but we are still being hammered by spammers, mostly using compromised zombies. The per day table shows the usual fluctuations, and I may have to take back what I said last week about spammers taking the weekend off:

Day         Connections   different IPs
Sunday           60,834         +21,210
Monday           54,929         +17,802
Tuesday          66,120         +18,975
Wednesday        46,149         +12,105
Thursday         51,054         +13,753
Friday           52,125         +16,444
Saturday         45,267         +13,773

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          29344   1526K terra.es
206.123.109.0/27      26590   1465K otcpicknews.com
68.230.240.0/23       23006   1117K cox.net
62.75.224.83          16174    970K
85.114.132.50         13962    838K
213.29.7.0/24         13270    796K centrum.cz
72.249.13.81          12254    675K
213.4.149.241          9862    526K
68.168.78.0/24         7506    360K adelphia.net
209.225.8.0/24         5940    332K charter.net

Total volume is up from last week, but that may be because I got aggressive about throwing /24s of advance fee fraud webmail spam sources into the kernel blocks instead of blocking each outbound SMTP gateway one by one. On the other hand, in the top 10 that only explains charter.net; all the other subnets are perennial regulars.

  • 62.75.224.83 is in a domain that has sent us (too much) phish spam.
  • 85.114.132.50 returns from last week, still in SBL52705 and all.
  • 72.249.13.81 is beaconreasearchnews.com and returns from July.
  • 213.4.149.241 has bad reverse DNS.

Connection time rejection stats:

 177280 total
  91953 dynamic IP
  73454 bad or no reverse DNS
   8910 class bl-cbl
    516 qsnews.net
    378 class bl-pbl
    304 class bl-sbl
    293 class bl-sdul
    253 class bl-dsbl
    128 dartmail.net
     38 class bl-njabl
     33 officepubs.com

The drastic drop in PBL rejections may partly be because we lost access to the Spamhaus DNSBLs for a few days this week (and may lose access to them for longer, depending on how things shake out). I'd say the same thing about the SBL, but it is actually up somewhat this week.

The highest source of SBL rejections this week is SBL57946 with 263 rejections; Spamhaus lists this as a /28 of 'spam sources', with the record created August 18th. The next up is SBL57804, returning from last week but with only 9 rejections this time around; this may partly be because we have more or less explicit blocks for that network now.

Eighteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 88.234.24.235 (1,940 rejections), followed by 200.28.226.14 (1,215 rejections) and 85.96.134.232 (565 rejections). Thirteen of the top 30 are currently in the CBL, twelve are currently in bl.spamcop.net, twenty six are in the PBL, and a grand total of twenty nine are in zen.spamhaus.org; the one IP address out of the top 30 that is not in zen.spamhaus.org is a qsnews.net machine.

(Locally, 15 were rejected for bad or missing reverse DNS, 13 for being dynamic IP addresses, 1 for being qsnews.net, and 1 for being in the CBL.)

This week, Hotmail had:

  • 2 messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address, in this case a msn.com address.
  • 33 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 2 messages refused due to their origin IP address (one from saix.net, one from the Cote d'Ivoire).

And the final numbers:

what          # this week  (distinct IPs)   # last week  (distinct IPs)
Bad HELOs             949            168           1782            232
Bad bounces           162            121            339            268

There was no particularly leading source of bad HELOs this week; the highest were 207.245.38.236 (58 attempts) and 203.86.238.105 (51 attempts), both with .local names.

Bad bounces were sent to 152 different bad usernames this week, with the most popular one being SHOUGEE with 7 attempts. Typical bad usernames and patterns included xxqsfclq, JarvisSloan, Eloy, mj, and sdasa285; I'm not going to try to pick a winner among the patterns this week. The most disheartening source of bad username bounces has to be two from mail-abuse.org.

SpamSummary-2007-08-25 written at 23:33:10

2007-08-20

Recognizing phish spam from exceedingly RFC compliant mailers

Here is how to tell if you were getting phish spam from a compromised server with an exceedingly RFC compliant mailer: you were getting email from addresses like service@park.funnel.revenuedirect.com.akadns.net.

What was going on is that paypal.us was a CNAME to that hostname. (I say was because paypal.us has since been changed to an A record and an MX to localhost., possibly because they got tired of being forged on phish spam.)

According to the RFCs, when a mailer encounters a domain or host name that is a CNAME, it is supposed to not merely follow the CNAME but rewrite the address itself to use the target of the CNAME instead of the CNAME, including when the CNAME is in the envelope origin address. However, few mailers are this picky and RFC compliant; most will not rewrite a MAIL FROM address to canonicalize a CNAME.

So when a phish spammer compromises a server with a normal mailer and sends out their spam with an envelope address of 'service@paypal.us', it shows up at your mailer (and possibly in your inbox) with that MAIL FROM. However, when they compromise a server with a picky mailer and do the same thing, their spam's origin address gets rewritten on the way through and you get the weird origin addresses.
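The rewriting described above, as an added example (not code from the post or from any of the mailers it names): a strict mailer follows the CNAME chain on the envelope sender's domain and substitutes the canonical name, while a lax mailer passes the address through unchanged. The DNS data is a constructed table that mirrors the paypal.us CNAME the post describes; the depth limit is an assumption.

```python
# Constructed zone data standing in for live DNS: domain -> CNAME target,
# matching what the post says paypal.us used to be. Lowercase, no trailing dot.
CONSTRUCTED_CNAMES = {
    "paypal.us": "park.funnel.revenuedirect.com.akadns.net",
}

MAX_CNAME_DEPTH = 8  # assumed guard against CNAME loops and absurd chains


def _normalize(name):
    """DNS names are case-insensitive; strip a trailing dot for comparison."""
    return name.rstrip(".").lower()


def canonical_domain(domain, cnames=CONSTRUCTED_CNAMES):
    """Follow CNAME records to the final canonical name.

    A loop or an over-long chain raises ValueError; a real mailer would treat
    that as a temporary DNS failure rather than silently accepting the name.
    """
    name = _normalize(domain)
    seen = set()
    for _ in range(MAX_CNAME_DEPTH):
        if name not in cnames:
            return name          # reached a name that is not a CNAME
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = _normalize(cnames[name])
    raise ValueError(f"CNAME chain too long starting from {domain}")


def rewrite_mail_from(address, picky, cnames=CONSTRUCTED_CNAMES):
    """Return the MAIL FROM address as it leaves the relaying mailer.

    picky=True models the strict behaviour the post attributes to ZMailer and
    some Sendmail versions (rewrite the domain part to the CNAME target);
    picky=False models postfix, qmail and Exchange, which leave it alone.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a valid envelope address: {address!r}")
    if not picky:
        return address
    return f"{local}@{canonical_domain(domain, cnames)}"


if __name__ == "__main__":
    forged = "service@paypal.us"
    print("lax mailer  :", rewrite_mail_from(forged, picky=False))
    print("picky mailer:", rewrite_mail_from(forged, picky=True))
```

The picky branch produces exactly the akadns.net address the post opens with, which is why that address is a tell for a forged sender that passed through a strict mailer.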

Sidebar: who isn't that picky and who is

From some quick poking, it seems that neither postfix, qmail nor Microsoft Exchange's SMTP server is quite that picky. The latter case is amusing, because Exchange is one of the few mailers that insists that lines in the SMTP conversation be terminated with both CR and LF; if you send bare LFs, it ignores you.

Both ZMailer and (some) modern versions of Sendmail are that picky.

RFCCompliantPhishSpam written at 20:59:19

2007-08-18

Weekly spam summary on August 18th, 2007

This week, we:

  • got 12,100 messages from 261 different IP addresses.
  • handled 22,629 sessions from 2,180 different IP addresses.
  • received 434,144 connections from at least 121,837 different IP addresses.
  • hit a highwater of 31 connections being checked at once.

So much for any chance that volume would go down compared to last week. I believe that the higher session volume is at least partly because of compromised spam zombies getting past my relatively weak greylisting precautions.

Day         Connections   different IPs
Sunday           40,431         +15,128
Monday           65,293         +17,229
Tuesday          77,288         +17,074
Wednesday        70,746         +20,302
Thursday         61,045         +17,116
Friday           69,455         +18,689
Saturday         49,886         +16,299

The peak day may be migrating back to Wednesday, but really, all that seems reasonably apparent is that some spammers take weekends off.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          25371   1319K terra.es
68.230.240.0/23       19247    935K cox.net
213.29.7.0/24         17643   1059K centrum.cz
68.168.78.0/24        11520    553K adelphia.net
213.4.149.68           8350    484K
195.238.6.228          7739    371K
61.128.0.0/10          6192    342K China
85.114.132.50          5932    356K
62.94.0.34             4727    212K
200.63.215.74          4568    219K

Volume here is down from last week, and not as many of the usual open webmail suspects have shown up.

  • 213.4.149.68 kept trying with a bad HELO; we saw it before in early July.
  • 195.238.6.228 returns from late July.
  • 85.114.132.50 is SBL52705, although we don't talk to fastwebserver.de anyways.
  • 62.94.0.34 is another place we don't talk to because of open webmail; it previously appeared all the way back in December of 2006.
  • 200.63.215.74 has bad reverse DNS.

Connection time rejection stats:

 203098 total
  96920 bad or no reverse DNS
  91776 dynamic IP
  10786 class bl-cbl
   1121 class bl-pbl
    264 class bl-sdul
    264 class bl-dsbl
    213 class bl-sbl
    154 dartmail.net
     48 acceleratebiz.com
     46 officepubs.com
     45 67.98.250.0/24
     19 class bl-njabl

This is quite a volume increase over last week, almost all of it in the top four reasons. The highest source of SBL rejections this week is SBL57804, a /18 listed as a 'spam source range', with 66 rejections. Following it are SBL49824 (a /27 listed 27 January) with 21 rejections, SBL52705 (85.114.132.50) with 19 rejections, and SBL55920 (another advance fee fraud spam source) with 17 rejections.

Eighteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 200.63.215.74 (2,259 rejections), followed by 201.9.243.8 (644 rejections) and 190.65.82.107 (572 rejections). Seventeen of the top 30 are currently in the CBL, seven are currently in bl.spamcop.net, twenty are in the PBL, and a grand total of 26 are in zen.spamhaus.org.

(Locally, 19 were rejected for bad or missing reverse DNS, 10 for being dynamic IP addresses, and one for being in the CBL.)

This week, Hotmail had:

  • 2 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 26 messages sent to our spamtraps.
  • 1 message refused because its sender address had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (two in the CBL, one from Ghana, and one from the Cote d'Ivoire).

And the final numbers:

what          # this week  (distinct IPs)   # last week  (distinct IPs)
Bad HELOs            1782            232           1874            176
Bad bounces           339            268            692            487

The leading source of bad HELO attempts this week is 212.15.28.2 (87 attempts), followed by 67.113.162.150 and 64.80.183.134 at 67 attempts each.

Bad bounces were sent to 297 different bad usernames this week, with the most popular one being RalphPlatt with 7 attempts. That bad username pattern staged a resurgence this week, although it is still fighting it out with various other ones like robachan and p886. Interestingly, I am now seeing some names like kostaqHovern with a capital shoved in the middle of the username.

SpamSummary-2007-08-18 written at 23:44:43

2007-08-12

Weekly spam summary on August 11th, 2007

This week, we:

  • got 11,040 messages from 245 different IP addresses.
  • handled 20,069 sessions from 1,915 different IP addresses.
  • received 344,743 connections from at least 97,338 different IP addresses.
  • hit a highwater of 42 connections being checked at once.

Connection volume is down from last week. This week the volume peak was clearly on Monday instead of Wednesday:

Day         Connections   different IPs
Sunday           47,387         +14,319
Monday           62,687         +17,866
Tuesday          43,800         +12,720
Wednesday        40,725         +11,191
Thursday         56,906         +16,513
Friday           53,297         +14,396
Saturday         39,941         +10,333

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          47178   2453K terra.es
205.152.59.0/24       30310   1374K bellsouth.net
213.29.7.0/24         24588   1475K centrum.cz
68.230.240.0/23       18445    896K cox.net
204.202.242.0/24       8250    429K rapidsite.net
70.54.178.101          8181    393K
208.11.149.93          5832    280K
66.106.101.58          4611    235K
68.168.78.0/24         4545    218K adelphia.net
68.167.174.247         4109    192K

Overall volume is up slightly from last week. The number of individual IPs that are making the top ten remains low; I suspect that this is going to be the pattern, since I doubt the advance fee fraud spammers exploiting all of the various ISPs doing too-open webmail are going to stop trying to email us any time soon.

  • 70.54.178.101 kept trying with an origin address that tripped our spamtraps the last time they tried.
  • 208.11.149.93 is on the DSBL; last week it just made the top connection time stats, but it's moved up this week.
  • 66.106.101.58 also returns from last week, still in SBL57028.
  • 68.167.174.247 returns from late July and is still something we consider a dynamic IP.

Connection time rejection stats:

 135251 total
  63818 bad or no reverse DNS
  61561 dynamic IP
   7550 class bl-cbl
    478 class bl-pbl
    314 class bl-dsbl
    218 class bl-sbl
    189 premia networks
    184 qsnews.net
    133 class bl-sdul
     58 acceleratebiz.com
     26 class bl-njabl

Here 'premia networks' is 64.235.54.0/24 and 64.235.57.0/24, yet another place that lights up our spamtraps in a particularly telling, broadly distributed, and aggressive manner. Perhaps there is an innocent explanation, but in the meantime we aren't going to be talking to them.

The highest source of SBL rejections this week is the same as last week: SBL57113 aka 'speed tech inc', with 117 rejections. Following it is SBL48694 with 23 rejections, also returning from last week, and SBL57435 aka 'fisksox.com et al' with 10 rejections.

Sixteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 210.56.96.91 with a jaw dropping 6,877 rejections, followed by 61.17.143.183 (1,882 rejections) and 201.230.180.203 (1,230 rejections); everyone else has less than 500.

Fifteen of the top 30 are currently in the CBL, eight are currently in bl.spamcop.net, fourteen are in the PBL, and a grand total of nineteen are currently in zen.spamhaus.org.

(Locally, 22 were rejected for bad or missing reverse DNS, 4 for being dynamic addresses, two for being people we don't want to talk to, one for being in the DSBL, and one for being in the CBL.)

This week, Hotmail had:

  • 3 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 46 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (two in the CBL, one in SBL44539, and one from the Cote d'Ivoire).

And the final numbers:

what          # this week  (distinct IPs)   # last week  (distinct IPs)
Bad HELOs            1874            176            625            126
Bad bounces           692            487             82             51

The leading source of bad HELO attempts this week is 67.50.159.134 (92 attempts with a .local name), followed by 67.79.168.3 (81 attempts) and 62.225.190.98 (58 attempts). I continue to grind my teeth at the popularity of throwing .local around on the general Internet.

Bad bounces were sent to 680 different bad usernames this week, with the most popular one being a many-way tie at two attempts each between the bad usernames oretachi-rowringzoku, oldeng, mytool, masaru-12-25, an ex-user, ky99, hustler-hildreth, dfgdgdgiyrww, bekind, Ned, and Dankertybpd. That pretty much gives the flavour of the bad usernames this week right there, with a few like GordyBaze thrown in for good measure.

SpamSummary-2007-08-11 written at 00:21:33

2007-08-04

Weekly spam summary on August 4th, 2007

This week, we:

  • got 111,59 messages from 243 different IP addresses.
  • handled 18,480 sessions from 1,401 different IP addresses.
  • received 393,665 connections from at least 102,514 different IP addresses.
  • hit a highwater of 34 connections being checked at once.

Volume is up quite a lot from last week; also up is how many different IP addresses are trying to send us email. My instant reaction to this is that this is a clear sign of being barraged with spam zombies, especially since we added hardly any extra sessions and they came from slightly fewer different IPs than last week.

Day         Connections   different IPs
Sunday           52,614         +16,152
Monday           70,367         +19,522
Tuesday          63,613         +15,751
Wednesday        69,844         +14,946
Thursday         54,537         +14,002
Friday           49,958         +13,420
Saturday         32,732          +8,721

In a deviation from the usual pattern, Monday was the volume peak, although Wednesday is very close on connections. The Friday and Saturday numbers make me hope that the storm has gone down, but that's probably blind optimism.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
213.4.149.12          51643   2686K terra.es
205.152.59.0/24       25471   1155K bellsouth.net
68.230.240.0/23       21810   1059K cox.net
193.178.228.8         14238    683K
213.29.7.0/24          7484    449K centrum.cz
204.202.242.0/24       5322    277K
68.168.78.0/24         5044    242K adelphia.net
208.109.78.0/24        4665    280K
213.228.185.13         4491    269K
66.106.101.58          4347    221K

By contrast, the volume here is about the same as last week. 204.202.242.0/24 (rapidsite.net) and 208.109.78.0/24 (secureserver.net) both got their entire /24s blocked because they kept retrying origin addresses that had tripped our spamtraps from lots of hosts, instead of just one or two.

  • 193.178.228.8 kept trying with an origin address that had tripped our spamtraps.
  • 213.228.185.13 returns from last week.
  • 66.106.101.58 is in SBL57028, a listing for the source of malware/virus spam.

Connection time rejection stats:

 178565 total
  86933 bad or no reverse DNS
  78135 dynamic IP
  10020 class bl-cbl
    871 class bl-dsbl
    622 class bl-pbl
    246 class bl-sbl
    222 qsnews.net
    170 class bl-sdul
     45 class bl-njabl
     39 acceleratebiz.com

Total volume is up from last week, which is no surprise. We rejected 49,730 different IP addresses in total, which is a figure that just occurred to me to gather; this means that roughly half the different IP addresses went away in our greylisting steps.

I have read reports in NANAE that the SORBS DUL list has gone away; however, the figures here suggest that it is still alive and blocking things. Inspecting the hostnames of things that got blocked shows that a number of them seem to be real dynamic IP addresses, too.

The highest source of SBL rejections this week is SBL57113, 'speed tech inc', listed July 30th, with 143 rejections. Following it is SBL48694, returning from last week with 34 rejections, then SBL56968 from last week and SBL30718 (advance fee fraud spam source listed in September of 2005), tied with 10 rejections each. SBL57069, labeled as a spam bot belonging to the ROKSO spammer Yambo Financials, gets an honorable mention with 9 rejections.

Eighteen of the top 30 most rejected IP addresses were rejected 100 times or more this week. The leader is 86.66.150.90 (1,107 rejections), followed by 88.224.107.250 (952 rejections), 208.11.149.93 (708 rejections), and the rest have less than 500 rejections each.

Eleven of the top 30 are currently in the CBL, four are currently in bl.spamcop.net, twenty one are in the PBL, and a grand total of twenty two are in zen.spamhaus.org.

(Locally, 27 were rejected for bad or missing reverse DNS, two for being qsnews.net, and one for being in the DSBL.)

This week, Hotmail had:

  • 2 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 47 messages sent to our spamtraps.
  • 13 messages refused because their sender addresses had already hit our spamtraps.
  • 7 messages refused due to their origin IP address (four in the CBL, one in SBL51609 (a bunch of open HTTP proxies, listed 24 February), one from the Cote d'Ivoire, and one from Burkina Faso).

And the final numbers:

what          # this week  (distinct IPs)   # last week  (distinct IPs)
Bad HELOs             625            126            944            121
Bad bounces            82             51            229             94

The bad HELO numbers provide more evidence that the connection volume surge is mostly from spam zombies. There was no particular leading source of bad HELOs this week; the most active one was still under 50 rejections.

Bad bounces were sent to 67 different bad usernames this week, with the most popular one being RudyKirkpatrick with 10 attempts. That bad username pattern probably is the majority this week, although things like tnishii and michaeljordan keep up the good fight and there were one or two old ex-users. ezweb.ne.jp continues to show up at the top of the list of sources, but this week it was less dominant. The most amusing source of a bad bounce has to be the machine simon.bofh.ms.

SpamSummary-2007-08-04 written at 23:51:32
