Wandering Thoughts archives

2007-09-30

Weekly spam summary on September 29th, 2007

This week, we:

  • got 11,909 messages from 265 different IP addresses.
  • handled 26,934 sessions from 2,995 different IP addresses.
  • received 297,885 connections from at least 101,029 different IP addresses.
  • hit a highwater of 16 connections being checked at once.

Volume is a bit up from last week. Looking at the numbers I am reminded of how striking the number of different IP addresses is; the average connection source made less than three connections to us, where the average session source made nine connections (and the average mail source probably did even better, since that is an average of about 44 messages per IP).

Day         Connections  different IPs
Sunday           40,875        +14,708
Monday           39,537        +16,197
Tuesday          38,779        +14,952
Wednesday        59,611        +17,304
Thursday         49,560        +14,939
Friday           37,500        +10,877
Saturday         32,023        +12,052

Apparently the spammers are back to abusing us on Wednesdays.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
72.249.13.64/26       19977   1096K otcpicknews.com
213.180.130.0/24      17928   1076K onet.pl
89.18.190.60          13567    814K
68.168.78.0/24        11478    551K adelphia.net
213.29.7.0/24         10808    648K centrum.cz
66.15.119.165          9019    422K
68.230.240.0/23        8400    408K cox.net
139.55.101.14          8287    421K
202.5.93.20            8082    388K
212.170.236.211        6257    375K

Volume is significantly up from last week.

  • 89.18.190.60 returns from last week.
  • 66.15.119.165 kept trying to send us bad HELOs and returns from a previous appearance in February.
  • 139.55.101.14 is something we consider a dynamic IP.
  • 202.5.93.20 is an APNIC IP address with broken reverse DNS.
  • 212.170.236.211 kept trying with a bad HELO.

(It warms the black cockles of my heart to see that throwing otcpicknews.com's other netblock straight into our kernel filters was absolutely the right thing to do.)

Connection time rejection stats:

  83117 total
  41427 bad or no reverse DNS
  35442 dynamic IP
   4001 class bl-cbl
    332 class bl-dsbl
    291 acceleratebiz.com
    261 class bl-pbl
    255 class bl-sdul
    188 class bl-sbl
    125 qsnews.net
     86 class bl-njabl
     42 officepubs.com
     24 verticalresponse.com

Perversely, volume is down here compared to last week. The highest source of SBL rejections this week was SBL58952 with 66 rejections (a recent listing for a spam source), followed by last week's leading contents of SBL53319 with 25 rejections and SBL48694 with 23 rejections. (Better luck next time, you two! Oh wait, what am I saying? Please drop off the Internet.)

Seventeen of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 124.157.174.227 (1,412 rejections), followed by 203.134.218.225 (1,375 rejections) and 61.7.132.40 (301 rejections). Five are currently in the CBL, two are currently in bl.spamcop.net, six are currently in the PBL, and a grand total of (only) eight are zen.spamhaus.org. I don't know why these numbers are so low.

(Locally, 20 were rejected for bad or missing reverse DNS, 8 for being dynamic IP addresses, one for being in the NJABL, one for being in the DSBL. Two of those have since changed their status and would not be blocked now.)

This week, Hotmail had:

  • 4 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 27 messages sent to our spamtraps.
  • no messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being from the Cote d'Ivoire.

And the final numbers:

what          # this week (distinct IPs)  # last week (distinct IPs)
Bad HELOs     5489 (399)                  1379 (190)
Bad bounces   1521 (1115)                  287 (200)

Ah. Well. That would explain a certain amount of everything; we seem to have been forged as a spam origin in a big way, judging by how these numbers have jumped so dramatically. The leading source of bad HELOs this week was 64.109.69.81 (218 attempts), followed by 84.12.142.111 (89 attempts), 202.134.71.85 (83 attempts), and then a lot more.

Bad bounces were sent to 1,421 different bad usernames this week, with the most popular one being grabes with 19 attempts, followed by NortonPinero with 10. SHOUGEE returns from last week with 3 attempts, mixed in with all sorts of others that I am not going to try to pick through, including ex-users.

My pick for the most ironic source of bad bounces this week has to be AntiSpam.Awesome.net. (No and no, respectively.)

SpamSummary-2007-09-29 written at 00:12:18

2007-09-29

The first rule of free email-based services

The first rule of free email-based services is simple:

Spammers will exploit any way of sending user-supplied text to random email addresses.

Let me repeat that: any way. Any way at all. Spammers are very ingenious, and it does not matter what you call the actual feature; if they can put in user-supplied text and then mail it off to people, they will use it to spam. Since it is 2007 and spam through free webmail providers is not exactly a surprising new development, if you create a feature that allows people to do this and do not give it very good spam protections, you are a moron (or worse).

(It also does not matter if you wrap the user-supplied text in some other text. If the spammers have enough room for even a brief advance fee fraud spam text, they will use it.)

The latest offender here is Google Calendar's 'send a calendar entry to some random email address' feature, but there have been others, including greeting cards ('hi I am sending you this greeting card in the name of MRS MARIAM ABACHA of Nigeria'), invitations to join mailing lists, and even Yahoo's similar feature with their free calendaring service.

(Google Calendar really irritates me, both because abuse@google.com blows you off with an autoresponder claim that no google.com machine emits spam (blatantly false in this case) and because it is probably too important to just block outright.)

FirstFreemailRule written at 17:27:14

2007-09-22

Weekly spam summary on September 22nd, 2007

This week, we:

  • got 11,888 messages from 260 different IP addresses.
  • handled 20,811 sessions from 1,729 different IP addresses.
  • received 271,365 connections from at least 102,972 different IP addresses.
  • hit a highwater of 9 connections being checked at once.

I'm pleased to see connection volume drop significantly from last week. This week's per-day statistics look almost normal, too:

Day         Connections  different IPs
Sunday           46,483        +18,212
Monday           49,646        +17,650
Tuesday          34,683        +14,289
Wednesday        32,308        +13,475
Thursday         38,414        +13,308
Friday           38,751        +14,073
Saturday         31,080        +11,965

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
216.41.61.61          16851    809K
213.180.130.0/24      12063    724K onet.pl
68.230.240.0/23        9770    475K cox.net
213.29.7.0/24          7424    445K centrum.cz
206.123.109.0/27       6497    358K otcpicknews.com
89.18.190.60           5531    332K
195.112.224.80         5026    248K
216.185.19.4           4812    231K
72.249.13.83           4446    244K
193.77.153.1           3675    176K

Volume is once again down from last week. To make up for it, we have another top ten problem source subnet, in this case onet.pl (specifically poczta.onet.pl).

  • 216.41.61.61 is in the DSBL
  • 89.18.190.60, 195.112.224.80, and 216.185.19.4 all kept trying to send us email with origin addresses that had already tripped our spamtraps.
  • 72.249.13.83 is another tendril of the otcpicknews.com empire of unwanted email, and returns from February.
  • 193.77.153.1 kept trying with a bad HELO.

Connection time rejection stats:

  92546 total
  48536 bad or no reverse DNS
  38122 dynamic IP
   3872 class bl-cbl
    421 class bl-pbl
    359 class bl-dsbl
    156 qsnews.net
     99 class bl-sdul
     77 class bl-sbl
     22 class bl-njabl

The highest source of SBL rejections this week was a tie: SBL48694 (returning from last week) and SBL30718 had 13 rejections each. Third place goes to SBL53319 (a /20 listing from May 1st 2007), with 10 rejections.

Seven of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 210.56.124.250 (510 rejections), followed by 121.148.227.160 (482 rejections), 200.107.150.182 (389 rejections), and 210.56.127.222 (328 rejections). Eleven of the top 30 are currently in the CBL, eight are currently in bl.spamcop.net, twenty are in the PBL, and a grand total of twenty three are in zen.spamhaus.org.

(Locally, 22 were rejected for bad or missing reverse DNS, 6 for being dynamic IP addresses, and 2 for being qsnews.net.)

This week, Hotmail had:

  • no messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address.
  • 48 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 4 messages refused due to their origin IP address (one in SBL33955, which dates from 2005, one in SBL36952, which also more or less dates from 2005, one in the CBL, and one from saix.net).

I find it depressing that the two SBL listings above both have example Hotmail-based spam from back then. Almost two years and Hotmail still doesn't seem to give a damn.

And the final numbers:

what          # this week (distinct IPs)  # last week (distinct IPs)
Bad HELOs     1379 (190)                  1522 (180)
Bad bounces    287 (200)                   125 (71)

The leading source of bad HELOs this week was 64.61.89.186 (62 attempts), followed by 64.66.69.182 (61 attempts), 202.64.146.28 (58 attempts), and 64.207.89.21 and 195.172.133.158 (54 attempts each). Interestingly, only the second tried a .local name; one tried a completely impossible name, but the other three tried plausible but nonexistent ones.
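The checks behind this week's numbers, as an added illustration (not the blog's own code): a small connection-time classifier that produces the categories in the rejection stats block (bad or no reverse DNS, dynamic IP, DNSBL class) and the three kinds of bad HELO described above, then tallies a constructed sample of connections. The DNS and zen.spamhaus.org answers are made-up lookup tables so it runs offline, the dynamic-IP heuristic is an assumption rather than the blog's real rule, and the Zen return-code ranges are Spamhaus's documented ones.

```python
import re
from collections import Counter

# Constructed stand-ins for DNS answers (all made up, RFC 5737 ranges) so the
# example runs offline: ip -> (reverse DNS name or None, that name's addresses)
RDNS = {
    "192.0.2.10": ("mail.example.net", {"192.0.2.10"}),
    "192.0.2.11": ("cpe-192-0-2-11.dyn.example.net", {"192.0.2.11"}),
    "192.0.2.12": (None, set()),                           # no PTR at all
    "192.0.2.13": ("smtp.example.org", {"198.51.100.7"}),  # forward mismatch
    "192.0.2.14": ("relay.example.com", {"192.0.2.14"}),
    "192.0.2.15": ("mx.example.edu", {"192.0.2.15"}),
    "192.0.2.16": ("gw.example.com", {"192.0.2.16"}),
}
FORWARD = {name: ips for name, ips in RDNS.values() if name}  # name -> A records
# Constructed zen.spamhaus.org answers keyed by reversed-octet query name. The
# codes follow Zen's ranges: .2-.3 SBL, .4-.7 XBL (CBL data, so bl-cbl), .10-.11 PBL.
ZEN = {"14.2.0.192.zen.spamhaus.org": "127.0.0.2",
       "15.2.0.192.zen.spamhaus.org": "127.0.0.10"}
ZEN_CLASS = {2: "bl-sbl", 3: "bl-sbl", 4: "bl-cbl", 5: "bl-cbl",
             6: "bl-cbl", 7: "bl-cbl", 10: "bl-pbl", 11: "bl-pbl"}
DYNAMIC_WORDS = re.compile(r"(^|[.-])(dyn|dynamic|dhcp|ppp|dsl|cable|cpe|pool)([.-]|$)")
HELO_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")

def looks_dynamic(ip, name):
    """Assumed heuristic, not the blog's rule: octets or a pool word in the rDNS."""
    name = name.lower()
    return (ip in name or "-".join(ip.split(".")) in name
            or DYNAMIC_WORDS.search(name) is not None)

def bad_helo(helo):
    """Why a HELO is unacceptable (the three kinds the summary names), or None."""
    labels = helo.lower().split(".")
    if (len(labels) < 2 or labels[-1].isdigit()
            or not all(HELO_LABEL.match(l) for l in labels)):
        return "impossible name"         # not a FQDN, a bare IP, or bad characters
    if labels[-1] == "local":
        return ".local name"
    if helo.lower() not in FORWARD:
        return "nonexistent name"        # well formed, but resolves to nothing
    return None

def classify(ip, helo):
    """First rejection reason for a connection, or None if it gets past HELO.
    The order follows the stats block: reverse DNS, dynamic IP, DNSBL, HELO."""
    name, addrs = RDNS.get(ip, (None, set()))
    if name is None or ip not in addrs:
        return "bad or no reverse DNS"   # no PTR, or PTR not forward-confirmed
    if looks_dynamic(ip, name):
        return "dynamic IP"
    answer = ZEN.get(".".join(reversed(ip.split("."))) + ".zen.spamhaus.org")
    if answer is not None:
        return "class " + ZEN_CLASS[int(answer.rsplit(".", 1)[1])]
    why = bad_helo(helo)
    return "bad HELO (%s)" % why if why else None

def tally(connections):
    counts = Counter()   # reason -> count, plus a 'total' line like the stats block
    for ip, helo in connections:
        reason = classify(ip, helo)
        if reason is not None:
            counts["total"] += 1
            counts[reason] += 1
    return counts

# Constructed sample 'week' of connections: (source IP, HELO name).
SAMPLE = [("192.0.2.10", "mail.example.net"),      # clean
          ("192.0.2.11", "mail.example.net"),      # dynamic-looking reverse DNS
          ("192.0.2.12", "mail.example.net"),      # no reverse DNS
          ("192.0.2.13", "smtp.example.org"),      # forward/reverse mismatch
          ("192.0.2.14", "relay.example.com"),     # SBL listed
          ("192.0.2.15", "mx.example.edu"),        # PBL listed
          ("192.0.2.16", "gw.local"),              # .local HELO
          ("192.0.2.16", "192.0.2.16"),            # bare IP: impossible as a name
          ("192.0.2.16", "mail.example.invalid")]  # plausible but nonexistent
```

Running tally(SAMPLE) gives 8 rejections out of 9 connections, with forward/reverse mismatches counted alongside missing PTRs under "bad or no reverse DNS".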

Bad bounces were sent to 268 different bad usernames this week, with the most popular one being SHOUGEE with 6 attempts. Other representative bad usernames included oiwzy, kato-ru, golf1992, kakada_Piotrowski, and ElvisDixon; the targets also included several real ex-users and noreply.

My pick for the most amusingly named source of bad bounces this week is littleboy.regenology.co.uk, although kryptonic.ch comes close. Google continues to send us bad bounces, along with the other usual suspects.

SpamSummary-2007-09-22 written at 23:44:46

2007-09-15

Weekly spam summary on September 15th, 2007

This week, we:

  • got 11,963 messages from 272 different IP addresses.
  • handled 20,658 sessions from 1,625 different IP addresses.
  • received 433,498 connections from at least 123,409 different IP addresses.
  • hit a highwater of 8 connections being checked at once.

Volume is down a fair bit from last week, although it is nowhere near the levels I would like it to be at. The daily volume stats show major swings throughout the week:

Day         Connections  different IPs
Sunday           41,934        +18,483
Monday           50,481        +16,750
Tuesday          82,442        +18,106
Wednesday        81,613        +17,540
Thursday         73,869        +19,751
Friday           62,399        +20,100
Saturday         40,760        +12,679

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
206.123.109.0/27      23682   1306K otcpicknews.com
68.230.240.0/23       18260    887K cox.net
72.249.13.81          15825    870K
213.29.7.0/24         11265    676K centrum.cz
71.85.201.136         10054    603K
207.188.79.237         7854    388K
62.105.78.18           6290    302K
67.78.182.166          6090    292K
62.105.73.23           5684    341K
67.101.244.202         5181    249K

Volume is actually down a bit from last week, somewhat to my surprise, apparently because the top sources this week weren't as active as the top sources last week. Also, rather to my shock, most of the webmail advance fee fraud netblocks have fallen out of the top ten.

  • 72.249.13.81 returns from last week and quite a number of weeks before, still beaconresearchnews.com. Apparently they can't take a hint.
  • 71.85.201.136 and 67.101.244.202 are dynamic IP addresses.
  • 207.188.79.237, 62.105.78.18, and 67.78.182.166 kept trying with bad HELO greetings.
  • 62.105.73.23 kept trying to send us phish spam that had already tripped our spamtraps.

Connection time rejection stats:

 192650 total
 106734 bad or no reverse DNS
  75182 dynamic IP
   7801 class bl-cbl
    679 class bl-pbl
    346 class bl-dsbl
    165 class bl-sdul
     91 class bl-njabl
     90 qsnews.net
     68 71.6.140.0/24
     43 class bl-sbl

The 71.6.140.0/24 subnet belongs to something called 'Bushido Marketing', bushidomarketing.com. Due to various events we have decided that we are not interested in accepting email from them; looking at the list of domain names trying to talk to us, I don't think we're missing anything we want. You would think that people who want to have their email accepted would pick better domain names than easyinternetdeal.com, newmoneyonline.com, and hotbusinessforyou.com.

The highest source of SBL rejections this week is SBL48694 with 10 rejections, who return from third place last week.

Sixteen of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 58.34.210.69 (250 rejections), followed by 88.241.170.220 (214 rejections) and 201.220.91.208 (206 rejections). Twenty of the top 30 are currently in the CBL, one is currently in bl.spamcop.net, twenty one are in the PBL, and a grand total of twenty seven are in zen.spamhaus.org.

(Locally, 22 were rejected for bad or missing reverse DNS, 7 for being dynamic IP addresses, and one for being versanet.de.)

This week Hotmail had:

  • 3 messages accepted.
  • 1 message rejected because it came from a non-Hotmail email address.
  • 28 messages sent to our spamtraps.
  • 2 messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in the Cote d'Ivoire.

And the final numbers:

what          # this week (distinct IPs)  # last week (distinct IPs)
Bad HELOs     1522 (180)                  1794 (187)
Bad bounces    125 (71)                    481 (285)

The leading source of bad HELOs this week is 67.104.144.210 (61 attempts), a machine with a terribly generic xo.net reverse DNS and a HELO that ended in .local. Everything else was under 50 attempts.

Bad bounces were sent to 105 different bad usernames this week, with the most popular one being a tie between narcisogxqky and macqueen with 6 attempts each; SHOUGEE made a valiant try with 5 attempts. Other representative bad usernames include KimWhite, tinga188, sat-i, and Raffi187.

This week's most active single source is the informatively named host.vngt.vn; the one I find the most amusing, or perhaps the most apt, is bulk.resource.org. Other contributions came from ezweb.ne.jp, verizon.net, softbank.ne.jp, and to my displeasure, a number from Google.

SpamSummary-2007-09-15 written at 23:37:35

2007-09-08

Weekly spam summary on September 8th, 2007

This week, we:

  • got 10,541 messages from 243 different IP addresses.
  • handled 22,006 sessions from 1,956 different IP addresses.
  • received 515,114 connections from at least 130,401 different IP addresses.
  • hit a highwater of 10 connections being checked at once.

Connection volume has jumped significantly from last week and session volume is up, which suggests that our simplistic greylisting stuff is no longer working quite as well as it used to.

Day         Connections  different IPs
Sunday           66,287        +19,898
Monday           81,716        +20,201
Tuesday          77,800        +22,654
Wednesday        76,168        +20,254
Thursday         79,948        +17,648
Friday           87,905        +16,866
Saturday         45,290        +12,880

If I want to be optimistic I could see the Saturday figure as the spammers behind the onslaught deciding to give up on it for now, but I'm not sure that I'm that optimistic.

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
68.230.240.0/23       24358   1183K cox.net
168.95.4.0/24         24110   1108K hinet.net
64.18.147.0/24        19951   1197K
206.123.109.0/27      19181   1054K otcpicknews.com
72.249.13.81          12028    660K
68.99.120.0/24         8064    379K coxmail.com
68.168.78.0/24         6751    324K adelphia.net
213.29.7.0/24          6508    390K centrum.cz
195.140.132.28         5824    319K
128.121.79.13          4802    237K

This is up significantly from last week, probably partly because I was aggressive about throwing webmail advance fee fraud spam /24s into the kernel blocks.

  • 64.18.147.0/24 is the home of abovev.com, as mentioned last week, along with some fluteu.com hosts.
  • 72.249.13.81 returns from last week and several weeks before. The odds of them getting the hint appear to be low.
  • 195.140.132.28 kept trying with what appears to have been phish spam.
  • 128.121.79.13 returns from last week.

Connection time rejection stats:

 245556 total
 159938 bad or no reverse DNS
  74505 dynamic IP
   7569 class bl-cbl
    784 class bl-pbl
    726 class bl-sbl
    255 class bl-sdul
    228 class bl-dsbl
     14 class bl-njabl

This is up a heck of a lot from last week, which doesn't really surprise me. The highest source of SBL rejections this week is the same as last week: SBL57946, with 536 rejections. Following them is SBL44331, a /24 of the ROKSO-listed Expedite Media Group, with 52 rejections, SBL51995, a machine that seems to have been spamming since March 5th 2007, with 30 rejections, and SBL48694 with 20 rejections.

All thirty of the top 30 most rejected IP addresses this week were rejected 100 times or more. The leader is 89.0.109.102 (1,588 rejections), followed by 58.61.48.1 (913 rejections), 88.238.85.117 (760 rejections), and 77.193.206.154 (608 rejections). Fourteen of the top 30 are currently in the CBL, fifteen are currently in bl.spamcop.net, twenty one are in the PBL, and a grand total of 28 are in zen.spamhaus.org. One of the two IP addresses not in zen.spamhaus.org is in bl.spamcop.net; the other one is a Chinese IP address with no reverse DNS that seems to be running a Microsoft mailer.

(Locally, 29 were rejected for having bad or missing reverse DNS and 1 for being a dynamic IP.)

This week Hotmail had:

  • 3 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 31 messages sent to our spamtraps.
  • 12 messages refused because their sender addresses had already hit our spamtraps.
  • 1 message refused due to its origin IP address being in the CBL.

And the final numbers:

what          # this week (distinct IPs)  # last week (distinct IPs)
Bad HELOs     1794 (187)                   607 (133)
Bad bounces    481 (285)                    51 (23)

The leading source of bad HELOs this week is 65.64.169.122 (81 attempts), followed by 70.54.227.99 (72 attempts), 200.43.240.207 (65 attempts), and 212.113.174.31 (62 attempts). The latter is one of netcabo.pt's outgoing mail servers, and I suspect that we wouldn't want to talk to them even if they could get their HELO names to look good.

Bad bounces were sent to 388 different bad usernames this week, with the most popular one being ShaunStanton with 39 attempts, closely followed by bhikhu_Dagastino with 36 attempts. Other representative bad usernames include lubomila, gojyahyafa, and yama326. One bad bounce was sent to an all-numeric username this week, 92047204.

The leading source of bad bounces this week was 87.216.221.27, followed by 200.198.125.180; other contributions came from the usual suspects, including ezweb.ne.jp and softbank.ne.jp. Several came from Google machines, to my disappointment.

SpamSummary-2007-09-08 written at 23:38:55

2007-09-01

Weekly spam summary on September 1st, 2007

This week, we:

  • got 10,298 messages from 262 different IP addresses.
  • handled 19,100 sessions from 1,599 different IP addresses.
  • received 373,200 connections from at least 118,510 different IP addresses.
  • hit a highwater of 14 connections being checked at once.

This is about the same volume as last week. We continue to have a lot of spam zombies hitting us, but this week they seem to have shifted towards the weekend:

Day         Connections  different IPs
Sunday           64,543        +21,955
Monday           62,519        +18,537
Tuesday          47,022        +17,692
Wednesday        47,829        +15,393
Thursday         43,019        +13,973
Friday           44,451        +14,954
Saturday         63,817        +16,006

Kernel level packet filtering top ten:

Host/Mask           Packets   Bytes
206.123.109.0/27      31267   1720K otcpicknews.com
68.230.240.0/23       18881    917K cox.net
72.249.13.81          12354    679K
128.121.79.13          6214    307K
213.29.7.0/24          6183    371K centrum.cz
204.202.2.242          5048    249K
194.150.111.66         4389    241K
76.204.42.226          4058    192K
24.6.46.2              3347    161K
216.40.44.0/24         2899    159K

Volume is down significantly compared to last week, but the real big news is that several of the usual suspects aren't even in the picture, especially 213.4.149.12, a terra.es mailserver that has been maintaining a death grip on the top slot for several weeks now.

  • 72.249.13.81 returns from last week.
  • 128.121.79.13, 204.202.2.242, and 194.150.111.66 all kept trying to send us email with an origin address that had already tripped our spamtraps.
  • 76.204.42.226 and 24.6.46.2 are both things we consider dynamic IP addresses.

Connection time rejection stats:

 172775 total
  86025 dynamic IP
  76495 bad or no reverse DNS
   7354 class bl-cbl
    592 class bl-pbl
    351 qsnews.net
    291 class bl-sbl
    217 class bl-dsbl
    138 209.74.245.0/26
    137 class bl-sdul
     69 cuttingedgemedia.com
     48 72.18.198.0/24
     10 class bl-njabl

The highest source of SBL rejections this week is SBL57946 with 158 rejections; Spamhaus lists this /28 for having 'spam sources' and quotes a message from fluteu.com for offerm.info. This explains why fluteu.com looked like such a familiar name when I poked into another subnet to see what else it had besides a lot of very active abovev.com hosts (which were sending for one rockc.info). The next SBL listing up is SBL56968 with 36 rejections, an apparently hacked webserver sending advance fee fraud spam, followed by SBL48694 with 26 rejections.

A depressing twenty seven of the top 30 most rejected IP addresses were rejected 100 times or more this week; the leader is 221.6.15.4 (1,004 rejections), followed by 222.103.62.26 (606 rejections), 216.213.172.11 (306 rejections for being qsnews.net), and 81.193.16.157 (202 rejections). Seventeen of the top 30 are currently in the CBL, fourteen are currently in bl.spamcop.net, twenty one are in the PBL, and a grand total of twenty five are in zen.spamhaus.org.

(Locally, 18 were rejected for bad or missing reverse DNS, 10 for being dynamic IPs, 1 for being kornet.net, and 1 for being qsnews.net.)

This week, Hotmail had:

  • 3 messages accepted.
  • no messages rejected because they came from non-Hotmail email addresses.
  • 51 messages sent to our spamtraps.
  • 3 messages refused because their sender addresses had already hit our spamtraps.
  • 7 messages refused due to their origin IP address (two in SBL51609, one in SBL38278, one from saix.net, one from Ghana, one from the Cote d'Ivoire, and one from the United Arab Emirates).

And the final numbers:

what          # this week (distinct IPs)  # last week (distinct IPs)
Bad HELOs      607 (133)                   949 (168)
Bad bounces     51 (23)                    162 (121)

There was no big source of bad HELOs this week; the most prolific source had only 27 rejections.

Bad bounces were sent to 44 different bad usernames this week, with the most popular one being kouta09 with 3 attempts (SHOUGEE, last week's leader, is in a many-way tie for second place at 2 attempts). Other representative bad usernames include cttvlowqneh, t-ishizaka, and LynnHowell; there were also some ex-users. Interestingly, one of the FirstLast bad usernames is the real name of one of our actual users, which I am going to chalk up to complete coincidence.

This week's most amusing source of bad bounces is a US Army machine called bouncedr1.us.army.mil. Otherwise the list of sources is dominated by ezweb.ne.jp, verizon.net, softbank.ne.jp, and Earthlink.

SpamSummary-2007-09-01 written at 23:43:56
