Sunday, December 31. 2006
Where does your spam come from?
Ever wondered where your spam comes from? Some partial answer may be found within. We will also explain why over 98% of the Internet are a good place to be.
I let the SpamAssassin plugin which I wrote in response to SpamAssassin Bug 4770 run for a couple of days on my spamtrap. Then I wrote a small script to group the received spams by ASN (Autonomous System Number) — see the full report data.
Origin by ASN
Not surprisingly, the top spots are large end-user netblocks. “Country-bashing” or “provider-bashing” is not very helpful, because there is a very long tail of ASNs if data is aggregated by country or provider — those with the highest absolute number of computers have by the highest count of originating spam (Mr. Obvious just called…). Overall 6’477 spams originated from 982 unique ASNs
Click to enlarge
Origin by Prefix
There is an even greater variety if we do not only consider the ASNs, but also the prefixes (“IP blocks”) within these ASNs. For example spam from the top spam source (AS3352, Telefonica España) originated from no less than 70 different prefixes; the runner-up (AS3320, Deutsche Telekom) shows up only with 7 different prefixes. However this is not really meaningful, since providers announce prefixes of remarkably different sizes (Deutsche Telekom /10 to /14, Telefonica España mostly /16s).
Overall, spam was received out of 3’686 different prefixes; the distribution is somewhat less skewed than that of the ASNs – only 40 prefixes delivered more than 10 spams. If the data is normalized by the size of the prefixes, the distribution becomes almost “flat”. It’s interesting to note that there is a correlation between smaller prefixes (eg /24) and higher “penetration” of spam sources. This may indicate “dirty networks” rented out to spammers directly which tend to be typically smaller than end-user provider prefixes.
The worst non-ISP prefix happens to be 204.14.0.0/21. Senderbase.org shows that the domain name “sls-hosting.com” (registered to a postal address in Bulgaria with phone numbers in the US and connectivity by Time Warner Telecom) is used for rDNS in that prefix which has a track-record in news.admin.net-abuse.sightings — combined with the token “optin” on all their rDNS names, this looks highly suspicious. Currently only a subset (204.14.1.0/25) of that prefix seems to be used but I guess we will hear more from them in the future.
You can download the prefix distribution data here
Conclusions
Besides being a possible input to bayesian filtering, AS and prefix data are useful tool to identify “hotspots” of spam sources. It is especially useful to identify “dirty netblocks” which are big enough so that activity out of these prefixes remains under the trigger threshold for blacklists.
It would be too dangerous to rely on the gross number of spams out of a given ASN as the sole indicator; it is necessary to also take the size of individual prefixes within a given AS into account and to apply professional judgement by consulting additional sources. The “ratio” column (count * 100 / number of IP addresses) in the above linked prefix distribution data may be a first approximation.
And finally: according to Team Cymru, there are 234’168 announced prefixes on the Internet as of the time of writing this article. We received spam from 3’686 such prefixes, meaning that we did not receive spam from 98.4% of the Internet. Not so bad, after all :-)
Some great statistics there! I’ve noticed the mail from *.sls-hosting.com seems to be delivered using MTAs that pipeline (submit mail before they even see the SMTP greeting). Adding a 30 second initial ‘greet’ delay before the initial SMTP banner seems to work wonders and catches them out :-)
I provided some recent mail from *.sls-hosting.com being dropped to indicate what I mean:
— START —
[root@kangaroo qmail-smtpd]# grep -i .sls-hosting.com @4000000045a11687016a349c.s | tai64nlocal
2007-01-06 17:14:07.411140500 tcpserver: ok 28906 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.94.sls-hosting.com:204.14.1.94::45076
2007-01-06 17:14:27.794723500 tcpserver: ok 28929 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.76.sls-hosting.com:204.14.1.76::9198
2007-01-06 17:14:48.793127500 tcpserver: ok 28958 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.70.sls-hosting.com:204.14.1.70::14940
2007-01-06 19:05:35.414436500 tcpserver: ok 5097 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.99.sls-hosting.com:204.14.1.99::20805
2007-01-06 19:05:56.133262500 tcpserver: ok 5150 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.123.sls-hosting.com:204.14.1.123::36702
2007-01-06 19:06:17.248326500 tcpserver: ok 5196 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.111.sls-hosting.com:204.14.1.111::22004
2007-01-07 02:17:14.746249500 tcpserver: ok 11565 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.126.sls-hosting.com:204.14.1.126::56385
2007-01-07 02:17:35.273960500 tcpserver: ok 11584 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.102.sls-hosting.com:204.14.1.102::27889
2007-01-07 02:17:56.292339500 tcpserver: ok 11636 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.110.sls-hosting.com:204.14.1.110::27655
2007-01-07 07:52:31.431558500 tcpserver: ok 23338 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.72.sls-hosting.com:204.14.1.72::46071
2007-01-07 07:52:51.514216500 tcpserver: ok 23358 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.79.sls-hosting.com:204.14.1.79::4554
2007-01-07 07:53:12.501401500 tcpserver: ok 23408 mail.nfwebsolutions.com:67.19.148.132:25 customer.optindirectmail.71.sls-hosting.com:204.14.1.71::21957
root@kangaroo qmail-smtpd]# grep -iE greeting:.+204.14.1. *
4000000045a11687016a349c.s:40000000459fd8fd2dc09bbc qmail-smtpd: before greeting: [204.14.1.94] client disconnected
4000000045a11687016a349c.s:40000000459fd9122ceb32ec qmail-smtpd: before greeting: [204.14.1.76] client disconnected
4000000045a11687016a349c.s:40000000459fd9272d04315c qmail-smtpd: before greeting: [204.14.1.70] client disconnected
4000000045a11687016a349c.s:40000000459ff31e07b3ded4 qmail-smtpd: before greeting: [204.14.1.99] client disconnected
4000000045a11687016a349c.s:40000000459ff3330c242d5c qmail-smtpd: before greeting: [204.14.1.123] client disconnected
4000000045a11687016a349c.s:40000000459ff3481869dae4 qmail-smtpd: before greeting: [204.14.1.111] client disconnected
4000000045a11687016a349c.s:4000000045a058490dfeb1ec qmail-smtpd: before greeting: [204.14.1.126] client disconnected
4000000045a11687016a349c.s:4000000045a0585e0f19b324 qmail-smtpd: before greeting: [204.14.1.102] client disconnected
4000000045a11687016a349c.s:4000000045a05873105728ac qmail-smtpd: before greeting: [204.14.1.110] client disconnected
4000000045a11687016a349c.s:4000000045a0a6dd1c4ea694 qmail-smtpd: before greeting: [204.14.1.72] client disconnected
4000000045a11687016a349c.s:4000000045a0a6f21b848864 qmail-smtpd: before greeting: [204.14.1.79] client disconnected
4000000045a11687016a349c.s:4000000045a0a7071bbc0384 qmail-smtpd: before greeting: [204.14.1.71] client disconnected
current:@4000000045a15d94155ea26c qmail-smtpd: before greeting: [204.14.1.104] client disconnected
current:@4000000045a15da91564e3fc qmail-smtpd: before greeting: [204.14.1.105] client disconnected
[root@kangaroo qmail-smtpd]#
— END —
Quicksearch
Sicheres E-Mail
CA
Postfix
Cyrus IMAP
Apache
Signieren
Postfix: TLS erzwingen für eingehende / ausgehende Mails
TLS Statistik
Test-Script
OpenSSL Cheat Sheet
