PGTS PGTS Pty. Ltd.   ACN: 007 008 568

point Site Navigation

point Other Blog Threads



  Valid HTML 4.01 Transitional

   Stop The Internet Filter!

   No Clean Feed

   The Internet Filter Is An Ex-parrot!






PGTS Humble Blog

Thread: Internet Security/Malware/Spam

GP JPG
The era of the political assassin is over, and thank God for that. -- Tony Abbott, August 2018

Another Spam La Nina Year


Chronogical Blog Entries:



Date: Fri, 31 Aug 2012 23:48:33 +1000

At the end of August, it seems that spam is well settled into a regular business cycle. And there are definite signs of weekly cyclical activity. All indicators point to a big Spammy September.

In a previous blog post, your blogger presented a summary of statistics for the first half of 2012. Since the data gathered before June 2010 does not include firewall and RTBL stats, it is not possible to consolidate this data with earlier data stored in the spam stats database.

All indicators so far are that the we are heading for the annual spring peak in spam. Something dear reader, that you can look forward to with something less than enthusiasm.

Spam Stats PGTS August 2012
Consolidated Stats PGTS Mailhub, August 2012.

After one of the longest droughts on record, the Eastern side of Australia finally experienced some wet weather in 2011 ... And the wet weather continues in 2012. There are however, ominous signs that 2013 will be another El Nino year for Australia. For Australian webizens, however, it seems that every year is a Spam La Nina. When it comes to spam there are no signs of an imminent drought. Rather the reverse in fact, we can expect a flood of spam this spring.

It is also quite interesting to drill down into the figures for August. The following graph shows the daily spam statistics captured at the PGTS mailhub.

Daily Spam Stats PGTS August 2012
Daily Spam Stats PGTS Mailhub, August 2012.

The first trend that is apparent from the above graph is a pronounced spike around Tuesday and Wednesday. It seems that when it comes to spam, we have at least four Super Tuesdays every month! The second trend which is clearly visible is an overall upward trend for the whole month. This seems to confirm that we are heading towards a big spammy September as spammers all around the world get ready for the Spring Festival ... Or should that be "the Autumn Festival"? ... Considering that so many spammers seem to come from the Northern Hemisphere?.

And now that the Olympic season is coming to an end, your blogger can announce the results in spam prevention:

  1. A gold medal for the Spamhaus Zen RTBL which stopped 60% of all inbound spam at the firewall. The Zen RTBL has the advantage of being the first line of defence. And it is particularly effective at taking out Microsoft zombies.
  2. And although in the silver medal position, the Spamcop RTBL does an excellent job of cleaning up the remainder of known spamhubs, swatting down another 26.8% of inbound spam. Between them, these top two defenders knock out 86.8% of inbound spam, stopping them dead in their tracks, as soon as they commence negotiations with the MTA. This represents a considerable saving in bandwidth and processing time.
  3. And although a long way behind these two champions, the indefatigable Spam Assassin, in bronze medal position, does a superb job of taking out 5.4% of all inbound spam. And it is every bit as much a champion as the two RTBLs. Using Bayesian analysis, this first rate open source product also examines the 2% of spam that gets through to user inboxes. It goes after the one thing spammers often change but find difficult to completely disguise ... The content.
  4. Another 3.4% of inbound spam is rejected by postfix. This includes attempting to use RELAY (2.2%) and using malformed email addresses (1.2%).
  5. In humble last position (1.4%) is the watch-dog script written by your own humble blogger, which examines various logfiles and adds suspect hosts to the postfix block list.

And while we are handing out accolades, your blogger must hand out a brick-bat to Microsoft for their useless content filter which is nothing more than thinly-veiled attempt to block any email that is not HTML email formatted like email from Microsoft Outlook. This useless filter does not attempt to examine the content and will automatically reject any text only email. And more brick-bats for the MCEs who upgrade to the latest version of Exchange and leave the worthless "Content Filter" enabled by default.

And some brick-bats for Saudi Arabia India and the USA, who finished as the top three countries for spam in August 2012. And a special dishonourable mention for the USA which consistently finishes in the top three, despite being one of the first countries to pass legislation against spam. Perhaps tax payers would have got better value for money if the US had made a donation to Spamhaus and Spamcop, who do more to combat spam in a single day's operation than the US Govt and enforcement regimes have done since they banned the activity.


Outstanding Contributions to BUCE

What's in a name? That which we call a rose
By any other name would smell as sweet.

-- Romeo and Juliet

While legislation has little effect on the levels of spam ... It has changed the nature of a particular type of spam ... Namely BUCE (Bulk Unsolicited Commercial Email). Prior to the legislation there was little distinction between BUCE and spam. And in your blogger's humble eyes there remains no distinction. These days however, many spammers strive to give the appearance of complying to the requirement that they include "opt-out" provisions with their communications.

The vast majority of spam about Viagra, 911 scams, cheap mortgages and/or Malware/phishing bait are easily removed with the standard tools of RTBL and Spam Assassin.. Persistent BUCE is more difficult to filter and it can take Spam Assassin longer to respond ... Which is all quite reasonable. One would not wish to "assassinate" useful email from genuine mail-lists.

Two case studies of BUCE follow:

Publicity Monster

Recently Age Technology reporter Ben Grubb has written about Timothy Sabre and his company, Publicity Monster, whose attempts at Publicity have back-fired somewhat and proven that there is indeed such a thing as "Bad Publicity". Although your blogger only recently heard about Mr. Sabre, News of his activities, prompted a search of the spam database. As it turned out there has been the occasional unsolicited email sent to this domain from Publicity Monster. A summary follows:
Timestamp AEST IP Address Method Agent Reported "From" Zone
2011-07-21 01:07 208.76.24.51 Reported Spam Assassin news@publicitymonster.com.au
2011-08-31 02:08 208.76.24.42 Reported Spam Assassin info@publicitymonster.com.au
2011-09-20 12:09 208.76.24.39 Reported Spam Assassin info@publicitymonster.com.au
2011-09-20 12:09 208.76.24.39 Reported Spam Assassin info@publicitymonster.com.au
2011-10-04 10:10 208.76.24.48 Reported Spam Assassin adwords@publicitymonster.com.au
2011-10-04 10:10 208.76.24.48 Reported Spam Assassin adwords@publicitymonster.com.au
2011-10-04 10:10 208.76.24.48 Reported Spam Assassin adwords@publicitymonster.com.au
2011-11-01 11:11 208.76.24.47 Content Spam Assassin facebookfans@publicitymonster.com.au
2011-11-01 11:11 208.76.24.47 Content Spam Assassin facebookfans@publicitymonster.com.au
2011-11-17 03:11 208.76.24.40 Reported Spam Assassin adwords@publicitymonster.com.au
2011-11-29 01:11 208.76.24.38 Reported Spam Assassin adwords@publicitymonster.com.au
2011-12-06 02:12 208.76.24.38 Reported Spam Assassin adwords@publicitymonster.com.au
2011-12-13 08:12 208.76.24.38 Reported Spam Assassin adwords@publicitymonster.com.au
2012-01-31 11:01 208.76.24.44 Content Spam Assassin adwords@publicitymonster.com.au
2012-02-21 10:02 208.76.24.43 Reported Spam Assassin adwords@publicitymonster.com.au
2012-03-13 10:03 208.76.24.47 Content Spam Assassin adwords@publicitymonster.com.au
2012-04-03 01:04 208.76.24.40 Content Spam Assassin adwords@publicitymonster.com.au
2012-05-09 10:05 208.76.24.45 Reported Spam Assassin adwords@publicitymonster.com.au

All of the above BUCE was sent to an email address which was most likely harvested by a spambot or hand-spam agent. All of it was blocked by or reported to Spam Assassin. The construction techniques varied ... And included incorrect spellings of the salutation and/or fabricated mis-addressed salutations such as 'Hi Tim ... Thought you might be interested in ...' etc.

The servers which actually dispatched these emails all belonged to the INFUSIONMAIL.COM netblock, registered by GODADDY.COM in Gilbert, Arizona. These servers all appear to be used for "online marketing" and were owned by INFUSIONSOFT.COM, also registered by GODADDY.COM, at the same Arizona address. Infusionsoft offer CRM, Email and Social Marketing and E-commerce services to small businesses.

Cheap Flights (AU)

At the begining of June, a user reported being being annoyed by email from CHEAPFLIGHTS.COM.AU. The email had started arriving in April, and had been sent to various addresses that are published on the Internet. All the mail originated from servers in the same netblock in the CHEAPFLIGHTS.COM.AU domain. This domain is registered by TUCOWS Inc in the name of "Cheapflights Limited UK". It seemed likely that the recipient email addresses had been harvested by spambots and/or hand-spam agents.

In June all the email which had been sent via the mailhub was retrospectively reported to Spam Assassin and the firewall watchdog. The details of the cheapflights BUCE is as follows:
Timestamp AEST IP Address Method Agent Reported "From" Zone
2012-04-12 02:04 82.211.67.35 550 5.1.1 Bad_recipient_addr bounce-18106269-41607386@list.cheapflights.com.au
2012-04-12 01:04 82.211.67.36 550 5.1.1 Bad_recipient_addr bounce-18121496-41607616@list.cheapflights.com.au
2012-04-12 01:04 82.211.67.36 550 5.1.1 Bad_recipient_addr bounce-18121496-41607386@list.cheapflights.com.au
2012-04-28 11:04 82.211.67.35 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-04-28 11:04 82.211.67.35 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-01 01:05 82.211.67.35 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-01 01:05 82.211.67.35 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-01 01:05 82.211.67.37 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-01 01:05 82.211.67.37 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-03 08:05 82.211.67.35 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-03 09:05 82.211.67.36 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-03 09:05 82.211.67.36 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-05 08:05 82.211.67.37 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-05 08:05 82.211.67.37 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-07 09:05 82.211.67.36 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-07 09:05 82.211.67.36 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-09 08:05 82.211.67.35 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-09 08:05 82.211.67.36 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-11 09:05 82.211.67.37 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-14 09:05 82.211.67.36 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-14 09:05 82.211.67.36 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-21 09:05 82.211.67.35 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-21 09:05 82.211.67.35 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-23 09:05 82.211.67.35 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-23 09:05 82.211.67.35 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-25 09:05 82.211.67.37 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-25 09:05 82.211.67.37 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-28 09:05 82.211.67.37 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-28 09:05 82.211.67.37 **Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-05-30 09:05 82.211.67.37 554 5.7.1 Watchdog Reject bounce-18590466-41587200@list.cheapflights.com.au
2012-06-04 09:06 82.211.67.37 554 5.7.1 Watchdog Reject bounce-18624176-41587200@list.cheapflights.com.au
2012-06-07 09:06 82.211.67.37 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-06-07 09:06 82.211.67.37 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-06-09 09:06 82.211.67.37 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-06-09 09:06 82.211.67.37 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-06-11 07:06 82.211.67.36 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-06-11 07:06 82.211.67.36 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-06-15 08:06 82.211.67.36 554 5.7.1 Watchdog Reject bounce-18743692-41587200@list.cheapflights.com.au
2012-06-18 11:06 82.211.67.35 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-06-18 11:06 82.211.67.35 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-06-20 09:06 82.211.67.35 554 5.7.1 Watchdog Reject bounce-18777714-41587200@list.cheapflights.com.au
2012-06-25 11:06 82.211.67.36 554 5.7.1 Watchdog Reject bounce-18800418-41587200@list.cheapflights.com.au
2012-06-25 12:06 82.211.67.36 554 5.7.1 Watchdog Reject bounce-18800422-37414520@list.cheapflights.com.au
2012-06-29 09:06 82.211.67.35 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-06-29 09:06 82.211.67.36 554 5.7.1 Watchdog Reject bounce-18817196-41587200@list.cheapflights.com.au
2012-07-04 09:07 82.211.67.36 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-07-04 09:07 82.211.67.35 554 5.7.1 Watchdog Reject bounce-18831673-37414520@list.cheapflights.com.au
2012-07-06 09:07 82.211.67.36 554 5.7.1 Watchdog Reject bounce-18847508-37414520@list.cheapflights.com.au
2012-07-06 09:07 82.211.67.36 554 5.7.1 Watchdog Reject bounce-18847510-41587200@list.cheapflights.com.au
2012-07-09 09:07 82.211.67.35 554 5.7.1 Watchdog Reject bounce-18872793-41587200@list.cheapflights.com.au
2012-07-11 09:07 82.211.67.37 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-07-11 09:07 82.211.67.36 554 5.7.1 Watchdog Reject bounce-18882186-37414520@list.cheapflights.com.au
2012-07-16 09:07 82.211.67.37 554 5.7.1 Watchdog Reject bounce-18917607-41587200@list.cheapflights.com.au
2012-07-19 11:07 82.211.67.37 554 5.7.1 Watchdog Reject bounce-18949825-41587200@list.cheapflights.com.au
2012-07-25 07:07 82.211.67.35 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-07-30 09:07 82.211.67.36 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-08-02 09:08 82.211.67.35 554 5.7.1 Watchdog Reject bounce-19020858-41587200@list.cheapflights.com.au
2012-08-06 09:08 82.211.67.36 554 5.7.1 Watchdog Reject bounce-19046859-41587200@list.cheapflights.com.au
2012-08-09 09:08 82.211.67.38 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-08-15 11:08 82.211.67.38 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-08-16 09:08 82.211.67.36 550 5.1.1 Bad_recipient_addr bounce-19140072-50255097@list.cheapflights.com.au
2012-08-16 09:08 82.211.67.35 550 5.1.1 Bad_recipient_addr bounce-19140072-50267067@list.cheapflights.com.au
2012-08-21 09:08 82.211.67.38 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-08-23 09:08 82.211.67.35 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-08-27 09:08 82.211.67.36 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-08-27 09:08 82.211.67.35 554 5.7.1 Watchdog Reject bounce-19218507-50255097@list.cheapflights.com.au
2012-08-27 09:08 82.211.67.35 554 5.7.1 Watchdog Reject bounce-19218507-50267067@list.cheapflights.com.au
2012-08-28 09:08 82.211.67.37 Reported Spam Assassin cheapflights@list.cheapflights.com.au
2012-08-28 10:08 82.211.67.37 554 5.7.1 Watchdog Reject bounce-19221646-50255097@list.cheapflights.com.au
2012-08-28 10:08 82.211.67.37 554 5.7.1 Watchdog Reject bounce-19221646-50267067@list.cheapflights.com.au
2012-08-31 09:08 82.211.67.35 554 5.7.1 Watchdog Reject bounce-19232086-41587200@list.cheapflights.com.au

Note: [**] Retrospectively reported.

An interesting trend can be seen in above data. It seems that CHEAPFLIGHTS.COM.AU have a "nice" division and a "not so nice" division. The following table summarises the output from the 4 servers in this netblock:
IP Address Total
82.211.67.35 24
82.211.67.36 23
82.211.67.37 21
82.211.67.38 3

The "not so nice" servers in the three lower addresses are more prolific. The lowest two IP addresses (35 and 36) occasionally employ malformed email addresses. The "nice" server at the highest address, 82.211.67.38, behaves much more politely ... Respectfully sending the occasional email a few times each month to an email that the "not-so-nice" servers have probed. All the email, from nice and not-so nice servers has been carefully constructed, purports to be legitimate and offers "opt-out" provisions in accordance with the "letter of the law". And yet none of the addressees in emails that arrived at the PGTS mailhub had "opted-in" or "signed up" to receive spam from these "mailing lists".

Since the content of these emails has been so carefully crafted, Spam Assassin has been, to date, reluctant to mark it up as "definitely spam" (i.e assign a weight greater than or equal to five). However since being reported to the watch-dog script the content is being constantly logged with Spam Assassin... This will make an interesting test of the algorithms that the watch-dog script employs ... Your blogger will be monitoring this case from time to time, to see how long it takes the automated process to pick up on something which to the human eye is immediately obvious i.e. It is spam --- Or we could be philosophical and ponder the question that Juliet poses --- ("What's in a name?").

Note: The Cisco Ironport Senderbase site, which rates email hubs by their reputation, reports that 82.211.67.38 (nice server) has a "good" reputation, whereas the other servers have "neutral" reputations. Senderbase has put a "red flag" next to 82.211.67.36 (high activity and no reverse lookup).


Both Publicity Monster and Cheap Flights (AU) deserve an award for contributions to BUCE ... And your humble blogger cannot think of an appropriate award ... Perhaps a package of old fish guts and prawn heads wrapped in old newspaper? ... Which certainly would not smell as sweet as a rose ... In fact it might have a distinctly "spammy" odour.


Other Blog Posts In This Thread:

Copyright     2012, Gerry Patterson. All Rights Reserved.