Archive for the 'Advertising' Category
Friday, June 27th, 2008 5:54 am
On May 1st, I zapped my 30,000th comment spam. Yesterday was the 40,000th. Here’s a chart of the count, recorded daily. 
And here’s the daily rate, with a peak since May 8th (the end of the last storm) at 160 on June 6th, and a low of one on May 19th. 
Posted in Spam | 1 Comment »
Thursday, June 26th, 2008 11:09 am
This morning I received a string of bot spam attempts from some idiot spammer using the following as his HELO command (yes, including the braces):

HELO {bot_hostname}

Luckily Postfix rejected the conversation immediately.
Posted in Spam | No Comments »
Monday, June 2nd, 2008 4:21 pm
Be careful if using eHealthInsurance.com. They do not honor unsubscribe requests from their mailings. I’d suggest using a unique email address so you can disable it after you’ve used their services. I’ve emailed their privacy office asking about this. If a week goes by, I’ll escalate to TRUSTe. I originally signed up with them on October 9th, 2007, unsubscribed on March 24, 2008 (after they emailed me five months after my last contact with them), and then again today (June 2, 2008) two months after opting out.
Posted in Spam | 3 Comments »
Tuesday, May 6th, 2008 8:11 am
It’s amazing what you find when digging through old backups. Another item I found was my ancient collection of mailboxes for my catchall address. In early February 2007 I finally surrendered to the spammers that were hammering my mail server. There was no hint that the spam rate was going to decrease, so the catchall went away. This chart shows the change, from 61 messages in January 2002, to more than 85,000 in January 2007. It took until May 2002 to break 100; 11 months later to break 1,000; then until October 2004 to shatter the 10K barrier with 12,428. 
If I get a few minutes free (ha!) I’ll re-enable the catchall to see how much garbage comes through.
Posted in Spam | No Comments »
Friday, May 2nd, 2008 4:58 pm
As I mentioned yesterday when I noticed I passed the 30,000 spam comment threshold, the comment spam rate on the blog has gone through the roof. I dug out some of my old backups of my WordPress database and generated this chart showing how many spam comments I’ve received. This chart is from December 14, 2006 (8,105 spam comments) through today (31,601 spam comments). 
This chart shows the daily rate of how many spam comments have been received. The peak before today was December 14-19, when I was getting 143 spam messages per day. Since yesterday the rate has been 1,154 per day. 
Posted in Spam, WordPress | 3 Comments »
Thursday, May 1st, 2008 1:48 pm
I just deleted my 30,000th comment spam. I have no idea how high the count would have been had I not put into place several techniques that automatically block bad commenters. Those that fall into my traps don’t even get entered into the Akismet system, and so aren’t counted. (Addendum 9:32pm: The count is now up to 30,447. That comes to one new spam comment every 63 seconds.)
Posted in Spam, Web-design, WordPress | 2 Comments »
Friday, April 18th, 2008 6:21 am
Has anyone else noticed a large increase in the amount of comment spam that Akismet is missing this week? I’ve tagged and deleted more comment spam in the past week than I have in the past 6 months. I would guess across all of my WordPress sites, I’m manually tagging 10 messages a day. That is a huge increase. Are the spammers simply attacking at a higher rate? Or is Akismet not as effective as it used to be? And why can’t Akismet learn that a comment in the format of: “eight words, all lowercase, all at least 7 letters long, a link inside an anchor tag, then the close tag, then a URL” is spam?

A setting you can make to help under WordPress 2.5: Go to the Settings tab, then the Discussion sub-tab. Under “Comment Moderation” have a “1” for “Hold a comment in the queue if it contains __ or more links.”
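The comment shape described above, together with the "hold if it contains N or more links" setting, written as a small triage check. This is an added example, not code from WordPress or Akismet; the function names, the sample comments and the choice to count links as anchor tags carrying an href are assumptions.

```python
import re

WORD = r"[a-z]{7,}"  # one lowercase word, at least 7 letters long

# Eight such words, an anchor tag with link text, the close tag, then a URL.
SPAM_SHAPE = re.compile(
    r"^\s*(?:%s\s+){8}" % WORD
    + r"(?i:<a\s[^>]*href\s*=[^>]*>)"   # opening anchor tag with an href
    + r"[^<]*"                           # the link text
    + r"(?i:</a>)\s*"                    # the close tag
    + r"(?i:https?://\S+)\s*$"           # then a bare URL, and nothing else
)

# Assumption: a "link" for the moderation threshold is an <a ... href> tag.
ANCHOR = re.compile(r"<a\s[^>]*href", re.IGNORECASE)


def matches_spam_shape(comment):
    """True when the whole comment has the eight-words-plus-link shape."""
    return SPAM_SHAPE.match(comment) is not None


def count_links(comment):
    """Number of anchor tags with an href in the comment body."""
    return len(ANCHOR.findall(comment))


def triage(comment, max_links=1):
    """Return 'spam', 'hold' (moderation queue) or 'approve'."""
    if matches_spam_shape(comment):
        return "spam"
    if count_links(comment) >= max_links:
        return "hold"
    return "approve"


# Constructed sample comments (example domains only).
SPAM = ('freedom network looking through several website content posting '
        '<a href="http://spam.example/">pharmacy</a> http://spam.example/')
LINKED = 'Nice post, see <a href="http://blog.example/">my site</a>'
PLAIN = "Thanks, that setting helped."

if __name__ == "__main__":
    for text in (SPAM, LINKED, PLAIN):
        print(triage(text), "<-", text[:40])
```
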
Posted in Spam, WordPress | No Comments »
Saturday, March 22nd, 2008 11:19 am
While checking my logs from overnight, I saw a huge increase in the amount of spam attempts coming in. Generally I have between 50 and 100 spam attempts per hour coming in. Yesterday, the number started increasing, and is currently running at around 3,000 rejected attempts per hour. Here’s the chart of the number of blocked attempts over the past three days: 
And here is the data just for Friday, March 21, showing the botnet was activated at 8:50pm Eastern time: 
Posted in Spam | No Comments »
Saturday, March 22nd, 2008 10:22 am
A few years ago, there was some spam scam outfit that would send out emails proclaiming “An individual at our website at our website is looking for information regarding: (your email address)” You’d go to the site, pay some money, and find out they really didn’t have any info about you. I received a spam very much like that today, from EHB126.com. Links inside the scam all refer to ehb125.com. Whois lookups show that all numbers from EHB101.com to EHB136.com are registered to the same outfit: ConsumerBase LLC, 1007 Church St. 5th Floor, Evanston, IL 60201, at (847) 866-9600.

From the spam footer:

“We support ethical practices. This email was sent to -address- by ConsumerBase LLC because you have not previously unsubscribed to our email solicitations. By clicking on any link in this email, except the unsubscribe one below, you are reaffirming your interest in receiving future emails. Please know that we respect your right to be taken off our email lists. Removal is automatic through our system. Please click here to start that process.”
Well, let’s see how much is wrong with that statement. (1) They’ve not mailed me before. (2) They confirm they use opt-out to gather their spam lists, not opt-in. (3) Removal is automatic, yet the unsubscribe link only starts the process?

I have also never given “Affirmative Consent” that my email address could be used by this company. In fact the address they sent their garbage to has never been used for any kind of subscription. And interestingly enough, “Affirmative Consent” is exactly 180 degrees backwards from what the footer of this message seems to proclaim. “Affirmative Consent” sounds like confirmed opt-in, not opt-out.

Andy Sernovitz has also run across ConsumerBase before: ConsumerBase, ethics aren’t a game.

I have proactively blocked email from all domains in the range of EHB101.com through EHB136.com from abusing my server. IP addresses include: 69.30.254.114 to .125; and 69.30.202.18 to .44 (but not some in the .30 range).

The IP addresses are all assigned to Wholesaleinternet.com. Abuse report filed with them.
Posted in Spam | 1 Comment »
Friday, February 29th, 2008 11:19 pm
One of my clients complained to me that some of their email wasn’t being delivered. I investigated and discovered that email to them through my server was being bounced. The error message in the maillog was:

Feb 25 10:44:59 server1 postfix/smtp[607]: 852EA400001: to=, relay=mail.global.bigfish.com[216.32.180.22], delay=2, status=bounced (host mail.global.bigfish.com[216.32.180.22] said: 550 Service unavailable; Client host [64.34.170.90] blocked using 88.blacklist.zap; Mail From IP Banned To request removal from this list please forward this message to delist@frontbridge.com (in reply to RCPT TO command))
Visiting Frontbridge.com takes you to a page at Microsoft.com. Frontbridge is apparently Microsoft’s hosted Exchange servers. So I emailed that message to the address given in the bounce message, and got an auto-acknowledgment that they would look into removing my server from the block. This morning I got an email that my IP has been safelisted. But:

“As long as this IP address does not continue to send a majority of spam, messages will continue to be allowed to route through our network. If this IP address gets relisted after a period of time, further assessment of this IP would be required and the removal process would be more difficult.”
So I emailed and asked what spam they think my server had been sending. The response:

“The 88.blacklist.zap is an internal list generated with logs from our spam filtering engines. IP addresses may end up on this list if a certain percentage of the mail received by our network from that IP address is marked as spam by our filters for a given period of time. For example 90 percent of the mail is spam for 15 days. The thresholds are variable and may change as needed to ensure the safety of our network. When the IP address is listed in the blacklist, all emails coming into our network from that IP address are blocked without going further into our filters. We do not keep a copy of spam messages in our server. After the IP address has been safelisted, we cannot provide you traces or logs of spams prior to being delisted.”
So if I have no idea what messages are triggering their alarms, I can’t fight the problem. I can’t even protest, since I don’t think I’m sending spam. Which probably means I’ll be losing a client if I get blacklisted again by Frontbridge.

Through watching the logs, I think I’ve figured it out. I use Mailman to manage mailing lists. For that client, the list is set to reject any message sent to the list from a non-subscriber. That message though is forwarded to the list-owner. So the 100 spam messages that are sent to that list every day were being forwarded to my client. Frontbridge saw those messages and concluded they were spam. I’ve turned that option off, so now my client won’t get those refused messages. Hopefully no one on the list will accidentally use the wrong address to post, because no one will get a warning they tried to do that.
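Since the receiving side keeps no samples, the sender's own maillog is the only record of a listing, and a bounce like the one quoted above can be picked out automatically. This is an added example, not part of the original post: the sample lines are constructed (example domains, documentation IP ranges) and the function names are assumptions; only the log layout and the list name follow the quoted line.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the bounce quoted in the post.
SAMPLE_LOG = """\
Feb 25 10:44:59 server1 postfix/smtp[607]: A1B2C3D4E5: to=<owner@client.example>, relay=mx.filter.example[192.0.2.10], delay=2, status=bounced (host mx.filter.example[192.0.2.10] said: 550 Service unavailable; Client host [198.51.100.25] blocked using 88.blacklist.zap; Mail From IP Banned (in reply to RCPT TO command))
Feb 25 10:45:03 server1 postfix/smtp[611]: A1B2C3D4E6: to=<friend@other.example>, relay=mail.other.example[192.0.2.77], delay=1, status=sent (250 OK)
Feb 25 10:46:10 server1 postfix/smtp[615]: A1B2C3D4E7: to=<gone@other.example>, relay=mail.other.example[192.0.2.77], delay=1, status=bounced (host mail.other.example[192.0.2.77] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Feb 25 10:47:31 server1 postfix/smtp[620]: A1B2C3D4E8: to=<staff@client.example>, relay=mx.filter.example[192.0.2.10], delay=3, status=bounced (host mx.filter.example[192.0.2.10] said: 550 Service unavailable; Client host [198.51.100.25] blocked using 88.blacklist.zap; Mail From IP Banned (in reply to RCPT TO command))
"""

# A bounced delivery: queue id, recipient (may be missing), relay, remote reply.
BOUNCE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=(?:<(?P<rcpt>[^>]*)>)?,.*?"
    r"relay=(?P<relay>[^\[,]+)\[[^\]]+\](?::\d+)?,.*?"
    r"status=bounced \((?P<reply>.*)\)\s*$"
)
# The part of the reply that names our own IP and the list that blocked it.
BLOCKED = re.compile(
    r"Client host \[(?P<client>[^\]]+)\] blocked using (?P<list>[^;\s]+)"
)


def blocklist_bounces(lines):
    """Return one dict per bounce that was caused by a blocklist listing."""
    hits = []
    for line in lines:
        bounce = BOUNCE.search(line)
        if not bounce:
            continue                      # delivered, deferred, or not smtp
        blocked = BLOCKED.search(bounce.group("reply"))
        if not blocked:
            continue                      # ordinary bounce, e.g. unknown user
        hits.append({
            "qid": bounce.group("qid"),
            "rcpt": bounce.group("rcpt"),
            "relay": bounce.group("relay"),
            "client": blocked.group("client"),
            "list": blocked.group("list"),
        })
    return hits


def summarize(lines):
    """Count blocklist bounces per (relay, list) pair for alerting."""
    return Counter((h["relay"], h["list"]) for h in blocklist_bounces(lines))


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG.splitlines()).items():
        print(count, "bounces via", key[0], "listed on", key[1])
```
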
Posted in Spam | 25 Comments »