Some stats and notes on relay attempts for our external mail gateway
October 31, 2012
After discovering something attempting some open relay checks, I got curious about whether this was a one-off or if there were clear signs of other open relay checks. To give you a spoiler, the answer is that I can't completely tell because there is a bunch of noise in my data (and on top of that I'm not sure how to analyze it), but it seems possible.
What I can easily get from Exim's logs is triples of IP address,
(I admit that somewhere around here it becomes very tempting to pour
all of this data into SQLite and start doing ad hoc queries, because
I could really use some
My raw data covers about 90 days of logs and has 18,290 such triples.
These relay attempts come from 1880 different source IPs; out of
these, 540 IPs only occur once (so they connected, did a
The most active source IPs used multiple
(From previous stats I know that
spammers forge a lot of bad local usernames on their
The top destination domains are mostly Asian. Counting only unique would-be recipients (of which there were 17500), the top five domains are:
There were 3104 unique senders and their top five origin domains look sort of similar, but much more evenly distributed:
I think that this is as much random bits and pieces as I want to throw out right now. Part of my problem is that I'm not sure what useful or interesting statistics I can generate from this data, although it feels like there should be something interesting there.
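One way to get the counts described above (triples of source IP, envelope sender and would-be recipient; distinct source IPs and the ones that only occur once; top recipient and sender domains counted over unique addresses) and to act on the temptation to pour it all into SQLite for ad hoc queries. This is an added example, not the author's script or anything from the Exim project: the log lines are constructed, and the regex assumes the usual shape of Exim's "rejected RCPT ... relay not permitted" main-log line, whose H= field varies with Exim version and configuration, so only the bracketed IP and the F=/RCPT fields are relied on. Rejects for other reasons (the forged local usernames the post mentions) deliberately do not match.

```python
import re
import sqlite3

# Constructed sample lines in the shape of Exim main-log rejects; not taken
# from the author's gateway. The last line is a non-relay reject and is
# there to show that it gets filtered out.
SAMPLE_LOG = """\
2012-10-31 10:01:02 H=(mail.example) [192.0.2.10] F=<alice@example.com> rejected RCPT <bob@example.org>: relay not permitted
2012-10-31 10:01:03 H=(mail.example) [192.0.2.10] F=<alice@example.com> rejected RCPT <carol@example.org>: relay not permitted
2012-10-31 10:05:44 H=[198.51.100.7] F=<spam@mailer.test> rejected RCPT <dave@example.net>: relay not permitted
2012-10-31 10:06:01 H=(x) [203.0.113.5] F=<> rejected RCPT <erin@example.org>: relay not permitted
2012-10-31 10:07:00 H=(x) [203.0.113.5] F=<eve@other.test> rejected RCPT <bob@example.org>: relay not permitted
2012-10-31 10:08:00 H=[192.0.2.10] F=<alice@example.com> rejected RCPT <bob@example.org>: relay not permitted
2012-10-31 10:09:00 H=[192.0.2.10] F=<alice@example.com> rejected RCPT <frank@example.co.jp>: relay not permitted
2012-10-31 10:10:00 H=(x) [192.0.2.99] F=<x@example.com> rejected RCPT <local@ourdomain.example>: Unrouteable address
"""

# Assumed line shape: "H=<host/helo stuff> [ip] F=<sender> rejected RCPT <rcpt>: relay not permitted".
# Anything before the bracketed IP is skipped so hostname/HELO variants all match.
RELAY_RE = re.compile(
    r'H=[^\[]*\[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> '
    r'rejected RCPT <(?P<rcpt>[^>]*)>: relay not permitted'
)


def parse_relay_attempts(log_text):
    """Return one (ip, sender, recipient) triple per relay-refused RCPT line.

    Lines rejected for other reasons (unknown local user, etc.) do not match
    and are dropped, which keeps the bad-local-username noise out of the data.
    """
    triples = []
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            triples.append((m['ip'], m['sender'].lower(), m['rcpt'].lower()))
    return triples


def domain_of(addr):
    """Domain part of an address; the empty bounce sender <> gets its own bucket."""
    return addr.rpartition('@')[2] if '@' in addr else '<>'


def load_sqlite(triples):
    """Load the triples into an in-memory SQLite table for ad hoc queries."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE relay (ip TEXT, sender TEXT, rcpt TEXT)')
    db.executemany('INSERT INTO relay VALUES (?, ?, ?)', triples)
    db.create_function('domain', 1, domain_of)   # usable from SQL as domain(col)
    return db


def summarize(db, top=5):
    """The kinds of numbers the post reports, as a dict of query results."""
    def one(sql):
        return db.execute(sql).fetchone()[0]

    return {
        'rows': one('SELECT COUNT(*) FROM relay'),
        'distinct_triples': one('SELECT COUNT(*) FROM (SELECT DISTINCT ip, sender, rcpt FROM relay)'),
        'source_ips': one('SELECT COUNT(DISTINCT ip) FROM relay'),
        'singleton_ips': one('SELECT COUNT(*) FROM (SELECT ip FROM relay GROUP BY ip HAVING COUNT(*) = 1)'),
        'unique_rcpts': one('SELECT COUNT(DISTINCT rcpt) FROM relay'),
        'unique_senders': one('SELECT COUNT(DISTINCT sender) FROM relay'),
        # Count each recipient / sender address once, then rank their domains.
        'top_rcpt_domains': db.execute(
            'SELECT domain(rcpt) AS d, COUNT(*) AS n FROM (SELECT DISTINCT rcpt FROM relay) '
            'GROUP BY d ORDER BY n DESC, d LIMIT ?', (top,)).fetchall(),
        'top_sender_domains': db.execute(
            'SELECT domain(sender) AS d, COUNT(*) AS n FROM (SELECT DISTINCT sender FROM relay) '
            'GROUP BY d ORDER BY n DESC, d LIMIT ?', (top,)).fetchall(),
        # Busiest source IPs: attempts, and how many different envelope senders each used.
        'busiest_ips': db.execute(
            'SELECT ip, COUNT(*) AS n, COUNT(DISTINCT sender) AS s FROM relay '
            'GROUP BY ip ORDER BY n DESC, ip LIMIT ?', (top,)).fetchall(),
    }


def relay_stats(log_text, top=5):
    """Parse, load and summarize in one step; on a real gateway pass the mainlog contents."""
    return summarize(load_sqlite(parse_relay_attempts(log_text)), top)


if __name__ == '__main__':
    for key, value in relay_stats(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Once the rows are in SQLite, questions like "which IPs tried exactly one recipient with a null sender" are a one-line query rather than another ad hoc awk pipeline; for a real 90 days of logs, point `relay_stats` at the concatenated mainlog files and raise `top` as needed.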