SMTP IP firewall stats at June 18th, 2005
We maintain a filter list of bad hosts and network areas that can't talk to our SMTP port at all; their SMTP packets are silently discarded. The filter list is reinitialized each time the server reboots, currently once a week. During the week we add various spam sources and high volume sources of other rejections to the filters on a dynamic basis.
As the server does its weekly reboot at 6 AM Sunday morning, right now is a great time to pull a top-N summary from the kernel's firewall statistics. So, here are the top 20 sources of rejected packets to this server over the past nearly 7 days:
Host/Mask Packets Bytes 188.8.131.52 7768 356K [a] [njabl] 184.108.40.206 4539 218K [a] [bad-helo] 220.127.116.11/10 4356 215K 18.104.22.168 4169 200K [a] [bad-helo] 22.214.171.124/11 3313 161K 126.96.36.199 2955 177K [a] [baddns] 188.8.131.52 2696 129K [a] [cbl] 184.108.40.206 2683 129K [a] [dialup] [cbl] 220.127.116.11/11 2577 126K 18.104.22.168 2492 150K [a] [njabl] 22.214.171.124/12 2435 123K 126.96.36.199 2425 116K 188.8.131.52 2359 142K [a] [spews] 184.108.40.206 2088 125K [a] [flushot] 220.127.116.11 1949 93552 [a] [dialup] [cbl] 18.104.22.168/24 1893 85360 22.214.171.124 1824 109K [a] [flushot] 126.96.36.199 1719 82512 [a] [bad-helo] 188.8.131.52/24 1654 86576 184.108.40.206/13 1584 78068
[a]: entry was added during the week as a high-count rejection source.
[baddns]: IP lacks a good PTR record.
[bad-helo]: tried to say hi with a bad SMTP
[cbl]: IP in
[dialup]: IP seems to be in a dynamic/dialup address range.
[flushot]: IP address sent email to our spamtraps.
[njabl]: IP in
[spews]: IP in the SPEWS DNSbl.
This isn't a particularly active server for mail in general; we usually get about 1,000 to 2,000 incoming real mail messages a day (mostly from mailing lists).
I believe that 220.127.116.11 (smtpout.terra.es), 18.104.22.168 (mail1002.centrum.cz), and 22.214.171.124 (mailout06.infosat.net) are all involved in providing free email. And apparently doing a bad job of stopping spammers from using it. Both 126.96.36.199 and 188.8.131.52 would have been rejected by later blocks as well, blocks we set up due to them sending us spam.
Due to a long-term spam problem, we have a number of Chinese netblocks that we aren't interested in accepting email from. In this listing, that's 184.108.40.206/10, 220.127.116.11/11, 18.104.22.168/11, 22.214.171.124/12, and 126.96.36.199/13.
tin.it, an Italian ISP that had yet to get
HELO greetings correct by the time I gave up and firewalled them.
liberato.it, another Italian ISP with a
significant spam problem that we've just stopped talking to. (On a
quick spot check it seems to also be
iol.it; they may have merged,
been bought out, or renamed since I put them in our filter list.)
188.8.131.52 kept trying to send us email from the blocked origin address of 'firstname.lastname@example.org', week after week after week. At some point I just put them in our core filter list instead of adding them every week. I don't consider their continued attempts to send us email despite everything bouncing for months to be a good sign.
Note: because we drop incoming packets from these IP addresses on the floor and don't reply to them in any way, this is not an accurate count of even SMTP connection attempts. (One SMTP connection attempt will produce a number of packets to our SMTP port, depending on how much their OS retries TCP connection attempts.)
By the time you read this, some of these IP addresses may no longer be in the DNSbls listed. Because this is IP level firewalling, we can't say anything definite about whether what these places are trying to send us is spam; we've just decided that we don't want to talk to them at all.
(Some of the SMTP connection attempts are probably for bounce
backscatter from spammers forging our domain as the
MAIL FROM of
their spam runs.)