Wandering Thoughts archives

2005-06-18

SMTP IP firewall stats at June 18th, 2005

We maintain a filter list of bad hosts and network areas that can't talk to our SMTP port at all; their SMTP packets are silently discarded. The filter list is reinitialized each time the server reboots, currently once a week. During the week we dynamically add various spam sources, and high-volume sources of other rejections, to the filters.

Since the server does its weekly reboot at 6 AM Sunday morning, which resets the filter list and its counters, right now (Saturday night) is a great time to pull a top-N summary from the kernel's firewall statistics. So, here are the top 20 sources of rejected packets to this server over the past nearly 7 days:

Host/Mask           Packets   Bytes
213.4.129.48           7768    356K	[a] [njabl]
192.35.251.3           4539    218K	[a] [bad-helo]
61.128.0.0/10          4356    215K
216.7.201.43           4169    200K	[a] [bad-helo]
220.160.0.0/11         3313    161K
195.46.148.28          2955    177K	[a] [baddns]
65.194.220.21          2696    129K	[a] [cbl]
24.156.64.52           2683    129K	[a] [dialup] [cbl]
218.0.0.0/11           2577    126K
213.29.7.174           2492    150K	[a] [njabl]
219.128.0.0/12         2435    123K
65.214.61.100          2425    116K
66.18.69.6             2359    142K	[a] [spews]
24.222.77.233          2088    125K	[a] [flushot]
62.219.46.43           1949   93552	[a] [dialup] [cbl]
193.70.192.0/24        1893   85360
212.47.15.29           1824    109K	[a] [flushot]
12.31.56.73            1719   82512	[a] [bad-helo]
212.216.176.0/24       1654   86576
221.216.0.0/13         1584   78068

The key:

  • [a]: entry was added during the week as a high-count rejection source.
  • [baddns]: IP lacks a good PTR record.
  • [bad-helo]: tried to say hi with a bad SMTP HELO name.
  • [cbl]: IP in cbl.abuseat.org.
  • [dialup]: IP seems to be in a dynamic/dialup address range.
  • [flushot]: IP address sent email to our spamtraps.
  • [njabl]: IP in dnsbl.njabl.org.
  • [spews]: IP in the SPEWS DNSbl.

This isn't a particularly active server for mail in general; we usually get about 1,000 to 2,000 incoming real mail messages a day (mostly from mailing lists).

I believe that 213.4.129.48 (smtpout.terra.es), 213.29.7.174 (mail1002.centrum.cz), and 66.18.69.6 (mailout06.infosat.net) are all involved in providing free email, and apparently doing a bad job of stopping spammers from using it. Both 213.29.7.174 and 66.18.69.6 would also have been rejected by later blocks, blocks we set up because they sent us spam.

Due to a long-term spam problem, we have a number of Chinese netblocks that we aren't interested in accepting email from. In this listing, that's 61.128.0.0/10, 220.160.0.0/11, 218.0.0.0/11, 219.128.0.0/12, and 221.216.0.0/13.

212.216.176.0/24 is tin.it, an Italian ISP that had yet to get HELO greetings correct by the time I gave up and firewalled them.

193.70.192.0/24 is liberato.it, another Italian ISP with a significant spam problem that we've just stopped talking to. (On a quick spot check it seems to also be iol.it; they may have merged, been bought out, or renamed since I put them in our filter list.)

65.214.61.100 kept trying to send us email from the blocked origin address of 'info@salesrecruits.imakenews.net', week after week after week. At some point I just put them in our core filter list instead of adding them every week. I don't consider their continued attempts to send us email despite everything bouncing for months to be a good sign.

Note: because we drop incoming packets from these IP addresses on the floor and don't reply to them in any way, this is not an accurate count of even SMTP connection attempts. A single SMTP connection attempt produces several packets to our SMTP port, because the sender's TCP stack retransmits its unanswered SYN a number of times before giving up; how many times depends on the sender's OS.
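As an added illustration of the two points above (pulling a top-N summary out of a counter dump in the layout of the table, and why a packet count only bounds the number of connection attempts), here is a small Python script. It is not code from the original post. It assumes the table's 'K' suffix means 1000 bytes (what iptables -nvL prints; adjust KILO for a tool that uses 1024), it uses a constructed subset of the table as sample input, and its SYN-retry figure is an assumption about the senders' TCP stacks, not something the page states.

```python
"""Summarise a firewall drop-counter dump in the page's Host/Mask, Packets,
Bytes layout: top-N by packets, which rule swallows a given address, and a
bound on how many connect() attempts a packet count can represent.

Added example, not the original post's code.
"""
import ipaddress
import re
from typing import NamedTuple

# Constructed sample: a subset of the page's table, same layout and tags.
SAMPLE_DUMP = """\
Host/Mask           Packets   Bytes
213.4.129.48           7768    356K    [a] [njabl]
61.128.0.0/10          4356    215K
220.160.0.0/11         3313    161K
62.219.46.43           1949   93552    [a] [dialup] [cbl]
193.70.192.0/24        1893   85360
"""

# Assumption: 'K' is 1000 bytes, as iptables -nvL prints it. Use 1024 if your
# firewall tool scales that way instead.
KILO = 1000

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)(K?)(.*)$")
TAG_RE = re.compile(r"\[([^\]]+)\]")


class Entry(NamedTuple):
    key: str                     # host or CIDR exactly as printed
    net: ipaddress.IPv4Network   # parsed form; a bare host becomes a /32
    packets: int
    nbytes: int
    tags: tuple                  # the page's [a] [njabl] style annotations


def parse_size(digits: str, suffix: str) -> int:
    return int(digits) * (KILO if suffix == "K" else 1)


def parse_dump(text: str) -> list:
    """Parse counter lines; the header and blank lines fail the regex and drop out."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, packets, digits, suffix, rest = m.groups()
        entries.append(Entry(
            key=key,
            net=ipaddress.ip_network(key, strict=False),
            packets=int(packets),
            nbytes=parse_size(digits, suffix),
            tags=tuple(TAG_RE.findall(rest)),
        ))
    return entries


def top_n(entries, n=20):
    """The post's 'top N sources of rejected packets', by packet count."""
    return sorted(entries, key=lambda e: e.packets, reverse=True)[:n]


def covering_entry(entries, ip):
    """Most specific filter entry that would swallow packets from ip, or None.

    Handy when a sender never appears in the SMTP log: this says which host
    or netblock rule is eating it."""
    addr = ipaddress.ip_address(ip)
    hits = [e for e in entries if addr in e.net]
    return max(hits, key=lambda e: e.net.prefixlen, default=None)


def mean_packet_size(entry):
    """Bytes per dropped packet; 40-60 bytes means bare SYNs, i.e. connects."""
    return entry.nbytes / entry.packets


def connection_attempt_bounds(packets, syn_retries=5):
    """(fewest, most) connect() attempts consistent with a packet count.

    We never answer, so each attempt is the first SYN plus up to syn_retries
    retransmissions before the sender's TCP gives up. 5 is an assumption
    about the senders' stacks (the Linux 2.4/2.6 default for
    net.ipv4.tcp_syn_retries; newer kernels default to 6, other OSes differ).
    The floor assumes every sender retried fully; the ceiling assumes none did."""
    per_attempt = syn_retries + 1
    fewest = -(-packets // per_attempt)   # ceiling division
    return fewest, packets


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    for e in top_n(entries, 3):
        lo, hi = connection_attempt_bounds(e.packets)
        print(f"{e.key:<18} {e.packets:>6} pkts {mean_packet_size(e):5.1f} B/pkt"
              f"  ~{lo}-{hi} attempts  {' '.join(e.tags)}")
    hit = covering_entry(entries, "61.130.5.7")
    print("61.130.5.7 is dropped by", hit.key if hit else "no rule")
```

The bytes-per-packet figure is the quick sanity check: around 46 bytes per dropped packet is a TCP SYN with nothing behind it, which is what you expect when nobody ever gets as far as a HELO.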

Disclaimer

By the time you read this, some of these IP addresses may no longer be in the DNSbls listed. Because this is IP level firewalling, we can't say anything definite about whether what these places are trying to send us is spam; we've just decided that we don't want to talk to them at all.

(Some of the SMTP connection attempts are probably for bounce backscatter from spammers forging our domain as the MAIL FROM of their spam runs.)

spam/IPReject-2005-06-18 written at 22:27:45
