Wandering Thoughts archives


SMTP IP firewall stats at June 18th, 2005

We maintain a filter list of bad hosts and network areas that can't talk to our SMTP port at all; their SMTP packets are silently discarded. The filter list is reinitialized each time the server reboots, currently once a week. During the week we add various spam sources and high volume sources of other rejections to the filters on a dynamic basis.

As the server does its weekly reboot at 6 AM Sunday morning, right now is a great time to pull a top-N summary from the kernel's firewall statistics. So, here are the top 20 sources of rejected packets to this server over the past nearly 7 days:

Host/Mask           Packets   Bytes           7768    356K	[a] [njabl]           4539    218K	[a] [bad-helo]          4356    215K           4169    200K	[a] [bad-helo]         3313    161K          2955    177K	[a] [baddns]          2696    129K	[a] [cbl]           2683    129K	[a] [dialup] [cbl]           2577    126K           2492    150K	[a] [njabl]         2435    123K          2425    116K             2359    142K	[a] [spews]          2088    125K	[a] [flushot]           1949   93552	[a] [dialup] [cbl]        1893   85360           1824    109K	[a] [flushot]            1719   82512	[a] [bad-helo]       1654   86576         1584   78068

The key:

  • [a]: entry was added during the week as a high-count rejection source.
  • [baddns]: IP lacks a good PTR record.
  • [bad-helo]: tried to say hi with a bad SMTP HELO name.
  • [cbl]: IP in cbl.abuseat.org.
  • [dialup]: IP seems to be in a dynamic/dialup address range.
  • [flushot]: IP address sent email to our spamtraps.
  • [njabl]: IP in dnsbl.njabl.org.
  • [spews]: IP in the SPEWS DNSbl.

This isn't a particularly active server for mail in general; we usually get about 1,000 to 2,000 incoming real mail messages a day (mostly from mailing lists).

I believe that (smtpout.terra.es), (mail1002.centrum.cz), and (mailout06.infosat.net) are all involved in providing free email. And apparently doing a bad job of stopping spammers from using it. Both and would have been rejected by later blocks as well, blocks we set up due to them sending us spam.

Due to a long-term spam problem, we have a number of Chinese netblocks that we aren't interested in accepting email from. In this listing, that's,,,, and is tin.it, an Italian ISP that had yet to get HELO greetings correct by the time I gave up and firewalled them. is liberato.it, another Italian ISP with a significant spam problem that we've just stopped talking to. (On a quick spot check it seems to also be iol.it; they may have merged, been bought out, or renamed since I put them in our filter list.) kept trying to send us email from the blocked origin address of 'info@salesrecruits.imakenews.net', week after week after week. At some point I just put them in our core filter list instead of adding them every week. I don't consider their continued attempts to send us email despite everything bouncing for months to be a good sign.

Note: because we drop incoming packets from these IP addresses on the floor and don't reply to them in any way, this is not an accurate count of even SMTP connection attempts. (One SMTP connection attempt will produce a number of packets to our SMTP port, depending on how much their OS retries TCP connection attempts.)


By the time you read this, some of these IP addresses may no longer be in the DNSbls listed. Because this is IP level firewalling, we can't say anything definite about whether what these places are trying to send us is spam; we've just decided that we don't want to talk to them at all.

(Some of the SMTP connection attempts are probably for bounce backscatter from spammers forging our domain as the MAIL FROM of their spam runs.)

spam/IPReject-2005-06-18 written at 22:27:45; Add Comment

By day for June 2005: 11 12 14 16 17 18 20 21 22 23 24 26 27 28 29; after June.

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.