Some spam stats at June 25th, 2005
Another Saturday, another set of spam statistics. This week I stopped putting in IP-level blocks for high-rate connection sources so that I could gather more accurate statistics on the various DNS blocklists that we use here.
Most of the statistics are from about 3:20 am Sunday the 19th, when logs rolled over; some are from about 6:10 am that Sunday, when the system rebooted. (Note that many figures are somewhat rounded off.)
The basic statistics are stark:
- 132,000 SMTP connection attempts since 6am Sunday, from 42,000 different IP addresses.
- 43,771 connections rejected immediately since 3:20 am Sunday, from 13,256 IP addresses.
  - 50% rejected because they looked too much like dynamically assigned addresses. (22,179 connections from 6,965 IP addresses)
  - 29.5% rejected because they failed our requirements for good reverse DNS. (12,955 connections from 4,485 IP addresses)
  - 15% rejected because of a DNSbl listing. (6,783 connections from 1,721 IP addresses)
- 33,000 SMTP sessions that were allowed to talk to our actual mailer, from 1,600 IP addresses. (That's only 25% of the connections, from 3.8% of the IP addresses.)
- 6,200 unresolvable HELO names, from 148 IP addresses.
- 1,800 attempts to send mail to nonexistent local users.
- 14,000 email messages delivered, from only 220 different IP addresses.
That's right: less than one percent of all IP addresses that connected to our SMTP port sent us any mail. Even if you count only mailers that got through IP-based greylisting and other filtering, only 13.75% actually successfully sent mail.
We do per-IP-address greylisting, so it's probably the cause of the gap of about 27,000 IP addresses between how many total different IP addresses connected and how many IP addresses were either rejected immediately or went on to connect to our real mailer. Such IP addresses are almost certainly compromised 'zombie' machines.
Rejection count by DNS blocklist:
The people blocked by njabl and Spews are clearly the most persistent. Almost all of the njabl rejections were of smtpout.terra.es, which along with most of the persistent Spews sources figured in our firewall rejects last week. (Fortunately, not all of last week's top 20 put in return engagements.)
Our specific filtering of a lot of dynamic addresses before we check DNSbls means that the CBL and the Sorbs DUL are somewhat under-counted, since dynamic addresses are big contributors to the CBL and the only thing that's supposed to be in the DUL.
(Updated: We check DNSbls in the following order, stopping at the first match: SBL, CBL, relays.ordb.org, opm.blitzed.org, list.dsbl.org, Spews, Sorbs DUL, and then dnsbl.njabl.org.)
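As an added illustration of why check order matters for the per-list counts (this is example code written for this page, not our mail system's actual code), here is a first-match-wins DNSbl check in the order given above, with the lookup abstracted behind a resolver function so it runs offline against constructed listings. The zone names for SBL, CBL, Spews and the Sorbs DUL are my assumptions about the conventional zones, and the IP addresses and listings are made up; the point is that an address listed in both the CBL and njabl is counted against the CBL, so any list later in the order is under-counted.

```python
"""First-match-wins DNS blocklist check (added example, not the post's own code).

A client IP is queried against blocklist zones in a fixed order and the first
listing wins, which is why lists later in the order get under-counted when an
address appears in several.  Lookups go through a resolver function so the
example runs offline with a constructed resolver.
"""
from collections import Counter
import ipaddress

# Order from the post; the check stops at the first match.  Zone names marked
# "assumed" are conventional names, not stated in the post.
DNSBL_ORDER = [
    "sbl.spamhaus.org",        # SBL (zone name assumed)
    "cbl.abuseat.org",         # CBL (zone name assumed)
    "relays.ordb.org",
    "opm.blitzed.org",
    "list.dsbl.org",
    "spews.dnsbl.sorbs.net",   # Spews (zone name assumed)
    "dul.dnsbl.sorbs.net",     # Sorbs DUL (zone name assumed)
    "dnsbl.njabl.org",
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for an IPv4 address: octets reversed, then
    the zone, so 1.2.3.4 checked against zone.example becomes
    4.3.2.1.zone.example.  Rejects anything that is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def first_listing(ip, resolver, order=DNSBL_ORDER):
    """Return the first zone in `order` that lists `ip`, or None.
    `resolver(name)` returns True when the A lookup for `name` succeeds
    (i.e. the address is listed)."""
    for zone in order:
        if resolver(dnsbl_query_name(ip, zone)):
            return zone
    return None


def count_rejections(connections, resolver, order=DNSBL_ORDER):
    """Attribute each rejected connection attempt to the list that caught it."""
    counts = Counter()
    for ip in connections:
        zone = first_listing(ip, resolver, order)
        if zone is not None:
            counts[zone] += 1
    return counts


# Constructed listings (not real data): the query names that "resolve".
LISTED = {
    dnsbl_query_name("192.0.2.10", "cbl.abuseat.org"),
    dnsbl_query_name("192.0.2.10", "dnsbl.njabl.org"),   # listed in both
    dnsbl_query_name("192.0.2.20", "dnsbl.njabl.org"),
    dnsbl_query_name("192.0.2.30", "dul.dnsbl.sorbs.net"),
}


def fake_resolver(name: str) -> bool:
    """Stand-in for a real DNS A lookup, backed by the constructed set above."""
    return name in LISTED


# Constructed connection log: one entry per connection attempt.
CONNECTIONS = ["192.0.2.10"] * 3 + ["192.0.2.20"] * 2 + ["192.0.2.30", "192.0.2.40"]

if __name__ == "__main__":
    print("post's order:")
    for zone, n in count_rejections(CONNECTIONS, fake_resolver).most_common():
        print(f"  {zone:24s} {n}")
    print("reversed order:")
    reversed_order = list(reversed(DNSBL_ORDER))
    for zone, n in count_rejections(CONNECTIONS, fake_resolver, reversed_order).most_common():
        print(f"  {zone:24s} {n}")
```

Run as-is, the post's order credits the three 192.0.2.10 connections to the CBL and only two to njabl; with the order reversed, njabl gets all five. Any rejection count by DNSbl should be read with the check order in mind.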