June 27, 2005

Last night I shuffled our antispam rules to put checking the CBL before everything, including our per-IP-address greylisting.

Since 3:20am this morning, 83% of our connect-time SMTP rejections have been due to the CBL (4,180 of 5,000 rejections), and those rejections came from 88% of the rejected IP addresses (3,038 of 3,455).

So the simple recommendation seems to be: if you can only deploy one DNS blocklist, use the CBL. (Better yet, use the XBL, since that includes the CBL as well as a few others.)
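To make the ordering concrete, here is an added example (my own illustration, not the rules from this site's mail setup) of a connect-time policy that consults the DNSBL before per-IP greylisting, plus the arithmetic behind the percentages above. The zone name `zen.spamhaus.org` and the XBL return codes `127.0.0.4` to `127.0.0.7` are assumptions to be checked against the zone's current documentation; the resolver, the greylist, and the sample connection log are constructed so the code runs offline.

```python
"""Connect-time SMTP policy: consult the XBL/CBL first, greylist only what survives."""
import ipaddress
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Assumed zone and return codes: Spamhaus ZEN answers 127.0.0.4-127.0.0.7 for
# XBL listings (the XBL includes the CBL data). Verify against the zone's
# current documentation before relying on these values in production.
ZEN_ZONE = "zen.spamhaus.org"
XBL_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}

# A resolver is any callable mapping a query name to its first A record, or
# None for NXDOMAIN. In production wrap a real DNS library; it is pluggable
# here so the policy can be exercised without network access.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the reversed-octet (reversed-nibble for IPv6) DNSBL query name."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer gives '1.2.0.192.in-addr.arpa' or '...ip6.arpa';
    # drop the two-label arpa suffix and append the blocklist zone instead.
    labels = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{labels}.{zone}"


def xbl_listed(ip: str, resolve: Resolver, zone: str = ZEN_ZONE) -> bool:
    """True if the DNSBL answer for this IP is one of the XBL return codes."""
    return resolve(dnsbl_query_name(ip, zone)) in XBL_CODES


class Greylist:
    """Per-IP greylisting: tempfail a new IP until it retries after `delay` seconds."""

    def __init__(self, delay: int = 300):
        self.delay = delay
        self.first_seen: Dict[str, int] = {}
        self.lookups = 0  # how often the greylist actually had to do work

    def allows(self, ip: str, now: int) -> bool:
        self.lookups += 1
        first = self.first_seen.setdefault(ip, now)
        return now - first >= self.delay


def connect_policy(ip: str, now: int, resolve: Resolver, greylist: Greylist) -> Tuple[str, str]:
    """Return (verdict, reason). The DNSBL runs first, so listed zombies never reach the greylist."""
    if xbl_listed(ip, resolve):
        return ("reject", "xbl")
    if not greylist.allows(ip, now):
        return ("tempfail", "greylist")
    return ("accept", "ok")


def rejection_shares(log: List[Tuple[str, str]]) -> Dict[str, float]:
    """Share of connect-time rejections, and of rejected IPs, attributable to the DNSBL."""
    rejected = [(ip, reason) for ip, reason in log if reason != "ok"]
    by_reason = Counter(reason for _, reason in rejected)
    xbl_ips = {ip for ip, reason in rejected if reason == "xbl"}
    rejected_ips = {ip for ip, _ in rejected}
    return {
        "xbl_share_of_rejections": by_reason["xbl"] / len(rejected),
        "xbl_share_of_rejected_ips": len(xbl_ips) / len(rejected_ips),
    }


# Constructed sample data: 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
LISTED = {
    dnsbl_query_name("192.0.2.10"): "127.0.0.4",
    dnsbl_query_name("192.0.2.11"): "127.0.0.6",
}


def sample_resolver(name: str) -> Optional[str]:
    return LISTED.get(name)


def run_sample():
    """Replay a constructed connection sequence (ip, seconds) through the policy."""
    gl = Greylist(delay=300)
    events = [("192.0.2.10", 0), ("192.0.2.11", 1), ("192.0.2.10", 2),
              ("198.51.100.5", 3), ("198.51.100.5", 400), ("192.0.2.10", 500)]
    log = [(ip, connect_policy(ip, t, sample_resolver, gl)[1]) for ip, t in events]
    return log, gl.lookups, rejection_shares(log)


if __name__ == "__main__":
    log, lookups, shares = run_sample()
    for ip, reason in log:
        print(f"{ip:<14} {reason}")
    print(f"greylist lookups: {lookups}")
    print(shares)
```

In the sample, four of the six connection attempts come from listed zombies and are refused before the greylist is consulted, so the greylist does work only twice; the two ratios returned by `rejection_shares` are the same two figures (share of rejections, share of rejected IPs) reported above.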

It's also a depressing testament to just how much of our SMTP load is from compromised zombie machines. Over roughly the same time period, we had successful SMTP connections from only 271 different IP addresses, so around 82% of the IP addresses that tried to talk to us (3,038 CBL-listed out of 3,455 + 271 = 3,726 in total) were zombies. (And probably still are zombies.)

Some of the zombies were pretty persistent about it; top honors go to , with 22 connection attempts refused.

