Some CBL stats for the week ending on April 22nd, 2006

April 23, 2006

As mentioned in this week's spam summary, this week I decided to change our SMTP frontend's configuration to get statistics on the CBL that were better than my previous quick SMTP connection stats. Now that this week's up, the results are in:

  • the CBL rejected 41% of our incoming SMTP connections this week.
  • 75% of the connections we rejected were rejected for being in the CBL.
  • more tellingly, 85% of the IP addresses that we rejected at connection time were rejected for being in the CBL.

Looking at how often each CBL-listed IP address tried to connect to us:

  1 try    2 tries    3 tries    4 tries    5-10 tries    11-20 tries    more
  61.9%    16.8%      9.3%       3.5%       6.4%          1.3%           0.7%

This is startlingly different from the quick stats from a couple of weeks ago, and I have no explanation for it. It seems that at least this week, most of the zombie machines are not reused; they get one rejection and then that's it. It's possible that current ratware treats 5xx SMTP rejections differently from 4xx rejections; our rejections were all 5xx ones.

Looking only at the IP addresses that tried 11 times or more (494 out of 24,256 total IP addresses), the average is 32 rejections per IP, but the median is 15 rejections, the 75% level is 35 rejections, and the 90% level is 61 rejections. There's one IP with 490 rejections, five with between 200 and 240, 19 with between 100 and 199, 86 with 50 to 99 rejections, and 81 with 20 to 49 rejections. If I knew more about gnuplot, I would do up a nice accumulated density chart or the like.

I did up some rough 'distance' numbers, crudely measuring how far apart the earliest and the latest rejections were for IP addresses that tried more than once. It's a fairly wide distribution; some IP addresses made attempts throughout the entire week (and these were not prolific IP addresses). For example:

  • 59.16.53.89 made 5 attempts between Apr 16 03:40:13 and Apr 23 02:06:56.
  • 211.225.173.48 made 9 attempts between Apr 16 04:11:12 and Apr 23 02:10:23.
  • 81.202.185.180 made 13 attempts between Apr 16 04:28:28 and Apr 23 02:09:50.
  • 81.203.125.210 made 4 attempts between Apr 16 03:55:07 and Apr 23 02:40:46.

I'm wary of my statistical analysis, so I'll just quote one more figure: 41% of the IP addresses that tried more than once made a connection a day (or more) after their first one. (This may be understating the case, since I haven't filtered out IP addresses that first got rejected less than 24 hours ago.)
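As an added illustration (not code from the original post), here is how the try-count table and the "a day or more after the first attempt" figure can be computed from per-connection rejection records, including the 24-hour end-of-window filter the post notes it had not applied. The log format, the sample records and the function names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of CBL rejection records ("date time client-ip"), one per
# rejected connection; a real run would read them from the SMTP frontend's log.
SAMPLE_LOG = """\
2006-04-16 03:40:13 10.0.0.1
2006-04-16 04:11:12 10.0.0.2
2006-04-17 12:00:00 10.0.0.2
2006-04-18 09:30:00 10.0.0.1
2006-04-22 23:59:00 10.0.0.3
2006-04-23 01:00:00 10.0.0.3
2006-04-23 02:06:56 10.0.0.1
2006-04-23 02:10:23 10.0.0.4
"""

# Try-count buckets matching the post's table; None means "no upper bound".
BUCKETS = [(1, 1, "1 try"), (2, 2, "2 tries"), (3, 3, "3 tries"), (4, 4, "4 tries"),
           (5, 10, "5-10 tries"), (11, 20, "11-20 tries"), (21, None, "more")]

def parse_log(text):
    """Return {ip: sorted list of rejection timestamps}."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        date, time, ip = line.split()
        attempts[ip].append(datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in attempts.items()}

def try_histogram(attempts):
    """Fraction of distinct IPs falling in each try-count bucket."""
    counts = [len(ts) for ts in attempts.values()]
    hist = {}
    for lo, hi, label in BUCKETS:
        n = sum(1 for c in counts if c >= lo and (hi is None or c <= hi))
        hist[label] = n / len(counts)
    return hist

def reuse_fraction(attempts, window_end=None, min_gap=timedelta(days=1)):
    """Share of multi-try IPs whose last attempt came min_gap or more after their first.
    IPs first seen less than min_gap before window_end (default: the latest record)
    are dropped, since they have not yet had a chance to come back."""
    if window_end is None:
        window_end = max(ts[-1] for ts in attempts.values())
    eligible = [ts for ts in attempts.values()
                if len(ts) > 1 and window_end - ts[0] >= min_gap]
    reused = sum(1 for ts in eligible if ts[-1] - ts[0] >= min_gap)
    return reused / len(eligible) if eligible else 0.0
```

In the sample, 10.0.0.3 first appeared about two hours before the end of the window, so it is excluded from the reuse figure rather than counted as "not reused".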

Tentative conclusion: zombie machines do get reused, but many of them get reused only slowly.

Finally, let's look at our CBL rejections broken down by their ASN. This is a reasonably good proxy for how much of a zombie source various ISPs and countries are for us.

  # of different IPs    ASN        Owner (country)
  1570                  AS4766     Korea Telecom (Korea)
  1492                  AS4837     China169 (China)
  1106                  AS4134     Chinanet (China)
  900                   AS19262    Verizon (US)
  519                   AS9318     Hanaro (Korea)
  395                   AS12322    Proxad (France)
  384                   AS3352     Telefonica (Spain)
  357                   AS6478     AT&T Worldnet (US)
  355                   AS20115    Charter Communications (US)
  285                   AS5462     Telewest Broadband (England)

Many of the usual suspects from SpamByASN and XBLStats-2005-08-06 show up again, like bad pennies.

(There are probably additional interesting numbers to run that I just can't think of at the moment.)

Written on 23 April 2006.
Last modified: Sun Apr 23 03:35:32 2006