Mail rejection stats for our external mail gateway
In my recent spam filtering stats, I noted that some spam was rejected before it made it to the spam tagging and filtering system. Well, here's some stats on roughly that; specifically, on how much email our external mail gateway rejects at SMTP time for various reasons. The numbers here are for almost the same seven day time period as the previous stats; there is about a six and a half hour difference in coverage due to when the two systems roll their logs (one does it at midnight, one does it at 6:30am or so).
So, over seven days we:
- accepted 90,511 email messages in total
- rejected 5,798 MAIL FROMs: 2,690 for having unresolvable domains and 3,108 for being from our domain but having unknown local users.
- rejected 24,876 RCPT TOs, for all sorts of reasons:
  - 13,393 unknown local usernames.
  - 8,350 sender IPs that were in DNS blocklists; 6,496 were in the CBL (which we check first) and 1,854 were in Spamhaus Zen.
  - 2,237 relay attempts; to my surprise, these appear to be real and serious attempts.
  - 778 attempts to mail addresses that don't accept outside email.
  - 117 attempts to send mail to obsolete domains that we explicitly block.
  - 1 attempt by a persistent source that we have specifically blocked from mailing their marketing materials to our NOC address (and they've kept trying for years despite that).
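The DNS blocklist figures above come from checking the CBL first and only consulting Spamhaus Zen when the CBL does not list the client, so each client IP is counted against at most one list. The following is an added illustration of that lookup chain, not code from the post or from our gateway; the zone names `cbl.abuseat.org` and `zen.spamhaus.org` are the public names of those lists and the fake resolver and sample IPs are constructed so it runs offline.

```python
import ipaddress
import socket
from collections import Counter

# Lists in the order the post says we check them: CBL first, then Spamhaus Zen.
# Zone names are assumed here (the public zones for these lists), not taken from the post.
DNSBLS = [("CBL", "cbl.abuseat.org"), ("Zen", "zen.spamhaus.org")]

def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone (IPv4 only here)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def default_resolver(name):
    """Live lookup: the A record for name, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_dnsbls(ip, resolver=default_resolver, lists=DNSBLS):
    """Return (list_name, answer) for the first list that knows the IP, else None.

    Lists are consulted in order and the search stops at the first hit, so an IP
    listed in both the CBL and Zen is attributed to the CBL only, matching how the
    post's 6,496 / 1,854 split was counted."""
    for name, zone in lists:
        answer = resolver(dnsbl_query_name(ip, zone))
        # A listing is a 127.0.0.0/8 answer; 127.255.x.x from Spamhaus signals a
        # query error (blocked or over quota), not a listing, so it is not a hit.
        if answer and answer.startswith("127.") and not answer.startswith("127.255."):
            return name, answer
    return None

def tally_dnsbl_hits(ips, resolver=default_resolver):
    """Count which list caught each client IP, the way the post breaks down its 8,350 hits."""
    counts = Counter()
    for ip in ips:
        hit = check_dnsbls(ip, resolver)
        counts[hit[0] if hit else "not listed"] += 1
    return counts

def fake_resolver(listed):
    """Offline stand-in for DNS: `listed` maps constructed query names to A answers."""
    return lambda name: listed.get(name)
```

With the default resolver the same functions do live lookups, which is fine for a one-off check but not for a busy gateway, where a local caching resolver or the MTA's own DNSBL support should be used instead.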
The two surprises that stand out in this are how frequently spammers attempt to forge email as from our own domains and how many relay attempts there are. I'm not terribly surprised that unresolvable MAIL FROM domains are relatively uncommon; as I've said before, spammers are smart enough to notice what doesn't work, and unresolvable MAIL FROMs haven't worked for a long time.
I'm not going to try to estimate the additional 'real' spam volume here, because in part it depends on your assumptions. For example, should we consider all email rejected due to unresolvable MAIL FROM domains as spam? Probably some of them are simply incompetent but real domains, and only some of them are spammers that are either making up domains or having their domains canceled out from underneath them.
(General information on our spam filtering is in CSLabSpamFiltering. While that was written in 2007, almost nothing has changed since then in our setup although I'm sure that the Sophos PureMessage people have been evolving it madly. Such is one of the benefits of outsourcing most of your anti-spam system.)