Some spam stats at June 25th, 2005

June 26, 2005

Another Saturday, another set of spam statistics. This week I stopped putting in IP-level blocks for high-rate connection sources so that I could gather more accurate statistics on the various DNS blocklists that we use here.

Most of the statistics are from about 3:20 am Sunday the 19th, when logs rolled over; some are from about 6:10 am that Sunday, when the system rebooted. (Note that many figures are somewhat rounded off.)

The basic statistics are stark:

  • 132,000 SMTP connection attempts since 6am Sunday, from 42,000 different IP addresses.
  • 43,771 connections rejected immediately since 3:20 am Sunday, from 13,256 IP addresses.
    • 50% rejected because they looked too much like dynamically assigned addresses. (22,179 connections from 6,965 IP addresses)
    • 29.5% rejected because they failed our requirements for good reverse DNS. (12,955 connections from 4,485 IP addresses)
    • 15% rejected because of a DNSbl listing. (6,783 connections from 1,721 IP addresses)
  • 33,000 SMTP sessions that were allowed to talk to our actual mailer, from 1,600 IP addresses.
    (That's only 25% of the connections, from 3.8% of the IP addresses.)
  • 6,200 unresolvable HELO names, from 148 IP addresses.
  • 1,800 attempts to send mail to nonexistent local users.
  • 14,000 email messages delivered, from only 220 different IP addresses.

That's right: less than one percent of all IP addresses that connected to our SMTP port sent us any mail. Even if you count only mailers that got through IP-based greylisting and other filtering, only 13.75% actually successfully sent mail.

We do per-IP-address greylisting, so it is probably the cause of the 27,000-address gap between the total number of different IP addresses that connected (42,000) and the number that were either rejected immediately (13,256) or went on to talk to our real mailer (1,600). A legitimate mailer retries after the temporary failure that greylisting returns; these never came back, so such IP addresses are almost certainly compromised 'zombie' machines.

Rejection count by DNS blocklist:

DNSbl                  Count    IPs
CBL                     3508   1319
Spews                   1039     47
SBL                      935     94
list.dsbl.org            464     83
dnsbl.njabl.org          362      8
dul.dnsbl.sorbs.net      254    138
relays.ordb.org          154     10
opm.blitzed.org           67     45

The people blocked by njabl and Spews are clearly the most persistent. Almost all of the njabl rejections were of smtpout.terra.es, which along with most of the persistent Spews sources figured in our firewall rejects last week. (Fortunately, not all of last week's top 20 put in return engagements.)

Our specific filtering of a lot of dynamic addresses before we check DNSbls means that the CBL and the Sorbs DUL are somewhat under-counted, since dynamic addresses are big contributors to the CBL and the only thing that's supposed to be in the DUL.

(Updated: We check DNSbls in the following order, stopping at the first match: SBL, CBL, relays.ordb.org, opm.blitzed.org, list.dsbl.org, Spews, Sorbs DUL, and then dnsbl.njabl.org.)
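As an added example that is not the blog's own code, here is the rejection pipeline that the statistics at the top and the check order in the update describe: a dynamic-looking PTR name is rejected first, then the reverse-DNS requirement is applied, then the DNSbls are queried in the stated order, stopping at the first match, and the outcomes are tallied into per-reason connection and distinct-IP counts the way the opening list is. The DNSbl zone names for SBL, CBL and Spews, the dynamic-name patterns, the rule that a PTR name must resolve forward to the connecting IP, and the log line format are all assumptions; the DNS data and log lines are constructed so that the example runs offline.

```python
import re
from collections import defaultdict

# DNSbl zones in the check order the post gives; the first match wins.
# The post names SBL, CBL and Spews by nickname, so those zone names
# are assumptions.
DNSBL_ORDER = [
    ("SBL", "sbl.spamhaus.org"),
    ("CBL", "cbl.abuseat.org"),
    ("relays.ordb.org", "relays.ordb.org"),
    ("opm.blitzed.org", "opm.blitzed.org"),
    ("list.dsbl.org", "list.dsbl.org"),
    ("Spews", "spews.dnsbl.net.au"),
    ("dul.dnsbl.sorbs.net", "dul.dnsbl.sorbs.net"),
    ("dnsbl.njabl.org", "dnsbl.njabl.org"),
]

# Illustrative "looks dynamically assigned" patterns applied to the PTR
# name.  These are assumptions standing in for the post's own rules.
DYNAMIC_PATTERNS = [
    ("dynamic comcast.net",
     re.compile(r"^c-\d+-\d+-\d+-\d+\.hsd\d+\.\w+\.comcast\.net$")),
    ("dynamic rogers.com",
     re.compile(r"^cpe[0-9a-f-]+\.cpe\.net\.cable\.rogers\.com$", re.I)),
    ("dynamic rr.com cablemodems",
     re.compile(r"^cpe-\d+-\d+-\d+-\d+\.\w+\.res\.rr\.com$")),
    ("dynamic verizon",
     re.compile(r"^pool-\d+-\d+-\d+-\d+\.\w+\.(east|west)\.verizon\.net$")),
]


def dnsbl_qname(ip, zone):
    """Query name a real DNSbl lookup uses: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


class FakeResolver:
    """Stand-in for DNS so the example runs offline.  PTR and A data are
    constructed dicts; a DNSbl listing is just an A record for the query
    name, which is exactly what a real DNSbl answers with."""

    def __init__(self, ptr, a):
        self._ptr = ptr   # ip -> PTR name
        self._a = a       # name -> list of IPs (or DNSbl answer codes)

    def ptr(self, ip):
        return self._ptr.get(ip)

    def a(self, name):
        return self._a.get(name, [])


def classify(ip, resolver):
    """Return ("accept", None) or ("reject", reason), in the post's order:
    dynamic-looking name, reverse-DNS requirements, then DNSbls."""
    name = resolver.ptr(ip)
    if name is not None:
        for reason, pat in DYNAMIC_PATTERNS:
            if pat.match(name):
                return ("reject", reason)
    # 'DNS unknown' in the post means no PTR record at all.
    if name is None:
        return ("reject", "DNS unknown: bad rDNS")
    # Assumption: "good reverse DNS" also requires the PTR name to resolve
    # forward to the connecting IP (forward-confirmed rDNS).
    if ip not in resolver.a(name):
        return ("reject", "bad rDNS: PTR does not resolve back")
    for label, zone in DNSBL_ORDER:
        if resolver.a(dnsbl_qname(ip, zone)):
            return ("reject", "DNSbl " + label)
    return ("accept", None)


def tally(log_lines, resolver):
    """Count connections and distinct IPs per outcome from constructed
    lines of the form 'Jun 25 03:21:07 smtpd connect from 192.0.2.1'."""
    conns = defaultdict(int)
    ips = defaultdict(set)
    line_re = re.compile(r"connect from (\d+\.\d+\.\d+\.\d+)$")
    for line in log_lines:
        m = line_re.search(line)
        if not m:
            continue
        ip = m.group(1)
        verdict, reason = classify(ip, resolver)
        key = reason if verdict == "reject" else "accepted"
        conns[key] += 1
        ips[key].add(ip)
    return {k: (conns[k], len(ips[k])) for k in conns}


# Constructed DNS data (RFC 5737 documentation addresses).
RESOLVER = FakeResolver(
    ptr={
        "192.0.2.1": "c-192-0-2-1.hsd1.ma.comcast.net",   # dynamic-looking
        "192.0.2.2": "mail.example.org",                   # clean sender
        "192.0.2.3": "smtp.example.net",                   # CBL-listed
        "192.0.2.5": "host.example.com",                   # PTR does not match
        # 192.0.2.4 deliberately has no PTR record
    },
    a={
        "mail.example.org": ["192.0.2.2"],
        "smtp.example.net": ["192.0.2.3"],
        "host.example.com": ["198.51.100.9"],
        "3.2.0.192.cbl.abuseat.org": ["127.0.0.2"],
        "3.2.0.192.dnsbl.njabl.org": ["127.0.0.3"],  # never reached: CBL first
    },
)

# Constructed log lines.
LOG = [
    "Jun 25 03:21:07 smtpd connect from 192.0.2.1",
    "Jun 25 03:21:09 smtpd connect from 192.0.2.1",
    "Jun 25 03:21:12 smtpd connect from 192.0.2.2",
    "Jun 25 03:21:30 smtpd connect from 192.0.2.3",
    "Jun 25 03:22:01 smtpd connect from 192.0.2.4",
    "Jun 25 03:22:05 smtpd connect from 192.0.2.5",
]

if __name__ == "__main__":
    for reason, (n, k) in sorted(tally(LOG, RESOLVER).items()):
        print(f"{n:6d} connections from {k} IP addresses: {reason}")
```

Because the DNSbls are checked in a fixed order with an early stop, an IP listed in both the CBL and njabl is counted only against the CBL; that is the same effect the post notes for dynamic-address filtering running ahead of the CBL and the Sorbs DUL, and it is why per-list counts from such a pipeline measure the lists in check order rather than independently.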

More stats:

Top 10 rejection reasons, minus DNSbls:

   5291 DNS unknown: APNIC bad rDNS
   3189 DNS unknown: Korean bad rDNS
   2567 dynamic comcast.net ??
   2105 dynamic rogers.com
   1945 dynamic XXX-YYY comcast.net
   1687 dynamic rr.com cablemodems
   1189 Chinese spam involvement
    925 DNS unknown: misc bad rDNS
    803 DNS unknown: LACNIC bad rDNS
    780 dynamic verizon

('DNS unknown' means that there was no PTR record for the IP address.)

Top 10 rejected IPs:

   1244 24.156.64.52
   1068 210.51.25.177
    479 70.28.124.51
    389 80.19.96.76
    328 213.4.129.48
    298 66.176.226.248
    289 219.71.162.183
    196 219.239.41.163
    192 62.242.198.10
    192 208.188.148.252

Top 10 IPs rejected by IP-level filtering:

Host/Mask           Packets   Bytes
65.214.61.100          6779    325K
212.216.176.0/24       4571    230K
61.128.0.0/10          3660    179K
220.160.0.0/11         2965    152K
219.128.0.0/12         1659   83144
193.41.153.65          1422   68256
218.0.0.0/11           1312   65208
222.32.0.0/11          1040   52056
218.80.0.0/14          1017   48996

(Featuring lots of our usual suspects from last week.)

(If I was a together frood, I would generate nice pie diagrams of all of this. I'm not, so you get ASCII tables.)

Written on 26 June 2005.

Last modified: Sun Jun 26 02:09:01 2005