Some spam stats at June 25th, 2005
Another Saturday, another set of spam statistics. This week I stopped putting in IP-level blocks for high-rate connection sources so that I could gather more accurate statistics on the various DNS blocklists that we use here.
Most of the statistics are from about 3:20 am Sunday the 19th, when logs rolled over; some are from about 6:10 am that Sunday, when the system rebooted. (Note that many figures are somewhat rounded off.)
The basic statistics are stark:
- 132,000 SMTP connection attempts since 6am Sunday, from 42,000 different IP addresses.
- 43,771 connections rejected immediately since 3:20 am Sunday, from 13,256 IP addresses.
  - 50% rejected because they looked too much like dynamically assigned addresses. (22,179 connections from 6,965 IP addresses)
  - 29.5% rejected because they failed our requirements for good reverse DNS. (12,955 connections from 4,485 IP addresses)
  - 15% rejected because of a DNSbl listing. (6,783 connections from 1,721 IP addresses)
- 33,000 SMTP sessions that were allowed to talk to our actual mailer, from 1,600 IP addresses. (That's only 25% of the connections, from 3.8% of the IP addresses.)
- 6,200 unresolvable HELO names, from 148 IP addresses.
- 1,800 attempts to send mail to nonexistent local users.
- 14,000 email messages delivered, from only 220 different IP addresses.
That's right: less than one percent of all IP addresses that connected to our SMTP port sent us any mail. Even if you count only mailers that got through IP-based greylisting and other filtering, only 13.75% actually successfully sent mail.
We do per-IP-address greylisting, so it's probably the cause of the 27,000-address gap between how many different IP addresses connected in total and how many were either rejected immediately or went on to connect to our real mailer. Such IP addresses are almost certainly compromised 'zombie' machines.
Rejection count by DNS blocklist:
The people blocked by njabl and Spews are clearly the most persistent. Almost all of the njabl rejections were of smtpout.terra.es, which along with most of the persistent Spews sources figured in our firewall rejects last week. (Fortunately, not all of last week's top 20 put in return engagements.)
Our specific filtering of a lot of dynamic addresses before we check DNSbls means that the CBL and the Sorbs DUL are somewhat under-counted, since dynamic addresses are big contributors to the CBL and the only thing that's supposed to be in the DUL.
(Updated: We check DNSbls in the following order, stopping at the first match: SBL, CBL, relays.ordb.org, opm.blitzed.org, list.dsbl.org, Spews, Sorbs DUL, and then dnsbl.njabl.org.)
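Here is what that first-match ordering looks like as code, and why it skews the per-list counts. This is an added example written for this post, not the mailer's own filtering code. It assumes a few things the post does not spell out: the dynamic-address test is a regex over the PTR name and runs before the no-PTR test, the SBL, CBL, Spews and Sorbs DUL zone names are my guesses (Spews is a deliberate placeholder), and the listing data is constructed by hand so the whole thing runs offline. The four lists the post names as host names are used verbatim.

```python
import ipaddress
import re
from collections import Counter

# DNSbl check order as stated in the post. Zone names for SBL, CBL and
# Sorbs DUL are assumptions; Spews gets an obvious placeholder zone; the
# other four are the host names the post gives.
DNSBL_ORDER = [
    ("SBL", "sbl.spamhaus.org"),
    ("CBL", "cbl.abuseat.org"),
    ("relays.ordb.org", "relays.ordb.org"),
    ("opm.blitzed.org", "opm.blitzed.org"),
    ("list.dsbl.org", "list.dsbl.org"),
    ("Spews", "spews.zone.invalid"),  # placeholder, not a real zone
    ("Sorbs DUL", "dul.dnsbl.sorbs.net"),
    ("njabl", "dnsbl.njabl.org"),
]

# Hypothetical "looks dynamically assigned" heuristic over the PTR name:
# a dyn/dhcp/pool/ppp/cable/dsl label, or a name that starts with the IP.
DYNAMIC_PTR = re.compile(
    r"(^|[.-])(dyn|dhcp|pool|ppp|cable|dsl)[.-]"
    r"|^\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}",
    re.I,
)


def dnsbl_query_name(ip, zone):
    """Standard DNSbl convention: octets reversed, zone appended."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(ip, ptr, listed):
    """Return the first rejection reason for a connection, or None.

    ptr is the reverse-DNS name (None when there is no PTR record).
    listed(qname) -> bool stands in for a DNS lookup of the query name.
    Stage order (dynamic check before the DNSbls) follows the post; the
    relative order of the first two stages is an assumption.
    """
    if ptr is not None and DYNAMIC_PTR.search(ptr):
        return "dynamic"
    if ptr is None:
        return "DNS unknown"
    for label, zone in DNSBL_ORDER:
        if listed(dnsbl_query_name(ip, zone)):
            return "dnsbl:" + label  # stop at the first match
    return None


def tally(connections, listed):
    """Count connections by the reason they were rejected (or accepted)."""
    counts = Counter()
    for ip, ptr in connections:
        counts[classify(ip, ptr, listed) or "accepted"] += 1
    return counts


# Constructed sample connections: (IP, PTR name or None).
SAMPLE = [
    ("192.0.2.10", "dyn-192-0-2-10.example.net"),  # dynamic name, also CBL-listed
    ("192.0.2.11", None),                           # no PTR record at all
    ("192.0.2.12", "mail.example.org"),             # listed in SBL and njabl
    ("192.0.2.13", "smtpout.example.es"),           # listed in njabl only
    ("192.0.2.14", "mx.example.com"),               # clean
]

# Constructed listing data: the set of query names that "resolve".
LISTED = {
    dnsbl_query_name("192.0.2.10", "cbl.abuseat.org"),
    dnsbl_query_name("192.0.2.12", "sbl.spamhaus.org"),
    dnsbl_query_name("192.0.2.12", "dnsbl.njabl.org"),
    dnsbl_query_name("192.0.2.13", "dnsbl.njabl.org"),
}


def sample_tally():
    return tally(SAMPLE, LISTED.__contains__)


if __name__ == "__main__":
    for reason, n in sample_tally().most_common():
        print(f"{n:5d}  {reason}")
```

The tally makes the under-counting concrete: 192.0.2.10 is on the CBL but is recorded as "dynamic" because that stage runs first, and 192.0.2.12 is on both SBL and njabl but only SBL gets the credit. Any per-list count from a first-match chain only says how often that list was the first to fire, not how often it would have fired at all.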
Top 10 rejection reasons, minus DNSbls:
 5291  DNS unknown: APNIC bad rDNS
 3189  DNS unknown: Korean bad rDNS
 2567  dynamic comcast.net ??
 2105  dynamic rogers.com
 1945  dynamic XXX-YYY comcast.net
 1687  dynamic rr.com cablemodems
 1189  Chinese spam involvement
  925  DNS unknown: misc bad rDNS
  803  DNS unknown: LACNIC bad rDNS
  780  dynamic verizon
('DNS unknown' means that there was no PTR record for the IP address.)
Top 10 rejected IPs:
 1244  18.104.22.168
 1068  22.214.171.124
  479  126.96.36.199
  389  188.8.131.52
  328  184.108.40.206
  298  220.127.116.11
  289  18.104.22.168
  196  22.214.171.124
  192  126.96.36.199
  192  188.8.131.52
Top 10 IPs rejected by IP-level filtering:
Host/Mask            Packets   Bytes
184.108.40.206          6779    325K
220.127.116.11/24       4571    230K
18.104.22.168/10        3660    179K
22.214.171.124/11       2965    152K
126.96.36.199/12        1659   83144
188.8.131.52            1422   68256
184.108.40.206/11       1312   65208
220.127.116.11/11       1040   52056
18.104.22.168/14        1017   48996
(Featuring lots of our usual suspects from last week.)
(If I was a together frood, I would generate nice pie diagrams of all of this. I'm not, so you get ASCII tables.)