Some spam stats at June 25th, 2005

June 26, 2005

Another Saturday, another set of spam statistics. This week I stopped putting in IP-level blocks for high-rate connection sources so that I could gather more accurate statistics on the various DNS blocklists that we use here.

Most of the statistics are from about 3:20 am Sunday the 19th, when logs rolled over; some are from about 6:10 am that Sunday, when the system rebooted. (Note that many figures are somewhat rounded off.)

The basic statistics are stark:

  • 132,000 SMTP connection attempts since 6am Sunday, from 42,000 different IP addresses.
  • 43,771 connections rejected immediately since 3:20 am Sunday, from 13,256 IP addresses.
    • 50% rejected because they looked too much like dynamically assigned addresses. (22,179 connections from 6,965 IP addresses)
    • 29.5% rejected because they failed our requirements for good reverse DNS. (12,955 connections from 4,485 IP addresses)
    • 15% rejected because of a DNSbl listing. (6,783 connections from 1,721 IP addresses)
  • 33,000 SMTP sessions that were allowed to talk to our actual mailer, from 1,600 IP addresses.
    (That's only 25% of the connections, from 3.8% of the IP addresses.)
  • 6,200 unresolvable HELO names, from 148 IP addresses.
  • 1,800 attempts to send mail to nonexistent local users.
  • 14,000 email messages delivered, from only 220 different IP addresses.

That's right: less than one percent of all IP addresses that connected to our SMTP port sent us any mail. Even if you count only mailers that got through IP-based greylisting and other filtering, only 13.75% actually successfully sent mail.

We do per-IP-address greylisting, so it is probably the cause of the roughly 27,000-IP-address gap between how many different IP addresses connected in total and how many were either rejected immediately or went on to talk to our real mailer. Such IP addresses are almost certainly compromised 'zombie' machines.

Rejection count by DNS blocklist:

DNSBl           Count   IPs
CBL              3508  1319
Spews            1039    47
SBL               935    94
(name missing)    464    83
(name missing)    362     8
(name missing)    254   138
(name missing)    154    10
(name missing)     67    45

The people blocked by njabl and Spews are clearly the most persistent. Almost all of the njabl rejections were of, which along with most of the persistent Spews sources figured in our firewall rejects last week. (Fortunately, not all of last week's top 20 put in return engagements.)

Our specific filtering of a lot of dynamic addresses before we check DNSbls means that the CBL and the Sorbs DUL are somewhat under-counted, since dynamic addresses are big contributors to the CBL and the only thing that's supposed to be in the DUL.

(Updated: We check DNSbls in the following order, stopping at the first match: SBL, CBL,,,, Spews, Sorbs DUL, and then
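The first-match DNSbl ordering in the update above, and the dynamic-address check that runs ahead of it, as an added Python example that is not the site's own code; the zone names, the dynamic PTR patterns and the sample connections are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# DNSbl chain in the post's order, first match wins. Zone names are
# constructed placeholders, not the zones the site actually queried.
DNSBL_CHAIN = [
    ("SBL", "sbl.example-dnsbl.test"),
    ("CBL", "cbl.example-dnsbl.test"),
    ("Spews", "spews.example-dnsbl.test"),
    ("Sorbs DUL", "dul.example-dnsbl.test"),
]
ZONE = dict(DNSBL_CHAIN)
# Constructed PTR-name patterns standing in for the site's "dynamic" rules.
DYNAMIC_PATTERNS = [re.compile(p) for p in (r"^dyn-", r"cable", r"^\d+-\d+-\d+-\d+\.")]

def dnsbl_query_name(ip, zone):
    """Standard DNSbl query name: IPv4 octets reversed, then the zone."""
    return ".".join(reversed(str(IPv4Address(ip)).split("."))) + "." + zone

def classify(ip, ptr, listed):
    """Rejection reason for one connection, or None if it may proceed. `listed`
    is the set of query names that would return an A record (offline stand-in)."""
    if ptr is None:                      # no PTR record at all
        return "DNS unknown"
    if any(p.search(ptr) for p in DYNAMIC_PATTERNS):
        return "dynamic"                 # rejected before any DNSbl is asked
    for name, zone in DNSBL_CHAIN:
        if dnsbl_query_name(ip, zone) in listed:
            return name                  # later zones never see this IP
    return None

def tally(connections, listed):
    """Per-reason (connections, distinct IPs), like the post's tables."""
    counts, ips = defaultdict(int), defaultdict(set)
    for ip, ptr in connections:
        reason = classify(ip, ptr, listed) or "allowed"
        counts[reason] += 1
        ips[reason].add(ip)
    return {r: (counts[r], len(ips[r])) for r in counts}

# Constructed sample: 192.0.2.10 is on SBL and CBL, 198.51.100.7 on CBL and
# the DUL, 203.0.113.5 is on CBL but has a dynamic-looking PTR name.
SAMPLE_LISTED = {dnsbl_query_name(ip, ZONE[bl]) for ip, bl in [
    ("192.0.2.10", "SBL"), ("192.0.2.10", "CBL"), ("198.51.100.7", "CBL"),
    ("198.51.100.7", "Sorbs DUL"), ("203.0.113.5", "CBL")]}
SAMPLE_CONNECTIONS = [("192.0.2.10", "smtp.spammer.test")] * 3 + [
    ("198.51.100.7", "host7.isp.test"), ("203.0.113.5", "dyn-5.isp.test"),
    ("203.0.113.9", None), ("192.0.2.20", "mail.example.org"),
]
```

In the sample, 198.51.100.7 is credited to the CBL even though it is also on the DUL, and 203.0.113.5 never reaches the CBL at all, which is the under-counting described above.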

More stats:

Top 10 rejection reasons, minus DNSbls:

   5291 DNS unknown: APNIC bad rDNS
   3189 DNS unknown: Korean bad rDNS
   2567 dynamic ??
   2105 dynamic
   1945 dynamic XXX-YYY
   1687 dynamic cablemodems
   1189 Chinese spam involvement
    925 DNS unknown: misc bad rDNS
    803 DNS unknown: LACNIC bad rDNS
    780 dynamic verizon

('DNS unknown' means that there was no PTR record for the IP address.)

Top 10 rejected IPs:


Top 10 IPs rejected by IP-level filtering:

Host/Mask        Packets   Bytes
(host missing)      6779    325K
(host missing)      4571    230K
(host missing)      3660    179K
(host missing)      2965    152K
(host missing)      1659   83144
(host missing)      1422   68256
(host missing)      1312   65208
(host missing)      1040   52056
(host missing)      1017   48996

(Featuring lots of our usual suspects from last week.)

(If I was a together frood, I would generate nice pie diagrams of all of this. I'm not, so you get ASCII tables.)

Written on 26 June 2005.

Last modified: Sun Jun 26 02:09:01 2005