== Some spam stats at June 25th, 2005

Another Saturday, another set of spam statistics. This week I stopped putting in IP-level blocks for high-rate connection sources so that I could gather more accurate statistics on the various DNS blocklists that we use here. Most of the statistics are from about 3:20 am Sunday the 19th, when logs rolled over; some are from about 6:10 am that Sunday, when the system rebooted. (Note that many figures are somewhat rounded off.)

The basic statistics are stark:

* 132,000 SMTP connection attempts since 6am Sunday, from 42,000 different IP addresses.
* 43,771 connections rejected immediately since 3:20 am Sunday, from 13,256 IP addresses.
** 50% rejected because they looked too much like dynamically assigned addresses. (22,179 connections from 6,965 IP addresses)
** 29.5% rejected because they failed our requirements for good reverse DNS. (12,955 connections from 4,485 IP addresses)
** 15% rejected because of a DNSbl listing. (6,783 connections from 1,721 IP addresses)
* 33,000 SMTP sessions that were allowed to talk to our actual mailer, from 1,600 IP addresses. \\
  (That's only 25% of the connections, from 3.8% of the IP addresses.)
* 6,200 unresolvable HELO names, from 148 IP addresses.
* 1,800 attempts to send mail to nonexistent local users.
* 14,000 email messages delivered, from only ~~220~~ different IP addresses.

That's right: less than *one percent* of all IP addresses that connected to our SMTP port sent us any mail. Even if you count only mailers that got through IP-based greylisting and other filtering, only 13.75% actually successfully sent mail.

We do per-IP-address greylisting, so it's probably the cause of the 27,000 IP addresses gap between how many total different IP addresses connected and how many IP addresses were either rejected immediately or went on to connect to our real mailer. Such IP addresses are almost certainly compromised 'zombie' machines.

Rejection count by DNS blocklist:

| ~~DNSBl~~ | ~~Count~~ | ~~IPs~~
| CBL | 3508 | 1319
| Spews | 1039 | 47
| SBL | 935 | 94
| list.dsbl.org | 464 | 83
| dnsbl.njabl.org | 362 | 8
| dul.dnsbl.sorbs.net | 254 | 138
| relays.ordb.org | 154 | 10
| opm.blitzed.org | 67 | 45

The people blocked by njabl and Spews are clearly the most persistent. Almost all of the njabl rejections were of _smtpout.terra.es_, which along with most of the persistent Spews sources figured in [[our firewall rejects last week IPReject-2005-06-18]]. (Fortunately, not all of last week's top 20 put in return engagements.)

Our specific filtering of a lot of dynamic addresses before we check DNSbls means that the CBL and the Sorbs DUL are somewhat under-counted, since dynamic addresses are big contributors to the CBL and the only thing that's supposed to be in the DUL.

(~~Updated~~: We check DNSbls in the following order, stopping at the first match: SBL, CBL, relays.ordb.org, opm.blitzed.org, list.dsbl.org, Spews, Sorbs DUL, and then dnsbl.njabl.org.)

=== More stats:

{{CutShort:blog}}

Top 10 rejection reasons, minus DNSbls:

  5291 DNS unknown: APNIC bad rDNS
  3189 DNS unknown: Korean bad rDNS
  2567 dynamic comcast.net ??
  2105 dynamic rogers.com
  1945 dynamic XXX-YYY comcast.net
  1687 dynamic rr.com cablemodems
  1189 Chinese spam involvement
   925 DNS unknown: misc bad rDNS
   803 DNS unknown: LACNIC bad rDNS
   780 dynamic verizon

('DNS unknown' means that there was no PTR record for the IP address.)

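The first-match accounting behind the DNSbl table above, as an added example (not part of the original post or the site's own tooling): it tallies rejections the way a filter that stops at the first matching list would log them, next to how many connections each list actually covers, so the under-counting of later lists and of pre-filtered dynamic addresses becomes visible. The addresses, listings and the `tally` helper are constructed for illustration; only the check order comes from the post.

```python
from collections import defaultdict

# Check order as given in the post; the first list that matches gets the credit.
CHECK_ORDER = ["SBL", "CBL", "relays.ordb.org", "opm.blitzed.org",
               "list.dsbl.org", "Spews", "dul.dnsbl.sorbs.net",
               "dnsbl.njabl.org"]

def tally(connections, listings, prefiltered=frozenset(), order=CHECK_ORDER):
    """Return (credited, listed): blocklist -> (connections, distinct IPs).

    credited: what a first-match filter logs (one list per rejection).
    listed:   every list that carries the IP, whatever rejected it first.
    prefiltered: IPs rejected by earlier rules, so DNSbls are never consulted.
    """
    credited = defaultdict(lambda: [0, set()])
    listed = defaultdict(lambda: [0, set()])
    for ip in connections:
        hits = listings.get(ip, set())
        for bl in hits:                     # independent view: every listing counts
            listed[bl][0] += 1
            listed[bl][1].add(ip)
        if ip in prefiltered:               # e.g. caught by dynamic-address rules
            continue
        first = next((bl for bl in order if bl in hits), None)
        if first is not None:
            credited[first][0] += 1
            credited[first][1].add(ip)

    def summarize(d):
        return {bl: (n, len(ips)) for bl, (n, ips) in d.items()}
    return summarize(credited), summarize(listed)

# Constructed sample data (documentation address ranges), not figures from the post.
LISTINGS = {
    "192.0.2.10": {"CBL", "dul.dnsbl.sorbs.net"},   # zombie on a dynamic address
    "192.0.2.11": {"CBL", "dul.dnsbl.sorbs.net"},
    "198.51.100.7": {"SBL", "Spews"},
    "203.0.113.5": {"dnsbl.njabl.org"},
    "203.0.113.9": {"CBL"},
}
CONNECTIONS = (["192.0.2.10"] * 3 + ["192.0.2.11"] * 2 + ["198.51.100.7"] * 4
               + ["203.0.113.5"] * 6 + ["203.0.113.9"])
PREFILTERED = {"192.0.2.10"}

if __name__ == "__main__":
    credited, listed = tally(CONNECTIONS, LISTINGS, PREFILTERED)
    print(f"{'DNSBl':<22}{'credited':>12}{'listed':>12}")
    for bl in CHECK_ORDER:
        if bl in listed:
            c = credited.get(bl, (0, 0))
            print(f"{bl:<22}{c[0]:>6}/{c[1]:<5}{listed[bl][0]:>6}/{listed[bl][1]:<5}")
```

In the sample, the Sorbs DUL and Spews are credited with nothing even though they list active sources, because the CBL and SBL are checked first.
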
Top 10 rejected IPs:

  1244 24.156.64.52
  1068 210.51.25.177
   479 70.28.124.51
   389 80.19.96.76
   328 213.4.129.48
   298 66.176.226.248
   289 219.71.162.183
   196 219.239.41.163
   192 62.242.198.10
   192 208.188.148.252

Top 10 IPs rejected by IP-level filtering:

  Host/Mask           Packets   Bytes
  65.214.61.100          6779    325K
  212.216.176.0/24       4571    230K
  61.128.0.0/10          3660    179K
  220.160.0.0/11         2965    152K
  219.128.0.0/12         1659   83144
  193.41.153.65          1422   68256
  218.0.0.0/11           1312   65208
  222.32.0.0/11          1040   52056
  218.80.0.0/14          1017   48996

(Featuring lots of our usual suspects from [[last week IPReject-2005-06-18]].)

(If I was a together frood, I would generate nice pie diagrams of all of this. I'm not, so you get ASCII tables.)