XBL rejection stats, August 6th 2005
As a followup to my SBL rejection stats, here are similar numbers for the XBL (which includes the CBL as well as some other sources). Like those stats, this is based on connection time rejections over the past 28 days and change.
The basic stats are reasonably striking: over that time period, we rejected 34,000 different IP addresses. 13,500 of them (roughly 40%) are in the XBL now. (They may or may not have been at the time of their rejection.)
Recast by the number of rejections, we have 110,000 total, of which 43,800 are from XBL-listed IP addresses.
A more interesting breakdown is by the number of different IPs in a given ASN; this says more or less which places are the largest sources of XBL-listed machines.
# of different IPs   ASN       (owner)
557                  AS9318    Hanaro Telecom (Korea)
315                  AS4837    CNCGROUP China169 Backbone
266                  AS6830    UPC Distribution Services (Europe)
264                  AS12322   Proxad ISP (France)
223                  AS22047   VTR BANDA ANCHA S.A. (Chile)
222                  AS5617    TPNET Polish Telecom
211                  AS17676   Softbank BB Corp (Japan)
Many of our friends from the SpamByASN blog entry (which was based on total rejections) show up here again. This helpfully shows how many of the largest sources of our overall rejections are really sources of zombies and other compromised machines.
Unfortunately the US comes off rather badly in this picture. If I merged ASNs belonging to the same organization, Comcast would be in second place (and not by much) and AT&T WorldNet in third. Please wake up, US cable companies; your zombie spam problem is only going to get worse.
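As an added illustration (not code from the original post, and not anything from Spamhaus), here is how a tally like the one above can be produced in Python: it counts distinct IPs and total rejections from connection-time rejection logs, checks each IP against the XBL by building the reversed-octet DNSBL query name and interpreting the 127.0.0.x answer codes, and then buckets the listed IPs by ASN. The log line format, the DNSBL answers and the prefix-to-ASN table are all constructed stand-ins (documentation addresses and ASNs) so that it runs offline; a real run would replace the lookup function with an actual DNS query and the table with routing data.

```python
import ipaddress
import re
from collections import Counter

# Spamhaus return codes, as Spamhaus documents them: 127.0.0.2-3 = SBL,
# 127.0.0.4-7 = XBL (CBL and other exploit/proxy data), 127.0.0.10-11 = PBL.
XBL_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}
SBL_CODES = {"127.0.0.2", "127.0.0.3"}

# Constructed rejection log lines (not the post's real log format):
# "<date> <time> reject <client-ip> <reason>". Addresses come from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2005-08-06 00:01:02 reject 192.0.2.10 dynamic IP
2005-08-06 00:01:09 reject 192.0.2.10 dynamic IP
2005-08-06 00:02:15 reject 192.0.2.11 class bl-cbl
2005-08-06 00:03:40 reject 198.51.100.7 bad or no reverse DNS
2005-08-06 00:05:01 reject 203.0.113.250 class bl-sbl
2005-08-06 00:05:44 reject 192.0.2.10 class bl-cbl
2005-08-06 00:06:12 reject 198.51.100.200 dynamic IP
"""

# Constructed DNSBL answers keyed by query name, standing in for a resolver.
# A missing key plays the role of NXDOMAIN (not listed).
FAKE_DNSBL = {
    "10.2.0.192.xbl.spamhaus.org": ["127.0.0.4"],      # CBL data -> XBL
    "11.2.0.192.xbl.spamhaus.org": ["127.0.0.5"],      # XBL
    "250.113.0.203.xbl.spamhaus.org": ["127.0.0.2"],   # SBL code, so not XBL
}

# Constructed prefix -> ASN table (documentation ASNs from RFC 5398).
ASN_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "AS64496"),
    (ipaddress.ip_network("198.51.100.0/24"), "AS64497"),
    (ipaddress.ip_network("203.0.113.0/24"), "AS64498"),
]

LOG_RE = re.compile(r"^\S+ \S+ reject (\S+) (.+)$")


def dnsbl_query_name(ip, zone="xbl.spamhaus.org"):
    """Build the DNSBL lookup name: IPv4 octets reversed, zone appended."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")  # raises if malformed
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Translate the A records a DNSBL returned into listing labels."""
    labels = set()
    for a in answers:
        if a in XBL_CODES:
            labels.add("xbl")
        elif a in SBL_CODES:
            labels.add("sbl")
        elif a.startswith("127.0.0."):
            labels.add("other")
    return labels


def asn_for(ip, table=ASN_TABLE):
    """Longest-prefix match of ip against the prefix table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def parse_rejections(log_text):
    """Yield (ip, reason) for each rejection line; lines that do not parse are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def summarize(log_text, lookup=lambda name: FAKE_DNSBL.get(name, []), table=ASN_TABLE):
    """Distinct IPs, rejections, how many are XBL-listed now, and listed IPs per ASN."""
    per_ip = Counter(ip for ip, _ in parse_rejections(log_text))
    # The lookup happens at report time, so "listed" means listed now,
    # not necessarily at the moment the connection was rejected.
    listed = {ip for ip in per_ip if "xbl" in classify(lookup(dnsbl_query_name(ip)))}
    per_asn = Counter(asn_for(ip, table) or "unknown" for ip in listed)
    return {
        "distinct_ips": len(per_ip),
        "total_rejections": sum(per_ip.values()),
        "xbl_ips": len(listed),
        "xbl_rejections": sum(per_ip[ip] for ip in listed),
        "xbl_ips_by_asn": dict(per_asn),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The per-ASN figure counts distinct listed IPs rather than rejections, matching the table above, because a single noisy host can otherwise make its network look far worse than its neighbours. Note also that the listing check runs at report time, so the numbers carry the same caveat as the post's: an address counted as XBL-listed may not have been listed when it was rejected.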
The regular weekly stats
Kernel level filtering:
Host/Mask            Packets   Bytes
22.214.171.124/13       5628    270K
126.96.36.199           5613    269K
188.8.131.52            4077    195K
184.108.40.206/11       3671    180K
220.127.116.11/12       3202    159K
18.104.22.168           3116    146K
22.214.171.124          3042    183K
126.96.36.199/13        2701    130K
188.8.131.52/10         2569    129K
184.108.40.206/24       2486    128K
220.127.116.11 spent a good chunk of the week heading this list, only to be passed by a China Telecom aggregate at the last minute. Apparently the machine (powerweb2.powerantilles.com, in list.dsbl.org and dnsbl.njabl.org) really got abused this week; a Google search suggests it is some sort of SMTP or web open relay and has been for rather too long. (It's appeared here already, back in SpamSummary-2005-07-23.)
22834 total
10856 dynamic IP
 6680 bad or no reverse DNS
 1496 class bl-cbl
 1025 class bl-ordb
  737 class bl-dsbl
  644 class bl-sbl
  422 class bl-spews
  215 class bl-sdul
  179 class bl-njabl
    8 class bl-opm
I believe the relays.ordb.org and list.dsbl.org high scores come from a few very active sources, particularly 18.104.22.168 (mail.benefitsplusinc.com, with 450 rejections all on its own), 22.214.171.124 (on ALGX in the US), 126.96.36.199 (server.fondebosque.org.pe), 188.8.131.52 (mail.streambase.no), and 184.108.40.206 (mail.grasskeepers.net).
We had 156,000 connections total from at least 31,500 different IP addresses, which is higher than normal and some other numbers suggest heavy traffic at some points. (My SMTP frontend can report the maximum number of simultaneous connections processed at any one time; this week, it hit 18. Usually it's around 10.)
The usual non-scientific survey suggests that we are once again being forged as the origin on a lot of spam mail. Our rejections of unresolvable HELO greetings are at more than twice last week's volume, and people sending us bounces to nonexistent local users are at about five times last week's rate.
(Please don't suggest that we should use SPF to cut down the bounce volume. It doesn't work.)