XBL rejection stats, August 6th 2005

August 7, 2005

As a followup to my SBL rejection stats, here are similar numbers for the XBL (which includes the CBL as well as some other sources). Like those stats, this is based on connection time rejections over the the past 28 days and change.

The basic stats are reasonably striking: over that time period, we rejected 34,000 different IP addresses. 13,500 of them (over half) are in the XBL now. (They may or may not have been at the time of their rejection.)

Recast by the number of rejections, we have 110,000 total, of which 43,800 are from XBL-listed IP addresses.

A more interesting breakdown is by the number of IPs in a given ASN; this says more or less what places are the largest problem source for XBL listings.

# of different IPs ASN (owner)
833 AS4766 Korea Telecom
557 AS9318 Hanaro Telecom (Korea)
462 AS6478 AT&T WorldNet
413 AS22909 Comcast Cable
407 AS33287 Comcast Cable
315 AS4837 CNCGROUP China169 Backbone
266 AS7018 AT&T WorldNet
266 AS6830 UPC Distribution Services (Europe)
264 AS12322 Proxad ISP (France)
223 AS22047 VTR BANDA ANCHA S.A. (Chile)
222 AS5617 TPNET Polish Telecom
212 AS19262 Verizon
211 AS17676 Softbank BB Corp (Japan)
206 AS20115 Charter Communications

Many of our friends from the SpamByASN blog entry (which was based on total rejections) show up here again. This helpfully shows how many of our overall rejections are bad sources of zombies and other compromised machines.

Unfortunately the US comes off rather badly in this picture. If I merged ASNs belonging to the same organization, Comcast would be in second place (and not by much) and AT&T WorldNet in third. Please wake up, US cable companies; your zombie spam problem is only going to get worse.

The regular weekly stats

Kernel level filtering:

Host/Mask           Packets   Bytes         5628    270K         5613    269K          4077    195K         3671    180K         3202    159K           3116    146K          3042    183K         2701    130K          2569    129K       2486    128K spent a good chunk of the week heading this list, only to be passed by a China Telecom aggregate at the last minute. Apparently the machine (powerweb2.powerantilles.com, in list.dsbl.org and dnsbl.njabl.org) really got abused this week; a Google search suggests it is some sort of SMTP or web open relay and has been for rather too long. (It's appeared here already, back in SpamSummary-2005-07-23.)

Connection-time rejections:

  22834 total
  10856 dynamic IP
   6680 bad or no reverse DNS
   1496 class bl-cbl
   1025 class bl-ordb
    737 class bl-dsbl
    644 class bl-sbl
    422 class bl-spews
    215 class bl-sdul
    179 class bl-njabl
      8 class bl-opm

I believe the relays.ordb.org and list.dsbl.org high scores comes from a few very active sources, particularly (mail.benefitsplusinc.com, with 450 rejections all on its own), (on ALGX in the US), (server.fondebosque.org.pe), (mail.streambase.no), and (mail.grasskeepers.net).

We had 156,000 connections total from at least 31,500 different IP addresses, which is higher than normal and some other numbers suggest heavy traffic at some points. (My SMTP frontend can report the maximum number of simultaneous connections processed at any one time; this week, it hit 18. Usually it's around 10.)

The usual non-scientific survey suggests that we are once again being forged as the origin on a lot of spam mail. Our rejections of unresolvable HELO greetings are at more than twice last week's volume, and people sending us bounces to nonexistent local users are at about five times last week's rate.

(Please don't suggest that we should use SPF to cut down the bounce volume. It doesn't work.)

Written on 07 August 2005.
« The importance of 'transparency' in data structures
Security is a pain »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Aug 7 03:09:06 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.