XBL rejection stats, August 6th 2005

August 7, 2005

As a followup to my SBL rejection stats, here are similar numbers for the XBL (which includes the CBL as well as some other sources). Like those stats, this is based on connection-time rejections over the past 28 days and change.

The basic stats are reasonably striking: over that time period, we rejected 34,000 different IP addresses. 13,500 of them (over half) are in the XBL now. (They may or may not have been at the time of their rejection.)

Recast by the number of rejections, we have 110,000 total, of which 43,800 are from XBL-listed IP addresses.

A more interesting breakdown is by the number of XBL-listed IPs in a given ASN; this more or less says which places are the largest sources of XBL-listed machines.

# of different IPs ASN (owner)
833 AS4766 Korea Telecom
557 AS9318 Hanaro Telecom (Korea)
462 AS6478 AT&T WorldNet
413 AS22909 Comcast Cable
407 AS33287 Comcast Cable
315 AS4837 CNCGROUP China169 Backbone
266 AS7018 AT&T WorldNet
266 AS6830 UPC Distribution Services (Europe)
264 AS12322 Proxad ISP (France)
242 AS4134 CHINANET-BACKBONE
223 AS22047 VTR BANDA ANCHA S.A. (Chile)
222 AS5617 TPNET Polish Telecom
212 AS19262 Verizon
211 AS17676 Softbank BB Corp (Japan)
206 AS20115 Charter Communications

Many of our friends from the SpamByASN blog entry (which was based on total rejections) show up here again. This helpfully shows how much of our overall rejection volume comes from zombies and other compromised machines.

Unfortunately the US comes off rather badly in this picture. If I merged ASNs belonging to the same organization, Comcast would be in second place (and not by much) and AT&T WorldNet in third. Please wake up, US cable companies; your zombie spam problem is only going to get worse.
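As an added example (my own illustration, not a script from this post), here is how the two breakdowns above can be computed from a rejection log: form the reversed-octet DNSBL query name, classify the answer by XBL return code, then count distinct listed IPs per ASN. The log format, the IP-to-ASN map and the resolver are constructed stand-ins; the 127.0.0.4-127.0.0.7 XBL return-code range is an assumption about current Spamhaus codes.

```python
# Added example: reproducing the XBL/ASN breakdown from a connection-time rejection log.
# The log format, ASN map and resolver below are constructed for the demo; a real run
# would resolve the query names under xbl.spamhaus.org with a DNS library.
from collections import Counter
import ipaddress

XBL_ZONE = "xbl.spamhaus.org"

# Constructed sample: one "IP reason" line per rejected connection.
SAMPLE_LOG = """\
219.144.10.5 dynamic
219.144.10.5 dynamic
210.90.1.7 bl-cbl
210.90.1.7 bl-cbl
210.90.1.7 bl-cbl
68.40.2.3 no-rdns
68.40.2.9 bl-cbl
12.1.1.1 bl-sbl
"""

# Constructed IP -> ASN map (stands in for a route/whois lookup).
ASN_OF = {"219.144.10.5": "AS4134", "210.90.1.7": "AS4766",
          "68.40.2.3": "AS22909", "68.40.2.9": "AS22909", "12.1.1.1": "AS7018"}

def dnsbl_name(ip, zone=XBL_ZONE):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_xbl_listed(answer):
    """XBL hits answer 127.0.0.4-127.0.0.7 (assumed codes); None means NXDOMAIN."""
    if answer is None:
        return False
    a = ipaddress.IPv4Address(answer)
    return ipaddress.IPv4Address("127.0.0.4") <= a <= ipaddress.IPv4Address("127.0.0.7")

# Constructed resolver: query name -> answer; missing names are "not listed".
FAKE_DNS = {dnsbl_name("210.90.1.7"): "127.0.0.4", dnsbl_name("68.40.2.9"): "127.0.0.5",
            dnsbl_name("12.1.1.1"): "127.0.0.2"}  # 127.0.0.2 is an SBL code, not XBL

def xbl_stats(log_text, asn_of, resolve):
    """Return distinct/total counts and the per-ASN count of XBL-listed IPs."""
    per_ip = Counter(line.split()[0] for line in log_text.splitlines() if line.strip())
    listed = {ip for ip in per_ip if is_xbl_listed(resolve(dnsbl_name(ip)))}
    by_asn = Counter(asn_of.get(ip, "unknown") for ip in listed)
    return {"distinct_ips": len(per_ip), "distinct_listed": len(listed),
            "rejections": sum(per_ip.values()),
            "rejections_listed": sum(n for ip, n in per_ip.items() if ip in listed),
            "listed_ips_by_asn": by_asn.most_common()}

if __name__ == "__main__":
    print(xbl_stats(SAMPLE_LOG, ASN_OF, FAKE_DNS.get))
```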

The regular weekly stats

Kernel level filtering:

Host/Mask           Packets   Bytes
219.144.0.0/13         5628    270K
194.250.136.10         5613    269K
67.154.50.146          4077    195K
220.160.0.0/11         3671    180K
219.128.0.0/12         3202    159K
209.45.41.98           3116    146K
85.92.129.231          3042    183K
221.216.0.0/13         2701    130K
61.128.0.0/10          2569    129K
212.216.176.0/24       2486    128K

194.250.136.10 spent a good chunk of the week heading this list, only to be passed by a China Telecom aggregate at the last minute. Apparently the machine (powerweb2.powerantilles.com, in list.dsbl.org and dnsbl.njabl.org) really got abused this week; a Google search suggests it is some sort of SMTP or web open relay and has been for rather too long. (It's appeared here already, back in SpamSummary-2005-07-23.)

Connection-time rejections:

  22834 total
  10856 dynamic IP
   6680 bad or no reverse DNS
   1496 class bl-cbl
   1025 class bl-ordb
    737 class bl-dsbl
    644 class bl-sbl
    422 class bl-spews
    215 class bl-sdul
    179 class bl-njabl
      8 class bl-opm

I believe the relays.ordb.org and list.dsbl.org high scores come from a few very active sources, particularly 216.215.149.146 (mail.benefitsplusinc.com, with 450 rejections all on its own), 67.154.50.146 (on ALGX in the US), 209.45.41.98 (server.fondebosque.org.pe), 217.144.239.115 (mail.streambase.no), and 64.7.8.202 (mail.grasskeepers.net).

We had 156,000 connections total from at least 31,500 different IP addresses, which is higher than normal, and some other numbers suggest heavy traffic at some points. (My SMTP frontend can report the maximum number of simultaneous connections processed at any one time; this week it hit 18. Usually it's around 10.)

The usual non-scientific survey suggests that we are once again being forged as the origin on a lot of spam mail. Our rejections of unresolvable HELO greetings are at more than twice last week's volume, and people sending us bounces to nonexistent local users are at about five times last week's rate.

(Please don't suggest that we should use SPF to cut down the bounce volume. It doesn't work.)

Written on 07 August 2005.
Last modified: Sun Aug 7 03:09:06 2005