== [[XBL|http://www.spamhaus.org/xbl/]] rejection stats, August 6th 2005

As a followup to my [[SBL rejection stats|SBLProblemSources]], here are similar numbers for the [[XBL]] (which includes the CBL as well as some other sources). Like those stats, this is based on connection time rejections over the past 28 days and change.

The basic stats are reasonably striking: over that time period, we rejected 34,000 different IP addresses. 13,500 of them (over half) are in the [[XBL]] now. (They may or may not have been at the time of their rejection.) Recast by the number of rejections, we have 110,000 total, of which 43,800 are from [[XBL]]-listed IP addresses.

A more interesting breakdown is by the number of IPs in a given ASN; this says more or less what places are the largest problem source for [[XBL]] listings.

| # of different IPs | ASN | (owner) |
| 833 | [[AS4766|http://bgp.potaroo.net/cgi-bin/as-report?as=AS4766]] | Korea Telecom |
| 557 | [[AS9318|http://bgp.potaroo.net/cgi-bin/as-report?as=AS9318]] | Hanaro Telecom (Korea) |
| 462 | [[AS6478|http://bgp.potaroo.net/cgi-bin/as-report?as=AS6478]] | AT&T WorldNet |
| 413 | [[AS22909|http://bgp.potaroo.net/cgi-bin/as-report?as=AS22909]] | Comcast Cable |
| 407 | [[AS33287|http://bgp.potaroo.net/cgi-bin/as-report?as=AS33287]] | Comcast Cable |
| 315 | [[AS4837|http://bgp.potaroo.net/cgi-bin/as-report?as=AS4837]] | CNCGROUP China169 Backbone |
| 266 | [[AS7018|http://bgp.potaroo.net/cgi-bin/as-report?as=AS7018]] | AT&T WorldNet |
| 266 | [[AS6830|http://bgp.potaroo.net/cgi-bin/as-report?as=AS6830]] | UPC Distribution Services (Europe) |
| 264 | [[AS12322|http://bgp.potaroo.net/cgi-bin/as-report?as=AS12322]] | Proxad ISP (France) |
| 242 | [[AS4134|http://bgp.potaroo.net/cgi-bin/as-report?as=AS4134]] | CHINANET-BACKBONE |
| 223 | [[AS22047|http://bgp.potaroo.net/cgi-bin/as-report?as=AS22047]] | VTR BANDA ANCHA S.A. (Chile) |
| 222 | [[AS5617|http://bgp.potaroo.net/cgi-bin/as-report?as=AS5617]] | TPNET Polish Telecom |
| 212 | [[AS19262|http://bgp.potaroo.net/cgi-bin/as-report?as=AS19262]] | Verizon |
| 211 | [[AS17676|http://bgp.potaroo.net/cgi-bin/as-report?as=AS17676]] | Softbank BB Corp (Japan) |
| 206 | [[AS20115|http://bgp.potaroo.net/cgi-bin/as-report?as=AS20115]] | Charter Communications |

Many of our friends from the SpamByASN blog entry (which was based on total rejections) show up here again. This helpfully shows how much of our overall rejection volume comes from zombies and other compromised machines. Unfortunately the US comes off rather badly in this picture. If I merged ASNs belonging to the same organization, Comcast would be in second place (and not by much) and AT&T WorldNet in third. Please wake up, US cable companies; your zombie spam problem is only going to get worse.

=== The regular weekly stats

Kernel level filtering:

| Host/Mask | Packets | Bytes |
| 219.144.0.0/13 | 5628 | 270K |
| 194.250.136.10 | 5613 | 269K |
| 67.154.50.146 | 4077 | 195K |
| 220.160.0.0/11 | 3671 | 180K |
| 219.128.0.0/12 | 3202 | 159K |
| 209.45.41.98 | 3116 | 146K |
| 85.92.129.231 | 3042 | 183K |
| 221.216.0.0/13 | 2701 | 130K |
| 61.128.0.0/10 | 2569 | 129K |
| 212.216.176.0/24 | 2486 | 128K |

194.250.136.10 spent a good chunk of the week heading this list, only to be passed by a China Telecom aggregate at the last minute. Apparently the machine (powerweb2.powerantilles.com, in list.dsbl.org and dnsbl.njabl.org) really got abused this week; a Google search suggests it is some sort of SMTP or web open relay and has been for rather too long. (It's appeared here already, back in [[SpamSummary-2005-07-23]].)
Connection-time rejections:

| 22834 | total |
| 10856 | dynamic IP |
| 6680 | bad or no reverse DNS |
| 1496 | class bl-cbl |
| 1025 | class bl-ordb |
| 737 | class bl-dsbl |
| 644 | class bl-sbl |
| 422 | class bl-spews |
| 215 | class bl-sdul |
| 179 | class bl-njabl |
| 8 | class bl-opm |

I believe the relays.ordb.org and list.dsbl.org high scores come from a few very active sources, particularly 216.215.149.146 (mail.benefitsplusinc.com, with 450 rejections all on its own), 67.154.50.146 (on ALGX in the US), 209.45.41.98 (server.fondebosque.org.pe), 217.144.239.115 (mail.streambase.no), and 64.7.8.202 (mail.grasskeepers.net).

We had 156,000 connections total from at least 31,500 different IP addresses, which is higher than normal, and some other numbers suggest heavy traffic at some points. (My SMTP frontend can report the maximum number of simultaneous connections processed at any one time; this week, it hit 18. Usually it's around 10.)

The usual non-scientific survey suggests that we are once again being forged as the origin on a lot of spam mail. Our rejections of unresolvable HELO greetings are at more than twice last week's volume, and people sending us bounces to nonexistent local users are at about five times last week's rate. (Please don't suggest that we should use SPF to cut down the bounce volume. It doesn't work.)
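As an added example (not code from the original entry, and not how the author actually produced the numbers above), here is how the XBL-versus-rejections figures and the per-ASN table at the top can be computed from a rejection log: the DNSBL query name is built by reversing the IP's octets under the zone, each distinct IP is looked up once, and listed IPs are then counted per ASN. The sample rejections, the ASN/owner mapping and the offline stand-in for the DNSBL are all constructed.

```python
import ipaddress
import socket
from collections import defaultdict

XBL_ZONE = "xbl.spamhaus.org"

def dnsbl_query_name(ip, zone=XBL_ZONE):
    """192.0.2.33 -> 33.2.0.192.xbl.spamhaus.org (ValueError if not IPv4)."""
    ipaddress.IPv4Address(ip)            # validate before building the name
    return ".".join(reversed(ip.split("."))) + "." + zone

def live_lookup(name):
    """Real check: a listed name resolves to 127.0.0.x, an unlisted one does not."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except socket.gaierror:
        return False

# Constructed sample of 28 days of connection-time rejections as (client IP,
# ASN, owner); the ASN/owner is assumed to come from a routing-table lookup.
SAMPLE_REJECTIONS = (
    [("203.0.113.5", "AS64496", "Example Telecom")] * 3
    + [("203.0.113.9", "AS64496", "Example Telecom")]
    + [("198.51.100.7", "AS64497", "Example Cable")] * 2
    + [("198.51.100.8", "AS64497", "Example Cable")]
    + [("192.0.2.33", "AS64498", "Example ISP")]
)

# Constructed offline stand-in for the DNSBL: the query names that "resolve".
SAMPLE_LISTED = {dnsbl_query_name(ip) for ip in
                 ("203.0.113.5", "203.0.113.9", "198.51.100.7")}

def xbl_stats(rejections, lookup=lambda name: name in SAMPLE_LISTED):
    """Distinct IPs, listed IPs, rejection counts and listed IPs per ASN."""
    listed = {}                          # ip -> bool, one DNS query per IP
    per_asn = defaultdict(set)           # (asn, owner) -> listed IPs
    listed_rejections = 0
    for ip, asn, owner in rejections:
        if ip not in listed:
            listed[ip] = lookup(dnsbl_query_name(ip))
        if listed[ip]:
            listed_rejections += 1
            per_asn[(asn, owner)].add(ip)
    # Same shape as the table above: most listed IPs first.
    ranking = sorted(((len(ips), asn, owner) for (asn, owner), ips in per_asn.items()),
                     key=lambda row: (-row[0], row[1]))
    return {"distinct_ips": len(listed), "listed_ips": sum(listed.values()),
            "total_rejections": len(rejections),
            "listed_rejections": listed_rejections, "per_asn": ranking}
```

Passing `lookup=live_lookup` queries the real zone instead of the constructed set; note that the answer reflects listing status now, not at rejection time, exactly the caveat made above.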