Looking at whether Zen-listed IPs keep trying to send us email
Here's a question: when an IP address listed in the Spamhaus Zen gets rejected, does it come back later or are most visits a one-time thing? This time I pulled 90 days worth of logs, extracted each day's rejections from Zen-listed IPs, and checked to see how many IPs showed up in more than one day's logs.
(Because an IP could be trying to deliver stuff right when the logs roll, the safe question is how many IPs show up in more than two days worth of logs.)
The first answer is that we have some persistent IPs but not anything that is really hammering on us. Well, at least if you look at the data this way. Here, have a table:
|126.96.36.199||20 days||SBL168886 and the PBL|
|188.8.131.52||15 days||web.de; SBL175032|
|184.108.40.206||13 days||web.de and SBL175032 again|
|220.127.116.11||10 days||web.de but now SBL175030, which is basically the same as SBL175032; web.de is clearly good at getting SBL-listed.|
|18.104.22.168||10 days||In the PBL|
|22.214.171.124||9 days||web.de yet again, SBL175030|
|9 days||No longer listed.|
|126.96.36.199||9 days||SBL CSS|
(This table probably doesn't look that nice in the syndication feed.)
Now things get interesting, because I noticed a pattern and went digging. All of the IPs from 188.8.131.52 through 184.108.40.206 got rejected by us at various times in the 90 days, and all of them were rejected on multiple days. Even more interesting, the rejections stretch from day 11 through day 90 (although not continuously).
(The gaps in rejections could be either because they stopped sending to email addresses that were rejecting them, because they dropped out of Zen temporarily, or both of the above.)
This prompted me to look at /24-based reoccurrence, and there things get more interesting:
|220.127.116.11/24||46 days||One IP still in the SBL CSS|
|18.104.22.168/24||45 days||13 of 23 IPs still in the SBL CSS|
|22.214.171.124/24||43 days||Nothing still listed out of the 12 IPs we rejected from this|
|126.96.36.199/24||30 days||web.de, mentioned above; all four IPs still in their SBL listings|
|188.8.131.52/24||27 days||SBL136747, a /24 listing dating from August 14, 2012|
|184.108.40.206/24||26 days||SBL107558; one of the single IPs made it into the single-IP list|
|220.127.116.11/24||25 days||Multiple IPs still in the SBL CSS|
|18.104.22.168/24||22 days||Multiple IPs still in the SBL CSS|
I'm going to stop here because the next '/24' is actually due to a single IP (22.214.171.124) so we're reaching the crossover point (besides, I'm doing this all more or less by hand).
What really surprises me from looking at the by-/24 breakdown is how active the SBL CSS clearly is. If someone told me that the SBL CSS was now the largest single contributor for spam rejections, I wouldn't be surprised.
(I can't verify that without changing our mail configuration to add more logging (since SBL CSS listings expire, we'd have to capture the Zen results at the time of the actual rejection). Sadly my curiosity is not worth that.)
(This is kind of a followup to looking to see if IP addresses persist in Zen.)
Sidebar: a way in which these results may not be representative
We do Zen-based rejections only for some email addresses (only those that have opted in to it). So a Zen-listed sending IP wouldn't necessarily see continuous rejections if they kept sending to us. It depends on what email addresses they are sending to that day and they could have a day with no rejections.
I haven't tried to dig into the raw logs to see if this is happening for
some of these IPs, or in general if these IPs saw a mix of successful
deliveries and rejections or if they saw uniform rejections. I don't
know if I'll ever do this level of analysis, since it's going past what
I can easily bash together with shell scripts and
awk. Past the land
of shell scripts lies the land of real work.