
Re: 7. BCP - Mail Administrators: Checking HELO (was: [Asrg] 0. General - Administrative - for M. Wild)

2003-09-02 06:44:01
We have seen about 1,200,000 different IP addresses connecting to us in the
past six months and we block about 1,000,000 SMTP connections on our MX
servers every week on average.  What other stats would be of interest?

This would also be relevant to the analysis area. We are definitely
interested in all the data we can get.

Here are some statistics I can provide:

In regards to RBL, I wanted to see how spammers are able to learn from a
growing database of open relay and proxy systems to exploit the idea that
a good percentage of these sites do not fix their systems immediately.

Our RBL implementation in the Wildcat! SMTP mail server uses (or was using
until this week) relays.osirusoft.com and makes good use of the 127.0.0.X
response codes.

Using our April 2003 log, 8062 RBL filters were recorded.

Total blocks: 8062

127.0.0.2     872   Verified Open Relay
127.0.0.3     206   Dialup Spam Source
127.0.0.4    2253   Confirmed Spam Source
127.0.0.5       1   Smart Host (In progress)
127.0.0.6    3336   A Spamware software developer or spamvertized site.
127.0.0.7       0   A list server that automatically opts users in without confirmation
127.0.0.8       0   An insecure formmail.cgi script. (Planned)
127.0.0.9    1388   Open proxy servers

Next, I wanted to test what percentage of the Open Relays were still open,
so I wrote an open relay tester that was fed a list of IPs.  Using just the
open relay sites, the result was:

Total checked: 807
Bad connects : 446   55.3%
Good Connects: 295   36.6%
Open relays  :  66    8.1%  or (18.3% of GOOD connects)

This was just for the month of April 2003.  The test was performed on May
10, 2003.  The test took a few hours to complete as it had to connect to
the systems and perform a standard open relay test.  (PS: please don't ask
me where the missing 65 sites (872-807) are.  I probably hit escape because
it was taking so long.)

I wanted to fine tune the analysis by adding a time element, "how long did
it take for the relays to get fixed?"  However, I didn't want to go any
further, as my main goal in the analysis was to see how useful the database
is to spammers for quickly finding new open relays and proxies as they are
being added.

So just using this one analysis, in one month's time, at least 80% of the
legitimate systems do fix their systems; however, spammers are left with a
good amount of sites that they can use to spam the world.

I suggest that spammers use the databases with the knowledge that they have
X days where a majority of the sites are still open, declining every day,
however, enough to provide ample sites to do their dirty deeds.

I have the data and the C code if anyone wants to investigate this "time
element."

In regards to a breakdown of SMTP conversations, for the month of August, I
have this breakdown:

August/2003 (columns: 1 day, 2 connects, 3 accepts, 4 helo/ehlo rejects,
5 rbl rejects, 6 total rejects, 7 unknowns (unknown users, etc.),
8 pct accepts)

day  connects  accepts  helo/ehlo  rbl      total    unknowns  pct
                        rejects    rejects  rejects            accepts
  1       842      142          0      371      371       255    16.86
  2       768      111          0      392      392       217    14.45
  3       773      196          0      366      366       199    25.36
  4       926      356          0      328      328       218    38.44
  5       853      218          0      395      395       226    25.56
  6       883      242          0      423      423       211    27.41
  7      1044      266          0      412      412       341    25.48
  8       824      201          0      425      425       181    24.39
  9       679       94          0      411      411       174    13.84
 10       719      167          0      327      327       239    23.23
 11       691      112          0      317      317       241    16.21
 12      2032     1475          4      309      313       232    72.59
 13       776      216          0      289      289       208    27.84
 14       727      148          0      343      343       208    20.36
 15       660      105          0      276      276       251    15.91
 16       648      120          0      280      280       231    18.52
 17       586       88          0      211      211       246    15.02
 18       759      214          0      268      268       251    28.19
 19      1341      241          0      269      269       233    17.97
 20       944      178          0      298      298       281    18.86
 21      1357      339         11      239      250       222    24.98
 22      1516      221        275      147      422       275    14.58
 23       963      201        141      199      340       259    20.87
 24      1169      167        401      151      552       261    14.29
 27      1820      246        213      401      614       277    13.52
 28      1693      155        265      491      756       332     9.16
 29      1273      236        300      386      686       251    18.54
 30       412       61        153       86      239        71    14.81

Note: I didn't begin helo/ehlo rejects until the 21st.  Next month will
give me better data.  But it looks like, on average, 15-20% is rejected just
on helo/ehlo.

I am currently working on a stats program for my trace logs.  What I found
out is repeatability information.

---

Hector Santos
WINSERVER "Wildcat! Interactive Net Server"
support: http://www.winserver.com
sales: http://www.santronics.com
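The message above describes an MX checking each connecting address against a DNSBL zone and reading the 127.0.0.X answer as a category. The following is an added example (not code from the message, nor from Wildcat!/WINSERVER) showing how such a lookup name is built, how the answer codes listed in the message are interpreted, and how per-connection hits are tallied into a table like the April one. It assumes a resolver stub (a dictionary standing in for DNS A queries) so it runs offline; the zone name is the one the message mentions, but every listing and every connecting IP (from TEST-NET-1, 192.0.2.0/24) is constructed sample data.

```python
"""DNSBL lookup and 127.0.0.X answer tallying (added example, not from the
original message).  The resolver is stubbed with a dict so this runs offline;
all listings and connecting addresses below are constructed sample data."""
import ipaddress
from collections import Counter

# Meaning of the 127.0.0.X answer codes, as listed in the message above.
RBL_CODES = {
    "127.0.0.2": "Verified Open Relay",
    "127.0.0.3": "Dialup Spam Source",
    "127.0.0.4": "Confirmed Spam Source",
    "127.0.0.5": "Smart Host (In progress)",
    "127.0.0.6": "Spamware software developer or spamvertized site",
    "127.0.0.7": "List server that opts users in without confirmation",
    "127.0.0.8": "Insecure formmail.cgi script (Planned)",
    "127.0.0.9": "Open proxy server",
}

NOT_LISTED = "not listed"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, zone appended.
    192.0.2.10 under zone Z becomes 10.2.0.192.Z (the usual DNSBL convention).
    Malformed input raises ValueError instead of producing a bogus query."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify_answer(answer):
    """Map a DNSBL A-record answer to its category.  None (NXDOMAIN) means
    not listed.  An unrecognised 127.0.0.X value is reported explicitly so a
    zone that changes its codes does not silently fall through; anything
    outside 127/8 is not a valid DNSBL answer and is treated as not listed."""
    if answer is None:
        return None
    if answer in RBL_CODES:
        return RBL_CODES[answer]
    if answer.startswith("127.0.0."):
        return f"unknown listing ({answer})"
    return None


def tally_connections(connections, resolve, zone):
    """Look up every connecting IP and count results by category.
    `resolve` is any callable name -> answer-or-None; a real one would issue
    a DNS A query, here a dict lookup stands in.  Hits are counted per
    connection, not per unique IP, so a repeat offender counts each time."""
    counts = Counter()
    for ip in connections:
        category = classify_answer(resolve(dnsbl_query_name(ip, zone)))
        counts[category or NOT_LISTED] += 1
    return counts


# Zone name taken from the message; the data keyed under it is constructed.
STUB_ZONE = "relays.osirusoft.com"
STUB_ANSWERS = {
    "10.2.0.192.relays.osirusoft.com": "127.0.0.2",  # constructed listing
    "20.2.0.192.relays.osirusoft.com": "127.0.0.9",  # constructed listing
    "30.2.0.192.relays.osirusoft.com": "127.0.0.4",  # constructed listing
}
# Constructed sample of connecting addresses (TEST-NET-1); .10 connects twice.
SAMPLE_CONNECTIONS = ["192.0.2.10", "192.0.2.20", "192.0.2.30",
                      "192.0.2.40", "192.0.2.10"]


def sample_report():
    """Tally the constructed sample against the stub zone."""
    return tally_connections(SAMPLE_CONNECTIONS, STUB_ANSWERS.get, STUB_ZONE)


if __name__ == "__main__":
    report = sample_report()
    print(f"Total connections: {sum(report.values())}")
    for category, n in report.most_common():
        print(f"{n:5d}   {category}")
```

The split between "listed" and "not listed" is what turns a DNSBL into the kind of block table in the message; keeping the unknown-code branch separate matters when a zone is retired or repurposed, because an MX that maps every 127.0.0.X answer to "reject" will start refusing all mail the day the zone begins answering for everything.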


