Daniel Feenberg wrote:
On Mon, 26 Apr 2004, Chris Lewis wrote:
John Levine wrote:
80% of spam detected by this method (it's catching approximately 65-70%
of all of our spam) is coming from detections less than 4 days old. 90%
< 6 days old. 95% < 12 days old.

Can you tell us the number of hosts in each category? And how long hosts
remain infected? That would give us an idea of the gross flows into and
out of infected status.

Here's a table:

Age (days)  IP Count/cum%   Hit Count/cum%
0            67974/  5.0    174862/ 25.4
1            65816/  9.8    184589/ 52.1
2            54233/ 13.8    118338/ 69.3
3            48207/ 17.4     50991/ 76.7
4            38517/ 20.2     45567/ 83.3
5            42021/ 23.3     42143/ 89.4
6            55652/ 27.4     26002/ 93.2
7            57634/ 31.6      3889/ 93.7
8            50108/ 35.3      2445/ 94.1
9            45304/ 38.6      1551/ 94.3
10           54740/ 42.6      3264/ 94.8
11           60550/ 47.1      3612/ 95.3
12           43338/ 50.3      2883/ 95.7
13           42773/ 53.4      7164/ 96.8
14           47288/ 56.9       942/ 96.9
15           44260/ 60.1       524/ 97.0
16           48189/ 63.7      1087/ 97.1
17           43812/ 66.9      1147/ 97.3
18           39178/ 69.8       864/ 97.4
19           39474/ 72.7       611/ 97.5
20           38916/ 75.5      1320/ 97.7
21           40344/ 78.5       894/ 97.8
22           37221/ 81.2      3122/ 98.3
23           28497/ 83.3       907/ 98.4
24           32483/ 85.7      1000/ 98.6
25           38186/ 88.5      4719/ 99.3
26           42249/ 91.6      1393/ 99.5
27           41198/ 94.7      1816/ 99.7
28           39267/ 97.6      1487/ 99.9
29           33023/100.0       396/100.0
30             261/100.0         0/100.0
Totals     1360713/  100    689529/  100

We expire after 30 days.

If spam is proportionate to hosts, then the above figures suggest that 75%
of hosts are corrected within 4-6 days.

It isn't proportionate to hosts.

My reasoning is that only 10x more
hosts are in the 6 day window than in the 4 day window. So if there are
80x infected hosts in 4 days, that is 20x hosts/day. But in 6 days there
are only 90x total infected hosts, or 5x hosts/day for the 2 additional
days rather than the expected (steady state) 20x hosts. That suggests that
15x hosts were cleaned up. This would be clear if we knew the number of
hosts, so that I didn't need the mystery factor x = spams/(hosts*100).

I think you'll find that the rapid dropoff isn't necessarily due to
system cleanups, but rather to spammers using the newest ones possible
to avoid blacklisting.
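
The concentration of hits in the newest detections can be recomputed from the table's two count columns. This is an added example, not part of the original message; the list and function names are assumptions, and the counts are copied from the table.

```python
from itertools import accumulate

# Counts copied from the table above; list index = detection age in days.
IPS = [67974, 65816, 54233, 48207, 38517, 42021, 55652, 57634, 50108, 45304,
       54740, 60550, 43338, 42773, 47288, 44260, 48189, 43812, 39178, 39474,
       38916, 40344, 37221, 28497, 32483, 38186, 42249, 41198, 39267, 33023,
       261]
HITS = [174862, 184589, 118338, 50991, 45567, 42143, 26002, 3889, 2445, 1551,
        3264, 3612, 2883, 7164, 942, 524, 1087, 1147, 864, 611,
        1320, 894, 3122, 907, 1000, 4719, 1393, 1816, 1487, 396,
        0]


def cum_pct(counts):
    """Cumulative share (percent) of the column total at each age."""
    total = sum(counts)
    return [100.0 * c / total for c in accumulate(counts)]


def age_reaching(counts, pct):
    """Smallest age whose cumulative share is at least pct percent."""
    return next(age for age, c in enumerate(cum_pct(counts)) if c >= pct)


def hits_per_ip(age):
    """Average spam hits per listed IP within one age bucket."""
    return HITS[age] / IPS[age]


if __name__ == "__main__":
    ip_cum = cum_pct(IPS)
    # How much of the listed IP population accounts for each share of hits.
    for pct in (80, 90, 95):
        age = age_reaching(HITS, pct)
        print(f"{pct}% of hits by age {age}: {ip_cum[age]:.1f}% of listed IPs")
    # Per-host hit rate by age: flat if spam were proportionate to hosts.
    for age in (0, 1, 3, 7, 14, 29):
        print(f"age {age:2d}: {hits_per_ip(age):.3f} hits per listed IP")
```
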