Spam/Relay sources
- Date: Fri, 26 Apr 2002 18:00:25 +0200 (MET DST)
>From owner-anti-spam-wg@localhost Wed Apr 24 23:12:36 2002
>Message-Id: <4.2.0.58.20020424155047.00a11940@localhost>
>Date: Wed, 24 Apr 2002 15:57:06 +0100
>To: RIPE anti-spam anti-spam-wg@localhost
>From: Rodney Tillotson <Rodney.Tillotson@localhost>
>Subject: Draft WG agenda for RIPE 42
> ...
> B2 Developments in UBE
> Statistics on sources of UBE
> Korea
> China
> ...
I've made a little experiment. Since Mar 22 2002 I've collected all
mail that I consider spam and that is sent to me as myself or via
local aliases (<Postmaster>, <abuse>, <hostmaster> etc) but not via
various mailing lists. For each of them I've analyzed the set of
"Received:" lines, keeping the one where the mail entered here, i.e.
the first contact with any of our MX hosts. So, I do not make any
distinction between a spam originator and a spam relay.
All in all it's approx. 400 pieces of spam from approx. 350 hosts.
I've then analyzed the data, sorting originator/relay addresses into
/8, /16, /24 & /32. The /8s that gave me 10 or more pieces of spam are
on display below. What you see is what you expect and is what seems
to be on the WG agenda:
/8            spam  registry
211.0.0.0      111  APNIC
61.0.0.0        38  APNIC
210.0.0.0       30  APNIC
200.0.0.0       23  ARIN
203.0.0.0       15  APNIC
66.0.0.0        14  ARIN
218.0.0.0       14  APNIC
209.0.0.0       12  ARIN
65.0.0.0        11  ARIN
64.0.0.0        10  ARIN
213.0.0.0       10  RIPE
202.0.0.0       10  APNIC
194.0.0.0       10  RIPE
What is slightly more surprising, at least to me, however, is what we
find if we look into the top of the first /8:
211.0.0.0             111
  211.49.0.0            7
  211.202.0.0           7
  211.208.0.0           5
  211.218.0.0           5
61.0.0.0               38
  61.32.0.0             5
    61.32.165.0         5
      61.32.165.40      5  (5 msg from this host)
210.0.0.0              30
  210.123.0.0           2
  210.179.0.0           2
  210.219.0.0           2
  210.221.0.0           2
200.0.0.0              23
  200.45.0.0            4
    200.45.0.3          2  (2 msg from this host)
    200.45.76.0         2
      200.45.76.110     2  (2 msg from this host)
My interpretation is that there is quite an "even distribution" on
the hosts that originate or relay spam, although a large majority of
them seems to be within those 211/8, 61/8 & 210/8 networks. Whether
that is because people on those networks have less strict mail relay
authorization or everybody there that has a computer is a spammer is
beyond my understanding.
I hope the WG can come up with suggestions - it's getting worse...
Gunnar Lindberg
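The method described in the message above, as an added example that is not part of the original post or of any RIPE tooling: walk the "Received:" lines of each message newest-first, keep the first hop stamped by one of our own MX hosts whose sending address is outside our own address space (so an originator and a relay are counted the same way), and tally those addresses into /8, /16, /24 and /32 buckets. The MX host names (mx1/mx2/mailhub.example.net), the local network 192.0.2.0/24 and the three sample messages are constructed for the example and use RFC 5737 documentation addresses, not real spam sources.

```python
"""Find the host that handed each spam to our MX and tally it by prefix.

Added example, not code from the original message.  MX names, local address
range and sample messages are constructed (RFC 5737 addresses), not real data.
"""
import ipaddress
import re
from collections import Counter
from email import message_from_string
from typing import Dict, List, Optional, Tuple

# Assumed local MX hosts and the address space they live in.  Only a Received:
# line that one of these hosts wrote itself is trusted.
OUR_MX = {"mx1.example.net", "mx2.example.net", "mailhub.example.net"}
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Sendmail/Postfix shape: "from <helo> (<rdns> [<ip>]) by <host> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^()\[]*)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>[\w.-]+)"
)

# Constructed sample messages, headers newest-first as a real MTA writes them.
SAMPLES = [
    # A: came in via a third-party relay; the relay, not the originator, is counted.
    """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mailhub.example.net (8.11.6/8.11.6) with ESMTP id g3QG0Ph12345
    for <postmaster@example.net>; Fri, 26 Apr 2002 18:00:25 +0200 (MET DST)
Received: from relay.example.org (relay.example.org [203.0.113.45])
    by mx1.example.net (8.11.6/8.11.6) with ESMTP id g3QG0Ob12344;
    Fri, 26 Apr 2002 18:00:24 +0200 (MET DST)
Received: from spammer-pc (unknown [198.51.100.7])
    by relay.example.org (Postfix) with SMTP id 1A2B3C;
    Fri, 26 Apr 2002 17:59:00 +0200
Subject: sample A

""",
    # B: sender HELOs as our own MX name; the IP the MX saw is what counts.
    """\
Received: from mx2.example.net (mx2.example.net [192.0.2.11])
    by mailhub.example.net (8.11.6/8.11.6) with ESMTP id g3QG1Aa12350;
    Fri, 26 Apr 2002 18:05:10 +0200 (MET DST)
Received: from mx1.example.net (dialup-200.example.com [203.0.113.200])
    by mx2.example.net (8.11.6/8.11.6) with SMTP id g3QG19b12349;
    Fri, 26 Apr 2002 18:05:09 +0200 (MET DST)
Subject: sample B

""",
    # C: a forged "by mx1" line sits below the real one and must be ignored.
    """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mailhub.example.net (8.11.6/8.11.6) with ESMTP id g3QG2Cc12360;
    Fri, 26 Apr 2002 18:10:00 +0200 (MET DST)
Received: from box9.example.com (box9.example.com [198.51.100.9])
    by mx1.example.net (8.11.6/8.11.6) with ESMTP id g3QG1Zz12359;
    Fri, 26 Apr 2002 18:09:59 +0200 (MET DST)
Received: from innocent.example.edu (innocent.example.edu [203.0.113.77])
    by mx1.example.net (8.11.6/8.11.6) with ESMTP id fake000000;
    Fri, 26 Apr 2002 18:09:00 +0200 (MET DST)
Subject: sample C

""",
]


def is_ours(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETS)


def entry_point(raw: str) -> Optional[str]:
    """IP of the host that delivered the message to our MX (originator or relay).

    Walk top-down and stop at the first hop stamped by one of OUR_MX whose
    sender lies outside OUR_NETS.  Hops below it were written, or forged, by
    other parties; the HELO name is attacker-controlled and is ignored too.
    """
    msg = message_from_string(raw)
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(rcvd.split()))  # unfold the header
        if not m or m.group("by") not in OUR_MX:
            continue
        if is_ours(m.group("ip")):  # internal hop (mx -> mailhub): keep going
            continue
        return m.group("ip")
    return None


def aggregate(ips: List[str]) -> Dict[int, Counter]:
    """Tally each entry IP into its /8, /16, /24 and /32 buckets."""
    counts: Dict[int, Counter] = {plen: Counter() for plen in (8, 16, 24, 32)}
    for ip in ips:
        for plen in counts:
            net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            counts[plen][str(net)] += 1
    return counts


def top_prefixes(counts: Dict[int, Counter], plen: int, minimum: int) -> List[Tuple[str, int]]:
    """Prefixes of length plen with at least `minimum` hits, busiest first."""
    return sorted(((p, n) for p, n in counts[plen].items() if n >= minimum),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    hits = [ip for ip in map(entry_point, SAMPLES) if ip]
    table = aggregate(hits)
    for plen in (8, 16, 24, 32):
        for prefix, n in top_prefixes(table, plen, 1):
            print(f"{prefix:<20} {n}")
```

Run against a real mbox, the only parts to adapt are OUR_MX, OUR_NETS and the regex, which matches the Sendmail and Postfix header shape; an MTA that writes "[ip]" without a preceding parenthesised rDNS name needs its own pattern. The message's threshold of 10 hits per /8 corresponds to `top_prefixes(table, 8, 10)`.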