spam IP addresses

tallison at tacocat.net tallison at tacocat.net
Mon May 24 17:52:13 CEST 2004


> tallison at tacocat.net wrote:
>
>> Just for fun I counted up all the IP addresses that sent me spam and did
>> a tally of how many of these IP addresses sent me how many spams
>> # spam    # of IP addresses
>> 1         4617
>> 2         243
>> 3         28
>> 4         6
>> 5         2
>> 8         3
>> 28        1
>> 180       1
>
> I changed the sorting to numeric;-)
>
> This suggests that most IP addresses are only used once or
> twice. This is in line with my tests, which showed that IP
> addresses are not useful for me (see
> http://piology.org/bogofilter/). From your results we cannot
> see if subnets are useful; for me, I could easily do without.
>

First, sorry pi for that empty message I just forwarded to you.  itchy
trigger finger...

Second, this came out of a comment that someone made on a project called
spamikaze where they are trapping the IP addresses that are sending out
spam to spamtrap addresses and using that to feed a local RBL list.
The intention is to migrate to a distributed or shared list of IP addresses.

The assumption is that eventually you will identify a majority of the spam
sending machines (these are the ones that connect to your box) and block
them from service.  If you figure 4 million compromised Windows machines
on the internet, then you are looking at 4 million records in your access
table.

I was just playing with how effective this might prove to be at the SMTP
interface level rather than the procmail/user level.  It appears to hit
~10% of my spam.  This does not include the virus emails which should
also be identifiable.  This would work out to about 400 emails.  Considering
that I burn 30 seconds each on virus/spam scanning this works out to 3 1/3
hours overall time.
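
The tally and the hit-rate estimate discussed above can be reproduced with a short script. This is an added example, not code from the post or from spamikaze. It assumes a sender IP is listed immediately after its first spam and never expires; the function names, the /24 grouping and the sample addresses are constructed for illustration.

```python
from collections import Counter
import ipaddress

# Histogram quoted in the thread: spams per IP -> number of IPs.
POST_TALLY = {1: 4617, 2: 243, 3: 28, 4: 6, 5: 2, 8: 3, 28: 1, 180: 1}

def tally(sender_ips):
    """Return {spams_per_ip: number_of_ips}, the table shape used in the post."""
    per_ip = Counter(sender_ips)
    return dict(sorted(Counter(per_ip.values()).items()))

def blocklist_hit_rate(hist):
    """Best-case share of spam rejected by a blocklist fed from the same mail.

    The first spam from each IP gets through (it is what lists the IP);
    every later spam from that IP counts as a hit.
    """
    total = sum(n * ips for n, ips in hist.items())
    unique = sum(hist.values())
    return (total - unique) / total if total else 0.0

def replay(sender_ips, prefix=32):
    """Replay senders in arrival order against a list keyed on /prefix.

    prefix=32 lists single hosts; prefix=24 lists the whole subnet
    (assumption: IPv4 only). Returns (hits, total).
    """
    seen, hits = set(), 0
    for ip in sender_ips:
        key = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        if key in seen:
            hits += 1
        else:
            seen.add(key)
    return hits, len(sender_ips)

# Constructed sample in arrival order (documentation ranges, not real senders).
SAMPLE = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "192.0.2.10",
          "203.0.113.9", "198.51.100.5", "192.0.2.10", "203.0.113.200"]

if __name__ == "__main__":
    print("sample tally:", tally(SAMPLE))
    print("host list hits:", replay(SAMPLE), "/24 list hits:", replay(SAMPLE, 24))
    print(f"post tally, best-case hit rate: {blocklist_hit_rate(POST_TALLY):.1%}")
```

Replaying real logs with `prefix=24` next to `prefix=32` is one way to measure the subnet question the quoted reply leaves open; a /24 entry also rejects any legitimate sender in the same range, so ham from listed subnets needs to be counted too.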


