spam IP addresses
tallison at tacocat.net
tallison at tacocat.net
Mon May 24 17:52:13 CEST 2004
> tallison at tacocat.net wrote:
>
>> Just for fun I counted up all the IP addresses that sent me spam and did
>> a tally of how many of these IP addresses sent me how many spams
>> # spam # of IP addresses
>> 1 4617
>> 2 243
>> 3 28
>> 4 6
>> 5 2
>> 8 3
>> 28 1
>> 180 1
>
> I changed the sorting to numeric;-)
>
> This suggests, that most IP addresses are only used once or
> twice. This is in line with my tests which showed, that IP
> addresses are not useful for me (see
> http://piology.org/bogofilter/). From your results we cannot
> see if subnets are useful, for me I could easily do without.
>
First, sorry pi for that empty message I just forwarded to you. itchy
trigger finger...
Second, this came out of a comment that someone make on a project called
spamikaze where they are trapping the IP addresses that are sending out
spam to spamtrap addresses and using that to feed a local RBL list.
The intention is to migrate to a distributed or shared list of IP addresses.
The assumption is that eventually you will identify a majority of the spam
sending machines (these are the ones that connect to your box) and block
them from service. If you figure 4 million comprimised Windows machines
on the internet, then you are looking at 4 million records in your access
table.
I was just playing with how effective this might prove to be at the SMTP
interface level rather than the procmail/user level. It appears to hit
~10% of my spam. This does not include the virus emails which should have
also identifiable. This would work out to about 400 emails. Considering
that I burn 30 seconds each on virus/spam scanning this works out to 3 1/3
hours overall time.
More information about the Bogofilter
mailing list