Re: How much abuse comes from dynamic IPs? Numbers.

On Thu, 27 Apr 2006 10:42:37 -0700
Carl Byington opined:
>
> On Fri, 28 Nov 2003 04:03:15 +0000, Jem Berkes wrote:
>
> > I have exchanged notes with a few admins who have decided to block
> mail
> > from all dynamic IPs.
>
> [snip]
>
> > All duplicate IPs were removed;
> > this is a list of unique IP addresses hitting my trap, guaranteed
> spam.
> >
> > Total unique IP addresses: 1138
> > dul.dnsbl.sorbs.net said 127.0.0.10 (dynamic) for: 205
> > dnsbl.njabl.org said 127.0.0.3 (dynamic) for: 19
> > dynablock.easynet.nl said 127.0.0.2 (dynamic) for: 197
> >
> > Combining positive dynamic IP matches from 3 lists, removing
> duplicates
> > Union = 207
> >
> > ---------
> > Summary:
> > ---------
> > Spam/viruses received from 1138 IPs
> > IPs that were dynamic: 207
> > 18.2% of the abuse hitting my mail server comes from dynamic IPs
> > 81.8% of the abuse hitting my mail server comes from static IPs
>
> You are counting the wrong thing, if you are asking for an answer to
> "how much abuse...". You are counting ip addresses, not spam
> samples. Try again.
>
FWIW, about 40% of all US spam comes from exploited machines in
dynamic space. This does NOT include spam from machines without rDNS
which may, or may not, be in dynamic/residential ranges.

The other issue is s/n. The potential for false positives blocking
dynamic IPs is almost zero. The potential for identifying static IPs
as dynamic is >0 because of generic rDNS.

--
Displayed Email Address is a SPAM TRAP
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
The Dirty Dozen Spammiest Ranges: http://tqmcube.com/dirty12.php