Edwin Kruse
2005-03-29 22:49:13 UTC
All,
Here are some excerpts from a great response I got from the Manager in
Herndon, VA responsible for the spam filters in the five regions. I hope
you find the information interesting and it gives you the "heart" to
keep up the battle.
I have personally forwarded 3,450 complaints to
***@security.rr.com since 12/01/04. I find that my email address
got sold to a porno list(s). All the emails are about the same and
pour in every day, or I can only assume that a virus is behind these. I
am happy to report that the online medication emails with the woman
standing on the left in green hospital scrubs have trailed off.
Some of the info:
- If it's believed to be a dynamic IP address, we block the /24.
- If we can't tell if it's dynamic, we check its public
reputation against other sources, using an objective measure.
If it fails to meet our defined criteria, we block the IP
address.
We are currently blocking, on our own:
105,000+ /24 networks
95,000+ individual IP addresses
We also use the Spamhaus SBL and MAPS RBL-Plus lists to augment
our own lists. We also refuse (or severely limit) email from IP
addresses with no reverse DNS, and we refuse email from the
dynamic spaces of those providers who name their space in such a
way as to make name-based blocks easy. Among these are:
*.res.rr.com
*.ipt.aol.com
*.dynamic.covad.net
*.sprintbbd.net
*.dyn.sprint-hsd.net
*.dialsprint.net
*.abo.wanadoo.fr
*.adsl-dhcp.tele.dk
*.adsl.anteldata.net.uy
*.adsl.bo.tiscali.no
*.adsl.datanet.hu
*.adsl.enternet.hu
*.adsl.hansenet.de
*.adsl.highway.telekom.at
*.adsl.fx.apol.com.tw
*.adsl.pl.apol.com.tw
*.adsl.proxad.net
*.adsl.skynet.be
*.adsl.terra.cl
*.adsl.tpnet.pl
*.adsl.wanadoo.nl
*.adsl.xs4all.nl
*.adsl.zonnet.nl
*.ap.plata.or.jp
*.bb.netvision.net.il
*.cable.ntl.com
*.cable.wanadoo.nl
*.cm-upc.chello.se
*.cm.apol.com.tw
*.cm.chello.no
*.cm.vtr.net
*.cust-adsl.tiscali.it
*.cust.bredband.se
*.customer.tele.dk
*.customer.tdatabrasil.net.br
*.customer.telesp.net.br
*.cvx.algx.net
*.dial.brasiltelecom.net.br
*.dialup.gvt.net.br
*.dsl.brasiltelecom.net.br
*.dsl.telesp.net.br
*.dial-up.telesp.net.br
*.dial.cust.tie.cl
*.dial.inet.fi
*.dial.terra.cl
*.dialup.clear.net.nz
*.dialup.optusnet.com.au
*.dip.t-dialin.net
*.e.brasiltelecom.net.br
*.ipt.aol.com
*.isp.tfn.net.tw
*.mc.videotron.ca
*.papalegua.com.br
*.pool.mediaways.net
*.ppp.infoweb.ne.jp
*.ppp.tiscali.fr
*.sdi.tpnet.pl
*.speedy.net.pe
*.t-net.net.ve
*.upc-a.chello.nl
*.upc-b.chello.nl
*.upc-c.chello.nl
*.upc-d.chello.nl
*.upc-e.chello.nl
*.upc-f.chello.nl
*.user.auna.net
*.user.ono.com
*.user.veloxzone.com.br
*.vie.surfer.at
*.xdsl-dinamico.ctbcnetsuper.com.br
*.xdsl.tiscali.nl
The metrics we collect indicate that combined, our blocks have us
refusing 2 out of every 3 email messages presented to our inbound
gateways. This probably isn't noticeable to customers,
especially since we rolled out inbound gateways capable of
handling a much higher volume of email in October. These
gateways have been handling email volumes going from 50 million a day
to over 200 million a day since October. This means that 67 million
messages a day are being accepted by our inbound gateways, although not
all of them get delivered to customers; those sent to non-existent
mailboxes or whatever get bounced later.
As for how the spamblock mailbox is doing, below are some stats. Nmsgs is
the number of messages that were in the ***@security.rr.com
mailbox when it was processed that day, Valid is the number that were
forwarded by a Road Runner email address and had headers (although Valid
doesn't mean blocked, necessarily; 10 complaints against the same IP
address would be 10 valid complaints, but would at best result in
only one block), and Forged represents the number of messages
that were from servers whose IP address may have been forged,
and therefore weren't blocked because we could not trust the
header information we had:
20050215: Nmsgs: 1749
20050215- Valid: 1035
20050215- Forged: 24
--
20050216: Nmsgs: 2707
20050216- Valid: 1807
20050216- Forged: 27
--
20050217: Nmsgs: 2308
20050217- Valid: 1600
20050217- Forged: 24
--
20050218: Nmsgs: 2557
20050218- Valid: 1717
20050218- Forged: 25
--
20050222: Nmsgs: 10001
20050222- Valid: 6815
20050222- Forged: 110
--
20050223: Nmsgs: 2402
20050223- Valid: 1675
20050223- Forged: 16
--
20050224: Nmsgs: 6028
20050224- Valid: 1700
20050224- Forged: 18
--
20050225: Nmsgs: 5885
20050225- Valid: 1137
20050225- Forged: 7
--
20050228: Nmsgs: 8721
20050228- Valid: 5125
20050228- Forged: 48
--
20050301: Nmsgs: 3077
20050301- Valid: 1900
20050301- Forged: 25
--
20050303: Nmsgs: 2974
20050303- Valid: 1762
20050303- Forged: 22
--
20050304: Nmsgs: 2673
20050304- Valid: 1741
20050304- Forged: 22
--
20050307: Nmsgs: 7902
20050307- Valid: 4731
20050307- Forged: 68
--
20050308: Nmsgs: 2930
20050308- Valid: 1693
20050308- Forged: 43
--
20050309: Nmsgs: 2861
20050309- Valid: 1702
20050309- Forged: 25
--
20050310: Nmsgs: 3055
20050310- Valid: 1849
20050310- Forged: 43
--
20050311: Nmsgs: 2060
20050311- Valid: 1237
20050311- Forged: 20
--
20050314: Nmsgs: 8325
20050314- Valid: 4934
20050314- Forged: 84
--
20050315: Nmsgs: 2994
20050315- Valid: 1911
20050315- Forged: 31
--
20050316: Nmsgs: 1683
20050316- Valid: 1083
20050316- Forged: 16
--
20050317: Nmsgs: 2070
20050317- Valid: 1321
20050317- Forged: 18
Next, here are blocks per day that we've added in the past two
months; "network.in" numbers are the count of /24s added to the
block list, while "single.in" is the count of the /32s added:
979 network.in.20050118
197 network.in.20050119
219 network.in.20050120
251 network.in.20050121
684 network.in.20050124
230 network.in.20050125
237 network.in.20050126
346 network.in.20050127
246 network.in.20050128
643 network.in.20050131
292 network.in.20050201
224 network.in.20050202
186 network.in.20050203
197 network.in.20050204
648 network.in.20050207
255 network.in.20050208
273 network.in.20050209
239 network.in.20050210
301 network.in.20050211
695 network.in.20050214
139 network.in.20050215
259 network.in.20050216
191 network.in.20050217
249 network.in.20050218
860 network.in.20050222
217 network.in.20050223
249 network.in.20050224
175 network.in.20050225
574 network.in.20050228
179 network.in.20050301
160 network.in.20050302
199 network.in.20050303
206 network.in.20050304
519 network.in.20050307
174 network.in.20050308
195 network.in.20050309
226 network.in.20050310
172 network.in.20050311
533 network.in.20050314
182 network.in.20050315
96 network.in.20050316
129 network.in.20050317
13225 total
2749 single.in.20050118
771 single.in.20050119
976 single.in.20050120
985 single.in.20050121
1870 single.in.20050124
879 single.in.20050125
902 single.in.20050126
1199 single.in.20050127
935 single.in.20050128
2181 single.in.20050131
1292 single.in.20050201
1081 single.in.20050202
1059 single.in.20050203
1073 single.in.20050204
3146 single.in.20050207
731 single.in.20050208
1228 single.in.20050209
1154 single.in.20050210
1383 single.in.20050211
2588 single.in.20050214
518 single.in.20050215
569 single.in.20050216
817 single.in.20050217
811 single.in.20050218
2686 single.in.20050222
867 single.in.20050223
763 single.in.20050224
505 single.in.20050225
2040 single.in.20050228
990 single.in.20050301
531 single.in.20050302
968 single.in.20050303
991 single.in.20050304
2370 single.in.20050307
1026 single.in.20050308
963 single.in.20050309
1014 single.in.20050310
725 single.in.20050311
2402 single.in.20050314
1043 single.in.20050315
634 single.in.20050316
770 single.in.20050317
52185 total
One other thing we've done is to stop 'aging out' blocks. Used
to be that if a network or IP address was blocked for six months,
it was automatically unblocked on the first of the month after
the six month anniversary had passed. We stopped doing that in
January, 2005, mostly because I noticed that we were aging out
about 20,000 blocks each month. I figured we may as well just
keep them in until someone asks to remove them; few do.
As I look at things, it does seem that the san.rr.com domain is usually
at or near the top of the daily spam complaints.
So, I hope we keep up the battle. For now, I feel this is something that
I can do to help all of us.
Edwin Kruse
Network Services Manager
TWC San Diego
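Added example (not from Edwin's post and not Road Runner's code): a small Python model of the inbound policy the Herndon manager describes, so the three branches are explicit: no reverse DNS means refuse, a reverse-DNS name inside one of the listed dynamic spaces means block the sender's /24, anything else goes to a reputation check that is left to some other system. Pattern matching is done on label boundaries so a hostname like "fakeres.rr.com" does not match "*.res.rr.com". The pattern list is a subset of the one in the post; the IP addresses and hostnames in the sample are constructed (TEST-NET ranges), and the caller is assumed to have already done the PTR lookup and forward-confirmed it (the PTR name resolves back to the connecting IP), since an unconfirmed PTR can say anything.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Subset of the dynamic-space hostname patterns quoted in the post.
# Extend it with the remaining entries in the same "*.suffix" form.
DYNAMIC_PATTERNS: List[str] = [
    "*.res.rr.com",
    "*.ipt.aol.com",
    "*.dynamic.covad.net",
    "*.sprintbbd.net",
    "*.dyn.sprint-hsd.net",
    "*.dialsprint.net",
    "*.dip.t-dialin.net",
    "*.upc-a.chello.nl",
]


def _pattern_suffix(pattern: str) -> str:
    """Turn '*.res.rr.com' into '.res.rr.com' (lower-cased).

    Keeping the leading dot anchors the match on a label boundary.
    """
    if not pattern.startswith("*."):
        raise ValueError(f"unsupported pattern: {pattern!r}")
    return pattern[1:].lower()


def matches_dynamic_pattern(hostname: str,
                            patterns: List[str] = DYNAMIC_PATTERNS) -> Optional[str]:
    """Return the first pattern the (reverse-DNS) hostname falls under, else None."""
    name = hostname.rstrip(".").lower()  # tolerate a trailing dot and mixed case
    for pattern in patterns:
        suffix = _pattern_suffix(pattern)
        # endswith plus a length check: the name must have at least one
        # label in front of the suffix, so 'res.rr.com' itself does not match.
        if name.endswith(suffix) and len(name) > len(suffix):
            return pattern
    return None


def classify_sender(ip: str, rdns: Optional[str]) -> Tuple[str, str]:
    """Apply the policy from the post to one connecting IPv4 address.

    Returns (action, scope):
      ("refuse", ip)            no reverse DNS at all
      ("block", "a.b.c.0/24")   rDNS is inside a listed dynamic space
      ("check_reputation", ip)  undecided; hand off to a reputation source
    `rdns` is assumed to be a forward-confirmed PTR name (caller's job).
    """
    addr = ipaddress.IPv4Address(ip)
    if not rdns:
        return ("refuse", str(addr))
    if matches_dynamic_pattern(rdns) is not None:
        net = ipaddress.IPv4Network(f"{addr}/24", strict=False)
        return ("block", str(net))
    return ("check_reputation", str(addr))


def tally(decisions: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count decisions the way the post's daily files do: /24 blocks vs single hosts."""
    counts = {"network": 0, "single": 0, "refuse": 0, "check_reputation": 0}
    for action, scope in decisions:
        if action == "block":
            counts["network" if scope.endswith("/24") else "single"] += 1
        else:
            counts[action] += 1
    return counts


# Constructed sample connections (documentation address space, made-up names).
SAMPLE_CONNECTIONS: List[Tuple[str, Optional[str]]] = [
    ("192.0.2.10", "cpe-192-0-2-10.san.res.rr.com"),   # dynamic cable space
    ("192.0.2.77", "fakeres.rr.com"),                  # looks similar, not a match
    ("198.51.100.5", None),                            # no reverse DNS
    ("203.0.113.25", "Mail.Example.COM."),             # a normal mail host
]


def run_sample() -> Dict[str, int]:
    """Classify the constructed sample and return the tallied counts."""
    decisions = [classify_sender(ip, name) for ip, name in SAMPLE_CONNECTIONS]
    for (ip, name), (action, scope) in zip(SAMPLE_CONNECTIONS, decisions):
        print(f"{ip:<14} rdns={name!s:<32} -> {action} {scope}")
    return tally(decisions)


if __name__ == "__main__":
    print(run_sample())
```

The label-boundary check is the part most worth copying: a plain substring or `endswith` test on the bare suffix would let anyone with a hostname ending in "res.rr.com" get swept into the dynamic block, and conversely a provider whose naming scheme puts the dynamic marker in the middle of the name (as several of the listed patterns do) only works if the whole suffix after the marker is matched.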