Brett Glass [28/12/06 10:10 -0700]:
> Hong Kong's spam-consciousness has improved significantly over the
> six months (perhaps due to publicity; Spamhaus had rated it the
> number one source of spam worldwide). But it's still relatively
> high on the list, and

Nope - china's ever had hong kong beat .. I don't recall any single
not in the last few years at least (e&oe sudden spikes) where hkg topped
china in this matter [at least sbl listings wise], sure I could be wrong

> it is one of the countries from which we've seen spam traffic drop
> the most
> since the outage. We've also seen a big drop in spam from Taiwan
> and Korea.

you'd have seen almost all traffic drop from China, Taiwan and Hong
north asia (Japan, and to a lesser extent Korea) seem to have been
less affected. Right now - regional connectivity seems largely in
but lots of routes missing from there, wrt int'l connectivity.

Korea's not been "on my radar" as heavily as the US / China - and it is
quite close to quite a few other countries of a comparable size [poland,
turkey etc] that have large metro broadband networks and comparatively
poorer security on user PCs.

> While our ISP is small compared to, say, AOL, it is far bigger than
> "friends and family on an ISP line." Even though we compete with
> the phone company,

Brett - I know you. And I loved those sendmail rulesets you wrote. And I
know what lariat.net is. That was  meant to sting a bit and  to
your mail traffic in perspective .. a small local ISP, or even a large
local ISP is not very likely to see the kind of international mail
hotmail, AOL or yahoo [or even a nationwide service like Earthlink] is
going to see. Your entire view of the email world is going to be
- and colored by who your users regularly exchange email with ..
which in a one horse burg like Laramie is likely to be almost entirely
local, or within ConUS / Canada.

> What's more, since we get hundreds of thousands of spam attempts
> daily, we have plenty of data from which to generate statistics.
> It's important

Yes - but you need a diverse enough sample of users for that data to
any reasonable relationship with global email trends. Small town
is just not likely to provide that kind of sample.

Several hundred thousand spam attempts .. well, we get that in a minute.
This is something I had my colleagues knock together a few months
when we were being hit with an extra large amount of bot generated
spam traffic [one of those periodic spikes]:

That's 1030591 smtp connections rejected v/s 90341 messages accepted
our servers, in one minute. Again, not a "my mail farm is bigger than
yours" thing - just trying to put things in a bit of perspective.

> for the current list) than any other country. However, we see more
> attempted spams from Asia, Poland, Mexico, Brazil, and Argentina
> than we do from all US sources combined. We also see a difference

Poland - a large broadband provider or two. Mexico and Brazil -
again [and yeah, crackers / skript kiddies too]. There's turkey as
quite a few of these are at or near the top of our radar at times.

Summary - we see individual chinese and korean ISPs contributing
significant percentages of spam (ditto ISPs like Telefonica spain /
TPNet poland, Verizon etc). But when it comes to spam percentages per
country - US : 25.85%, China 17.68%, Korea way lower down at 6.73% while
russia, poland, france, spain, germany, brazil and peru are all in
to 3.8% range ...

> in the types of machines that are sending the spam. Most US sources
> are "zombies" -- machines attached to DSL, FIOS, or cable modem

Most of the chinese and korean smtp connections are zombies too. There's
broadband out there that most US customers would sell their grandmothers
for - available at far cheaper prices. Unfortunately, you can also buy a
knockoff copy of XP for about the cost of a coffee at Starbucks. And
surprise most new PCs come with trojans preinstalled ..

> that we've blocked them. Far more of the offshore sources seem to
> be machines that have been set up specifically to spam. They are

I see those too - and the SBL has most of the chinese spammer hosting
quite well covered, but there's more elsewhere too. And spam volumes
bots has been driving mail traffic way, way up compared to the good old
days when all spammers did was to buy collocated servers and spam
them .. [yup they still do that too, and install massmailer bots on
webhosting servers, spam through those, or abuse insecure cgi/php

But far more of the sources seem to be actual spammer operated machines
seems a bit strange, and I don't think my data can support that very much

Sure - some of your users could have ended up on a few local spammers'
lists (and a lot of the local spammers in that region are still
that time honored old spammer practice of spamming direct from their
ADSL lines, though port 25 blocking is catching on a lot in hkg /
other countries). But really - that volume is detectable, trivial to
them down .. and certainly not as much as the botnet generated spam from
infected PCs that you get from those ranges.

Most of the "static" spam source issues in China are not direct spam
- that's all moved to hosting websites, DNS etc for spam operations.