SPAMming countries

Our mailserver had a hard time last weekend
keeping up with the loads of emails thrown at it. It took 2 minutes to get an
ssh connection, because all processes other than qmail and spamd were kicked
out of memory and swap space. This is when I decided to try out greylisting. What a
success!

But what I wanted to show here are two lists:

> sqlite3 /var/db/greylite/greylite.db "select ip from pending" | xargs -n 1 geoiplookup | sort | uniq -c | sort -nr | head -n 15
389 GeoIP Country Edition: US, United States
285 GeoIP Country Edition: KR, Korea, Republic of
209 GeoIP Country Edition: TR, Turkey
208 GeoIP Country Edition: RU, Russian Federation
208 GeoIP Country Edition: IT, Italy
194 GeoIP Country Edition: RO, Romania
179 GeoIP Country Edition: BR, Brazil
172 GeoIP Country Edition: ES, Spain
167 GeoIP Country Edition: CO, Colombia
166 GeoIP Country Edition: AR, Argentina
163 GeoIP Country Edition: PL, Poland
134 GeoIP Country Edition: --, N/A
120 GeoIP Country Edition: CL, Chile
118 GeoIP Country Edition: CN, China
115 GeoIP Country Edition: MX, Mexico

and

> sqlite3 /var/db/greylite/greylite.db "select ip from verified" | xargs -n 1 geoiplookup | sort | uniq -c | sort -nr | head -n 15
141 GeoIP Country Edition: US, United States
 28 GeoIP Country Edition: TW, Taiwan
 22 GeoIP Country Edition: GB, United Kingdom
 20 GeoIP Country Edition: BE, Belgium
 14 GeoIP Country Edition: RU, Russian Federation
 14 GeoIP Country Edition: FR, France
 14 GeoIP Country Edition: DE, Germany
 12 GeoIP Country Edition: NL, Netherlands
 10 GeoIP Country Edition: JP, Japan
 10 GeoIP Country Edition: CN, China
  9 GeoIP Country Edition: IN, India
  8 GeoIP Country Edition: PE, Peru
  7 GeoIP Country Edition: TR, Turkey
  6 GeoIP Country Edition: UA, Ukraine
  6 GeoIP Country Edition: CA, Canada

Some questions and remarks I have here are

  • Who is sending us all this email? :-)
  • This database is only in use for something like 24 hours now.
    Wonder what it will look like in a year or so…
  • Why is Taiwan second in the verified list? We don’t have any
    customers there. Is it a popular relaying country or do they have
    intelligent SPAM bots?
  • I’m happy to see we seem to be blocking off South Korea
    mostly.

If anybody else can make more sense out of this data, please let me know.
Thank you. :-)
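
One way to read the two lists side by side, as an added example that is not part of the original post: join the `uniq -c` tallies by country code and print what share of each country's IPs ended up verified. The function names are hypothetical, the input is a subset of the rows shown above, and the share assumes `pending` and `verified` hold disjoint sets of IPs.

```shell
#!/bin/sh
# Constructed input: a subset of the rows from the two lists in the post.
pending_sample() { cat <<'EOF'
389 GeoIP Country Edition: US, United States
285 GeoIP Country Edition: KR, Korea, Republic of
209 GeoIP Country Edition: TR, Turkey
208 GeoIP Country Edition: RU, Russian Federation
118 GeoIP Country Edition: CN, China
EOF
}
verified_sample() { cat <<'EOF'
141 GeoIP Country Edition: US, United States
 28 GeoIP Country Edition: TW, Taiwan
 14 GeoIP Country Edition: RU, Russian Federation
 10 GeoIP Country Edition: CN, China
  7 GeoIP Country Edition: TR, Turkey
EOF
}

# country_ratio PENDING_FILE VERIFIED_FILE   (hypothetical helper)
# Prints "CC pending verified share%", highest verified share first.
# Assumption: an IP is in either pending or verified, never both.
country_ratio() {
    LC_ALL=C awk '
        {   # layout: <count> GeoIP Country Edition: <CC>, <name>
            cc = $5; sub(/,$/, "", cc); seen[cc] = 1
            if (FILENAME == ARGV[1]) p[cc] += $1; else v[cc] += $1
        }
        END {
            for (cc in seen)
                printf "%s %d %d %.1f\n", cc, p[cc], v[cc],
                       100 * v[cc] / (p[cc] + v[cc])
        }
    ' "$1" "$2" | LC_ALL=C sort -k4,4nr -k1,1
}

# Write the samples to temporary files and run the join on them.
demo() {
    tmp=$(mktemp -d) || return 1
    pending_sample  > "$tmp/pending"
    verified_sample > "$tmp/verified"
    country_ratio "$tmp/pending" "$tmp/verified"
    rm -rf "$tmp"
}
demo
```

On a real database, feed it the full `sort | uniq -c` output without `head -n 15`; with truncated lists a country that merely fell below the cut-off shows up as 0.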
