Martin Kealey wrote:
Hi all
I've been paying attention to our mail logs lately and seeing some "interesting" stuff. So I was wondering...
Does anyone run a serious (commercial) email operation in New Zealand without having appropriate MX records these days? (i.e. relying on the legacy behaviour of using A records in the absence of MX records.) What about web forms? What about embedded devices?
What proportion of valid mail in NZ is sent from an address that doesn't have an MX record? Do you check? What do you do if it's not? If one were to block email from addresses without MX records, how much would break? How many complaints would one get?
So in the spirit of Geoff Houston's bgp-the-movie, and xkcd's map of the internet (http://xkcd.com/c195.html), I decided to do some of my own maps of the Internet (don't worry, relevance is arriving soon). http://blag.xkcd.com/2006/12/11/the-map-of-the-internet/ describes the algorithm. I work down to the /20, so the image doesn't get absolutely insanely huge.

First I did a map of all the ASes on the Internet, colouring each AS by its number: http://coders.meta.net.nz/~perry/dump/asmap.png

Then I did one of the age of each AS based on its whois last modified. Brighter red is newer ASes, darker red is older ASes. I guess I should have done this on the last modified of the prefix object, but meh, I did AS because of Geoff's cool movie. http://coders.meta.net.nz/~perry/dump/agemap.png

But to bring this back on topic, I did a map of where all the spam and ham comes from. Red intensity is the amount of spam, blue intensity is the amount of ham. http://coders.meta.net.nz/~perry/dump/spammap.png

A few conclusions I jumped to when I saw this picture were:

* There are only a "few" networks that send mail. Comparing to "agemap" and "asmap" you can see that there is a lot of address space that doesn't send any email (or at least doesn't send mail anywhere where I can see it).
* People that send ham are generally stuck in the middle of people sending spam, although some of these might be false negatives.
* Some networks are /really/ bad.
* There are extremely few hammy sites, less than 1,000. It would almost be manageable to keep a whitelist up to date by hand (well, if you were employed full time to do it anyway). There are certainly a lot more spammy hosts than hammy hosts, so RBLs seem to be fighting the wrong end of the war.
* Sites send ham or spam (red or blue); sites don't send ham and spam (purple).
* There's very little spam in the "lower right" of the map, which I think is the old Class C space (192/3).
* I need more data to really flesh this out.
Feel free to jump to any other conclusions you feel like from this data :)
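As an added example (not code from either poster), here is the kind of check Martin's MX question describes: classify each sender domain seen in a mail log by whether it publishes MX records, relies on the legacy A/AAAA fallback, publishes a null MX, or resolves to nothing, and then measure how much of the "valid" mail a no-MX policy would reject. The resolver and the log lines are constructed stand-ins so it runs offline; a real deployment would plug in a live DNS lookup and the real log.

```python
"""Classify sender domains by their mail-routing DNS records (RFC 5321 s5.1, RFC 7505)."""
import re
from collections import Counter
from typing import Callable, Dict, List, Tuple

# A resolver returns the record strings for (name, rrtype), or [] when the RRset is absent.
Resolver = Callable[[str, str], List[str]]

# Constructed stand-in for DNS. Documentation names/addresses only (example.*, 192.0.2.0/24).
CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("nomx.example.net", "A"): ["192.0.2.10"],      # no MX, only an A record
    ("nomail.example.org", "MX"): ["0 ."],          # RFC 7505 null MX: "this domain sends no mail"
}

# Constructed Postfix-style log lines.
SAMPLE_LOG = [
    "Dec 11 10:00:01 mx1 postfix/qmgr[1]: A1: from=<alice@example.com>, size=900",
    "Dec 11 10:00:05 mx1 postfix/qmgr[1]: A2: from=<bob@nomx.example.net>, size=1200",
    "Dec 11 10:00:09 mx1 postfix/qmgr[1]: A3: from=<bounce@nomail.example.org>, size=400",
    "Dec 11 10:00:12 mx1 postfix/qmgr[1]: A4: from=<carol@ghost.example.invalid>, size=700",
    "Dec 11 10:00:15 mx1 postfix/qmgr[1]: A5: from=<>, size=300",   # bounce, no domain
    "Dec 11 10:00:20 mx1 postfix/qmgr[1]: A6: from=<alice@example.com>, size=950",
]
FROM_RE = re.compile(r"from=<([^>]*)>")

def stub_resolver(name: str, rrtype: str) -> List[str]:
    return CONSTRUCTED_ZONE.get((name.lower().rstrip("."), rrtype), [])

def classify_domain(domain: str, resolve: Resolver) -> str:
    """Return 'mx', 'null-mx', 'a-fallback' or 'undeliverable' for a sender domain."""
    mx = resolve(domain, "MX")
    if mx:
        pref, _, target = mx[0].strip().partition(" ")
        if len(mx) == 1 and pref == "0" and target.strip() == ".":
            return "null-mx"          # domain explicitly opts out of receiving mail
        return "mx"
    # Legacy rule: with no MX at all, SMTP clients treat an A/AAAA record as an implicit MX.
    if resolve(domain, "A") or resolve(domain, "AAAA"):
        return "a-fallback"
    return "undeliverable"

def tally_log(lines: List[str], resolve: Resolver) -> Counter:
    """Count sender domains per class; lines without a domain (e.g. from=<>) are skipped."""
    counts: Counter = Counter()
    for line in lines:
        m = FROM_RE.search(line)
        if not m or "@" not in m.group(1):
            continue
        counts[classify_domain(m.group(1).rsplit("@", 1)[1], resolve)] += 1
    return counts

def fallback_ratio(counts: Counter) -> float:
    """Share of routable senders that a strict 'must have MX' policy would reject."""
    routable = counts["mx"] + counts["a-fallback"]
    return counts["a-fallback"] / routable if routable else 0.0
```

On the constructed log this reports two MX senders, one A-fallback sender, one null-MX sender and one undeliverable domain, so a no-MX policy would reject a third of the otherwise routable senders.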