[personal profile] fanf
Counting all offered messages (rejected or not), we saw 1 447 252 different HELO names in the last month. If I count the number of dots in each name, the resulting histogram is as follows. The small end (0-2 dots) is inflated by incompetence and forgery. The big end (>10 dots) is 99.99% abuse.

 25765
450511 .
218188 ..
432343 ...
197647 ....
 33647 ..... 5
 28485 ......
 19790 .......
  4582 ........
  2040 .........
  3069 .......... 10
  7005 ...........
  9483 ............
  7722 .............
  4390 ..............
  1840 ............... 15
   568 ................
   150 .................
    23 ..................
     3 ...................
     1 .................... 20


Of the messages we accept, 274 902 different HELO names were used (19% of the total). If I count the number of dots in each name, the resulting histogram looks like this:

 5723
69182 .
84906 ..
75131 ...
26182 ....
 4723 ..... 5
 4436 ......
 2686 .......
  279 ........
  123 .........
  123 .......... 10
  317 ...........
  447 ............
  320 .............
  211 ..............
   87 ............... 15
   21 ................
    4 .................
    1 ..................


A lot of these are clearly bogus, for example 80 characters of random words concatenated with an IP address, like

Antigone.meter.ernet.ne.jpsouthparkmail.comnetlane.comlouiskoo.comjpopmail.comtw60.186.213.104

or a random collection of concatenated domain names, like

cave.ngs.ouse.hello.nlsammail.compcmail.com.twsouthparkmail.com

(These should obviously be added to my HELO heuristics!) After removing them, there are 272 890 HELO names. If I count the number of dots in each name, the resulting histogram looks like this:

 5723
69182 .
84905 ..
75130 ...
26176 ....
 4688 ..... 5
 4334 ......
 2521 .......
  179 ........
   47 .........
    0 .......... 10
    2 ...........
    3 ............
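
An added example, not code from the original post: one way the dot-count histogram and the two bogus patterns quoted above (domain names glued together, and an IP address appended to a label) could be checked. The suffix list, the threshold of two glued labels and all function names are assumptions made for illustration; the sample names are constructed apart from the two quoted in the post.

```python
import re
from collections import Counter

# Constructed sample; the last two names are the ones quoted in the post.
SAMPLE_HELOS = [
    "mail.example.org",
    "localhost",
    "mx1.mail.example.co.uk",
    "Antigone.meter.ernet.ne.jpsouthparkmail.comnetlane.comlouiskoo"
    ".comjpopmail.comtw60.186.213.104",
    "cave.ngs.ouse.hello.nlsammail.compcmail.com.twsouthparkmail.com",
]

# Assumption: a short illustrative suffix list, not a full public-suffix list.
SUFFIXES = ("com", "net", "org", "jp", "tw", "nl")
# A label that starts with a suffix and carries on, e.g. "comnetlane".
GLUED = re.compile(r"^(?:%s)[a-z0-9-]+$" % "|".join(SUFFIXES))
# A dotted quad stuck directly onto letters at the end, e.g. "tw60.186.213.104".
IP_TAIL = re.compile(r"[a-z]\d{1,3}(?:\.\d{1,3}){3}$")


def dot_histogram(names):
    """Map number of dots -> count of distinct HELO names."""
    return Counter(name.count(".") for name in set(names))


def bogus_reasons(name):
    """Return the heuristics a HELO name trips (empty list means none)."""
    n = name.lower().rstrip(".")
    reasons = []
    # Skip the first label: a glued label only matters after a previous name.
    glued = [label for label in n.split(".")[1:] if GLUED.match(label)]
    # One hit is common in honest names ("network", "company"), so need two.
    if len(glued) >= 2:
        reasons.append("concatenated-domains")
    if IP_TAIL.search(n):
        reasons.append("ip-appended")
    return reasons


def filter_helos(names):
    """Drop names that trip any heuristic."""
    return [n for n in names if not bogus_reasons(n)]


if __name__ == "__main__":
    for title, names in (("all", SAMPLE_HELOS),
                         ("filtered", filter_helos(SAMPLE_HELOS))):
        print(title)
        for dots, count in sorted(dot_histogram(names).items()):
            print(f"{count:6d} {'.' * dots}")
```
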


This still includes various stupidities. 26631 of the 37272 single dot names ending in com|net|org have no name servers so are invalid. Of the unfiltered list, 208323 of the 288884 com|net|org names are invalid.

Edit: Actually, if you use less-strict DNS validity checking those numbers are 22015 (instead of 26631) and 206556 (instead of 208323).