[Rspamd-Users] Bayes questions and observations

G.W. Haywood rspamd at jubileegroup.co.uk
Sun Mar 17 11:04:45 UTC 2024


Hi there,

On Sat, 16 Mar 2024, christian via Users wrote:
> On 16.03.2024 at 17:00, G.W. Haywood wrote:
>
>> If you wish I can easily provide a list of ASNs with scores greater
>> than whatever value you desire, which you then could drop with very
>> good confidence that nobody except the spammers would notice.
>
> Very gladly,
> I put together a list of the 15 worst ASNs from this website:
> https://emretosunkaya.com/bad-asn-list-to-block-in-your-web-firewall-to-harden-against-malicious-attacks/

Be cautious with that list.  For example from about 30,000 connections
Hetzner (AS24940) scores only 0.19 here.  We do have customers on that
AS, which will tend to skew our measurements - but not by very much.

> The worst for me is: AS36352 AS-COLOCROSSING

Yes, score here 10.48 from approaching 10,000 connections but it's far
from the worst offender that we see.  Below are those with scores more
than 4.0 and more than a thousand connections in the past year.  It's
difficult I think to call any one of them the 'worst' offender, as the
numbers of connections and what those connections try to do must both
be taken into account.  Some of them do nothing but send what I'd call
perfectly ordinary spam; some of them do nothing but make attacks which
try to compromise our servers; some of them send a mixture of malicious
mail and legitimate mail.  If anything those which send a mixture are a
bigger problem than those which have no legitimate reason to connect,
and that's the main reason that we need to make all these measurements.
If we could block all the Bad Guys all the time things would be easier.
You'll probably want to use a monospace font to see the table well.

  asnum  |                        asname                         | score | count 
 --------+-------------------------------------------------------+-------+-------
   50613 | ADVANIA ISLAND EHF                                    |  4.09 |  1178
   51659 | LLC BAXET                                             |  4.40 |  1431
   14061 | DIGITALOCEAN-ASN                                      |  4.48 | 12697
    8100 | ASN-QUADRANET-GLOBAL                                  |  4.74 |  2990
   35913 | DEDIPATH-LLC                                          |  5.02 |  1134
   38365 | BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY CO., LTD. |  6.20 |  1807
    4837 | CHINA UNICOM CHINA169 BACKBONE                        |  6.51 |  8187
    4812 | CHINA TELECOM (GROUP)                                 |  6.63 |  1817
   12389 | ROSTELECOM                                            |  6.73 |  1315
   45090 | SHENZHEN TENCENT COMPUTER SYSTEMS COMPANY LIMITED     |  6.75 |  1922
    4134 | CHINANET                                              |  6.83 | 29141
    7922 | COMCAST-7922                                          |  7.38 |  1965
  208708 | EUROCABLE LTD                                         |  8.10 |  2984
   46573 | LAYER-HOST                                            |  8.20 |  2723
  136052 | PT CLOUD HOSTING INDONESIA                            |  8.50 |  1688
  210228 | WEB HOSTED GROUP LTD                                  |  8.55 |  7136
   42864 | GIGANET INTERNET SZOLGALTATO KFT                      |  8.88 |  3219
  200391 | KREZ 999 EOOD                                         |  9.07 |  1381
   24560 | BHARTI AIRTEL LTD., TELEMEDIA SERVICES                |  9.38 |  1753
  213035 | DES CAPITAL B.V.                                      |  9.39 | 27999
  206873 | GALAXYSTAR LLC                                        |  9.42 |  1836
    9808 | GUANGDONG MOBILE COMMUNICATION CO.LTD.                |  9.50 |  2904
    4766 | KOREA TELECOM                                         |  9.59 |  2417
   22773 | ASN-CXA-ALL-CCI-22773-RDC                             |  9.72 |  3325
  135905 | VIETNAM POSTS AND TELECOMMUNICATIONS GROUP            | 10.29 |  2782
  211760 | SUISSE LIMITED                                        | 10.44 |  2599
   36352 | AS-COLOCROSSING                                       | 10.49 |  9223
    1239 | SPRINTLINK                                            | 10.49 |  3003
  209605 | UAB HOST BALTIC                                       | 10.60 |  1349
  138687 | XDEER LIMITED                                         | 11.14 |  1793
   23650 | AS NUMBER FOR CHINANET JIANGSU PROVINCE BACKBONE      | 11.43 |  2112
  208476 | DANILENKO, ARTYOM                                     | 11.51 |  1208
  209371 | ENES KOKEN                                            | 11.62 |  3997
  211252 | DELIS LLC                                             | 11.97 | 15357
    4808 | CHINA UNICOM BEIJING PROVINCE NETWORK                 | 12.38 |  4451
  399471 | AS-SERVERION                                          | 12.41 |  1126
   35478 | BUNEA TELECOM SRL                                     | 12.73 |  2509
   17447 | NET4INDIA LTD                                         | 13.04 |  7091
   51447 | ROOTLAYER WEB SERVICES LTD.                           | 13.18 |  2697
  202306 | HOSTGLOBAL.PLUS LTD                                   | 14.20 |  4485
   17488 | HATHWAY IP OVER CABLE INTERNET                        | 14.33 |  1017
   39032 | IST TELEKOM LLC                                       | 14.98 |  2352
  207713 | GLOBAL INTERNET SOLUTIONS LLC                         | 17.48 |  1021

I think people who run these services should have to have a licence.  Then they
could have it taken away.  Pour encourager les autres, I'd start with AS207713,
and work upwards through the list, one per week, until they got the message.

HTH

-- 

73,
Ged.

