I have an ISP account, as well as a domain (ajackson.org), so I get the pleasure of sampling spam and viruses from many angles. I have my own e-mail filter for identifying and sorting my mail, and from the log file I generate the plots below.
The software that I used is available from my software page. Basically I massage the data with Perl to produce a nice matrix of input data, and then use R to do the statistics and plotting.
The Perl pre-processing is very closely tied to my peculiar system, but the bits that may be generally useful are these:
# Given an IP address, get a domain. First check my database of IP vs domain, and
# if not there, then try the host command. Failing that, go get the abuse address
# from zcw (http://www.cyberabuse.org/).
# $db (a record store with a getrec() method) and truncdom() are defined elsewhere
# in the script and are not shown here.
sub get_dom {
    my $ip = shift;
    my $host;

    # The address comes out of mail headers, i.e. from the sender, so it must not
    # reach a shell unchecked: anything that is not plain IPv4/IPv6 characters is
    # treated as unknown rather than interpolated into a command line.
    return 'UNK' unless defined $ip && $ip =~ /^[0-9A-Fa-f.:]+$/;

    # 1. Local database of IP -> domain (tab-separated record, column 2 is the domain).
    my $rec = $db->getrec($ip);
    if (defined $rec) {
        $host = (split(/\t/, $rec))[2];
    }
    if (defined $host && length $host < 1) { $host = 'UNK'; }
    if (defined $host) { $host = truncdom($host); }
    #print STDERR "database : $host\n";
    return $host if defined $host;

    # 2. Reverse DNS via host(1); field 4 of its output is the PTR target.
    $host = `/usr/bin/host $ip`;
    my $foo = (split(/\s+/, $host))[4];
    if ($host =~ /not found/ || !defined $foo || length($foo) < 4) {
        # 3. No usable PTR record: fall back to the abuse contact reported by zcw.
        $host = `zcw -h $ip | grep Abuse`;
    }
    if (length $host < 1)   { $host = 'UNK'; }
    if ($host eq 'reached') { $host = 'UNK'; }
    # Keep the last whitespace-separated token, and if it is an address, the part after '@'.
    $host = (split(/\s+/, $host))[-1];
    $host = (split(/@/, $host))[-1];
    if (!defined $host || length $host < 1) { $host = 'UNK'; }
    print STDERR "not database : $host\n";
    if (defined $host) { $host = truncdom($host); }
    return $host;
}
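The same three-stage lookup (local database, then reverse DNS with host(1), then the abuse contact from zcw), as an added example in Python rather than the page's Perl; this is not code from the original page. The point it adds is the handling of the untrusted input: the IP string is lifted from mail headers the sender wrote, so it is validated before any external command sees it, and the commands run as argument lists with no shell. The command runners are injectable so the example runs offline against constructed output. truncdom() (keeping the last two labels) and the "Abuse: user@domain" line format for zcw are assumptions, not taken from the page.

```python
"""Added example (not code from the original page): the get_dom lookup chain
in Python. Order of sources is the same as the Perl (local database -> reverse
DNS via host(1) -> abuse contact via zcw). The IP, which comes from mail
headers the sender controls, is validated before any external command runs,
and commands are invoked without a shell. Runners are injectable so the
example works offline. truncdom() and the zcw output format are assumptions."""
import ipaddress
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

Runner = Callable[[List[str]], str]


def run_command(argv: List[str]) -> str:
    """Real runner: argv list and no shell, so metacharacters in ip are inert."""
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=10, check=False)
    return proc.stdout


def truncdom(host: str) -> str:
    """Assumed stand-in for the page's truncdom(): keep the last two labels
    (mail.example.net. -> example.net). Real registrable-domain logic needs the
    public suffix list; this is a deliberate simplification."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_host_output(text: str) -> Optional[str]:
    """PTR target from host(1) output, or None on NXDOMAIN / unexpected text."""
    if "not found" in text:
        return None
    m = re.search(r"domain name pointer\s+(\S+)", text)
    return m.group(1) if m else None


def parse_zcw_output(text: str) -> Optional[str]:
    """Domain part of the first 'Abuse: user@domain' line (format assumed)."""
    for line in text.splitlines():
        if "Abuse" in line and "@" in line:
            return line.split()[-1].split("@")[-1]
    return None


def get_dom(ip: str, db: Dict[str, str], run: Runner = run_command) -> str:
    """Return the domain responsible for ip, or 'UNK' if nothing usable."""
    # 1. Validate first: a value that is not a literal IP never reaches a command.
    try:
        ip = str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        return "UNK"
    # 2. Local database of previously resolved addresses.
    if ip in db:
        return truncdom(db[ip]) if db[ip] else "UNK"
    # 3. Reverse DNS.
    host = parse_host_output(run(["/usr/bin/host", ip]))
    # 4. No usable PTR: fall back to the abuse contact's domain.
    if host is None or len(host) < 4:
        host = parse_zcw_output(run(["zcw", "-h", ip]))
    if not host:
        return "UNK"
    db[ip] = truncdom(host)   # remember it for the next log line
    return db[ip]


# --- Offline demonstration with constructed command output -------------------
FAKE_OUTPUT = {
    ("/usr/bin/host", "192.0.2.10"):
        "10.2.0.192.in-addr.arpa domain name pointer mail.example.net.\n",
    ("/usr/bin/host", "192.0.2.20"):
        "Host 20.2.0.192.in-addr.arpa. not found: 3(NXDOMAIN)\n",
    ("zcw", "-h", "192.0.2.20"): "Abuse: abuse@isp-example.org\n",
    ("/usr/bin/host", "192.0.2.30"):
        "Host 30.2.0.192.in-addr.arpa. not found: 3(NXDOMAIN)\n",
    ("zcw", "-h", "192.0.2.30"): "No abuse contact found\n",
}


def lookup_with_trace(ip: str,
                      db: Optional[Dict[str, str]] = None) -> Tuple[str, int]:
    """Resolve ip against the constructed output; return (domain, commands run)."""
    calls: List[List[str]] = []

    def fake_run(argv: List[str]) -> str:
        calls.append(list(argv))
        return FAKE_OUTPUT.get(tuple(argv), "")

    return get_dom(ip, {} if db is None else db, fake_run), len(calls)


if __name__ == "__main__":
    for sample in ("192.0.2.10", "192.0.2.20", "192.0.2.30",
                   "192.0.2.10; rm -rf /"):
        print(f"{sample!r:28} -> {lookup_with_trace(sample)}")
```

The second element of each trace is the number of external commands that ran: a header value that fails `ipaddress.ip_address()` is answered with 'UNK' after zero commands, and a cached address after zero as well, so the per-address cost of the two network lookups is paid once per log run.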
I have had some issues with certain ISPs. For example, Wanadoo.fr seems to reject all of my virus complaints, even though I have stripped out the viral load. I don't know what their problem is, it's just too bad. Into the trash. shinbiro.com is a piece of work. Apparently they are completely rogue, since any spam sent to their abuse desk gets rejected. So just how am I supposed to report spam? Answer - I'm not. Jerks.
Plonk List