SpamRATS

SpamRats Statistics

Direct statistics or comparisons are difficult, as it really depends on the use case. Servers hosting more domains, suffer from more bot generated spam attacks, dictionary attacks, and other problems than a server with a single domain. And of course, where you implement is important. At the edge of course will see more detections, but later in the process after rate limiters and other ACL's and rulesets might have lower numbers. And what country you have your email server in, also changes the statistics.


... even a one (1) percent improvement in catch rates can be important ...

However we can give SOME sense of the effectiveness of RBL's.. it can be anywhere between 10% and 90% of your traffic. Some 3rd parties also publicly share how effective various Spam RBL's are and what their false positive rates may be. Remember.. everyone's experience will be different, but these sample 3rd parties can be enlightening.

Various Public Comparison Sites

For the record, stats are VERY misleading, and often companies only use the stats the make them look good. 3rd parties MAY be your best reference, however our threat intelligence gathering tools show both real time and historical data, whether a single IP, a Network, an ASN, or an operator. This live real-time information will soon be available as well.


... tracking 4,294,967,296 IPs.. It's not that hard ...

Do you realize that there can ONLY be 4,294,967,296 IPs in the IPv4 Space? In practice, there are less than three (3) billion usable IPs, and more realistically, only a few million IPs that can be used for email servers. It is NOT that hard. However, there are FAR more IPs, used strictly for things like mobile phones, home internet connections, open proxies, that frankly are just used by bots and criminals to try to access your servers and services, instead of legitimate purposes. With almost 20 years of history gathering data, and thousands of real time feeds, it is not surprising that SpamRats data is so effective. Small surprise that lists like RATS-NOPTR have more than 100 Million IPs listed, with almost ZERO false positives. Imagine using all our lists.

IP Listings by the Numbers

  1. Total Number of IPv4 Addresses possible: 4,294,967,296
  2. Total Special IANA Reserve IPv4 Addresses: 592,708,865
  3. Total Theoretical Usable IPv4 Addresses: 3,702,258,431

  4. IP Addresses on RATS-NOPTR: 121,246,469
  5. IP Addresses on RATS-DYNA: 179,533,636
  6. IP Addresses on RATS-SPAM; 9,521,195
... as you can see, less than 1% of the IP space accounts for 99% of the spam ...

And of course you should NEVER get email from 'BOGONS'. The following IP space NEVER sends spam, because it is not routable. Any attempt is a forgery

| CIDR               | Purpose                                                         | Key ref                                
| ------------------ | --------------------------------------------------------------- | --------------------------------------
| 0.0.0.0/8          | “This network” (incl. 0.0.0.0/32 unspecified)                   | IANA Special Registry; RFC 791/1122    
| 10.0.0.0/8         | Private use                                                     | RFC 1918                               
| 100.64.0.0/10      | CGNAT / Shared address space                                    | RFC 6598                              
| 127.0.0.0/8        | Loopback                                                        | RFC 1122                               
| 169.254.0.0/16     | Link-local (APIPA)                                              | RFC 3927                               
| 172.16.0.0/12      | Private use                                                     | RFC 1918                               
| 192.0.0.0/24       | IETF protocol assignments (parent block; contains various /32s) | RFC 6890                               
| 192.0.2.0/24       | TEST-NET-1 (documentation)                                      | RFC 5737                               
| 192.88.99.0/24     | 6to4 relay anycast (deprecated; do not use)                     | RFC 7526                               
| 192.168.0.0/16     | Private use                                                     | RFC 1918                               
| 198.18.0.0/15      | Benchmarking interconnects                                      | RFC 2544/5735                          
| 198.51.100.0/24    | TEST-NET-2 (documentation)                                      | RFC 5737                               
| 203.0.113.0/24     | TEST-NET-3 (documentation)                                      | RFC 5737                               
| 224.0.0.0/4        | Multicast (Class D)                                             | IANA Multicast Registry; RFC 1112/5771 
| 240.0.0.0/4        | Reserved for future use (Class E; generally unrouted)           | RFC 1112                               
| 255.255.255.255/32 | Limited broadcast                                               | RFC 919/8190                           
  

Technically, there are a lot more IPs that would qualify for RATS-DYNA and RATS-NOPTR, but fortunately many Telcos and ISPs block all egress traffic to port 25, so they never get listed.


It is important to note, that many large ranges of IPv4 space are still locked up by major entities, like governments, universities, and legacy operators, that also cannot send spam as they are not publicly accessible either.

Too Big to Block

Unfortunately, in today's world there is a lot of spam that originates from the so called 'Too Big to Block', entities like Gmail, and o365/Hotmail. As well, there is a lot from email marketing companies that some recipients believe to be unwanted Spam, but are not on these reputation lists as valuable important email also originates from those sources. But in some cases, IP reputation of the sender connecting THROUGH these services can be used to identify known spammers. Because of the use of IP reputation, which prevents known spammer sources, unfortunately it is reported that app. 72% of all spam and phishing now arrives from sources like Gmail

Using data from SpamRats can help identify a significant portion, and if you wish to prevent outbound spam, lists like RATS-AUTH, RATS-NULL can help if used in your filtering tools

Other Threats - Overlap

Compromised servers, bots, and criminal networks resort to spam and phishing for their criminal activity. It is reported that over 70% of all ransomware attacks originate from an initial spam or phishing action. But when a criminal owns or operates or has access to an IPv4 address, they often use it for many other forms of attacks, including SSH, Web Attacks, DDOS attacks and more. This is why IP reputation goes far beyond simply just email. And DROP lists such as RATS-NULL should be used to protect all networks.

Nowadays, we observe that major cloud services are being abused more and more frequently for use in authentication attacks. We are just as surprised as you may be when looking at the source of these authentication attacks. The trend towards utilizing these cloud services for malicious attacks is concerning, and unfortunate that more is not done at the source. Services that allow criminals to get IPv4 space sometimes even for just minutes at a time, networks that rent to criminals, all contribute to the global financial losses

These services do not provide any transparency as to who or what is behind the attack, leaving the targets and victims vulnerable. Even if you block one offending IP, another IP from that network will come knocking on your server's door. This provides a haven where threat actors can hide behind a service and remain anonymous while performing password guessing attacks.

Financial Losses Worldwide

For worldwide losses, much of the information is hard to validate, however as North America with 30-35% of the global household wealth, and 5% of the population, you can extrapolate world wide losses due to spam and phishing and similar activity.

North American Reported Losses

... United Stated Reported $16.6 Billion dollars in losses (FBI Stats) ...
... Canada Reported $658 Million dollars in losses (Government of Canada)) ...

A total REPORTED loss of $17.4 Billion loss in North America already seems like a catastrophe, and it's not just businesses. FBI reports show that in 2024 a conservative consumer personal loss of over $12 Billion dollars. Even worse, it is estimated that only 5-10 percent of fraud is reported. Consumer losses are the majority of that amount unfortunately with BEC (Business Email Compromise) as the most notable business loss, reported to be the largest portion.


... Business Email Compromise (BEC) reported to be $2.77B in 2024, and well under reported...

However, given that the major portion of losses is consumer losses, examining this further is important.

  • Investment scams (incl. crypto / “pig-butchering”): $6.57B
  • Tech support scams: $1.46B
  • Personal data breach: $1.45B
  • Non-payment / non-delivery: $0.79B
  • Confidence/romance (“catfishing”): $0.67B
  • Government impersonation: $0.41B
  • Identity Theft, Fake Lotto, Extortion, and Over-payment Scams

And the worst part, is that our most vulnerable portion, our elderly are most often targeted, and often for their life savings. Reported loss reports exceed $4.8–$4.9B (147,127 complaints) for the 60+ age category. The FTC reports even higher numbers, where investment scams are $5.7B and impostor scams of app. $3 Billion in 2024

  • Investment $1.83B
  • Tech support $0.98B
  • Romance $0.39B
  • Business Email Compromise (as personal victims) $0.39B
  • Government impersonation $0.21B
  • Personal data breach and others $0.25B

And for all of these, the criminals need access to the internet. IP Reputation can be one of your strongest tools. We all need to do more to protect our citizens.

Resources and References

United States
FBI IC3 2024 Internet Crime Report
https://www.ic3.gov/Media/PDF/AnnualReport/2024_IC3Report.pdf

FBI IC3 Elder Fraud Report 2024
https://www.ic3.gov/Media/PDF/AnnualReport/2024_IC3ElderReport.pdf

FBI IC3 Ransomware Data (2024 IC3 Report appendix)
(included in the main IC3 2024 PDF above)

Federal Trade Commission (FTC) – Consumer Sentinel Network, Fraud Reports 2024
https://www.ftc.gov/reports/consumer-sentinel-network-data-book-2024

Canada
Canadian Anti-Fraud Centre (CAFC) – Annual Fraud Data 2024
https://www.antifraudcentre-centreantifraude.ca/scams-fraudes/statistics-statistiques-eng.htm

RCMP / CAFC News Release on 2024 Fraud Losses
https://www.rcmp-grc.gc.ca/en/news/2025/canadian-anti-fraud-centre-reports-638-million-losses-2024

Many thanks to our Sponsors, Subscription Holders, Users and Contributors.