There was a particular eastern European country that was giving me problems. I went back through the logs 18 months and couldn’t find a single legitimate connection, so I decided to deny every IP address block assigned to that country. After a while, I took a look at the percentage of assigned blocks that had sent port scans, bot probes, etc., and it was just under 70%.
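One way to do the tallying this post describes, as an added example (not the poster's own tooling): take the registry's list of blocks for the country, pull the source addresses of refused packets out of the firewall log, and count how many of the assigned blocks contributed at least one probe. The blocks and the log lines below are constructed from documentation/test address ranges, and the `DROP ... SRC=` record layout follows iptables logging; the `deny_rules` output is the blanket deny the post ends up applying.

```python
import ipaddress
import re

# Constructed: CIDR blocks the registry assigns to the hypothetical country
COUNTRY_BLOCKS = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "203.0.113.0/24"]

# Constructed iptables-style log records; only the action and the SRC= field matter here
FIREWALL_LOG = """\
Jan 10 03:12:44 fw kernel: DROP IN=eth0 SRC=192.0.2.17 DST=10.0.0.5 PROTO=TCP DPT=22
Jan 10 03:12:45 fw kernel: DROP IN=eth0 SRC=192.0.2.17 DST=10.0.0.5 PROTO=TCP DPT=23
Jan 10 03:15:01 fw kernel: DROP IN=eth0 SRC=198.51.100.200 DST=10.0.0.5 PROTO=TCP DPT=445
Jan 10 03:20:10 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=3389
Jan 10 03:21:00 fw kernel: DROP IN=eth0 SRC=198.18.0.7 DST=10.0.0.5 PROTO=UDP DPT=53
Jan 10 03:22:13 fw kernel: ACCEPT IN=eth0 SRC=198.18.0.8 DST=10.0.0.5 PROTO=TCP DPT=443
"""

SRC_RE = re.compile(r"\bSRC=(\d+\.\d+\.\d+\.\d+)\b")


def dropped_sources(log_text):
    """Distinct source addresses of DROP records (the scans/probes the firewall refused)."""
    sources = set()
    for line in log_text.splitlines():
        if " DROP " not in line:
            continue  # accepted traffic is not evidence of hostility
        m = SRC_RE.search(line)
        if m:
            sources.add(ipaddress.ip_address(m.group(1)))
    return sources


def hits_per_block(blocks, sources):
    """Map each assigned block to the number of distinct hostile sources seen inside it."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    counts = {str(n): 0 for n in nets}
    for src in sources:
        for n in nets:
            if src in n:
                counts[str(n)] += 1
                break  # a source belongs to exactly one block in a registry allocation list
    return counts


def noisy_block_percentage(blocks, sources):
    """Share of the assigned blocks that produced at least one dropped probe."""
    counts = hits_per_block(blocks, sources)
    noisy = sum(1 for c in counts.values() if c > 0)
    return 100.0 * noisy / len(counts) if counts else 0.0


def deny_rules(blocks):
    """iptables commands that drop every assigned block (the blanket deny the post describes)."""
    return [f"iptables -A INPUT -s {b} -j DROP" for b in blocks]


if __name__ == "__main__":
    srcs = dropped_sources(FIREWALL_LOG)
    for block, n in hits_per_block(COUNTRY_BLOCKS, srcs).items():
        print(f"{block:18} hostile sources: {n}")
    print(f"{noisy_block_percentage(COUNTRY_BLOCKS, srcs):.1f}% of assigned blocks sent probes")
    print("\n".join(deny_rules(COUNTRY_BLOCKS)))
```

The per-block counts are worth keeping alongside the headline percentage: a block with zero hits over the same 18-month window is the one to re-check before a blanket deny, since that is where a legitimate correspondent is most likely to turn up later.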
I wonder what % of rejects on email gateways originate from 'owned' Windows machines. I'd say easily 60%. I can do a 'tail -f' on our mail gateway at any time of the day and watch all of the rejected connections that are obviously from home computers on an ISP's network. I'd say all of them are bots.
PS: That would be a 'tail -f' on the maillog file on the email gateway. :p (it's getting late)
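An added example (not the poster's script) that turns the 'tail -f' watch into a count: it parses each smtpd reject line for the client hostname and address and flags the ones that look like home machines on an ISP pool. The maillog excerpt is constructed in Postfix's reject format, and the "residential" heuristic (no PTR record, ISP pool tokens such as dsl/cable/dyn/pool in the rDNS name, or the client's own octets embedded in the name) is an assumption for illustration, not a standard.

```python
import re
import sys
from collections import Counter

# Constructed maillog excerpt in Postfix smtpd's reject format (not a real gateway's log)
MAILLOG = """\
Jan 10 04:01:22 mx postfix/smtpd[4102]: NOQUEUE: reject: RCPT from 203-0-113-45.dsl.example-isp.net[203.0.113.45]: 554 5.7.1 Service unavailable; Client host [203.0.113.45] blocked using dnsbl.example.net; from=<x@example.org> to=<user@example.com> proto=ESMTP helo=<localhost>
Jan 10 04:02:05 mx postfix/smtpd[4103]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.23]; from=<y@example.org> to=<user@example.com> proto=SMTP helo=<user-pc>
Jan 10 04:03:41 mx postfix/smtpd[4102]: NOQUEUE: reject: RCPT from cust-pool-192-0-2-88.example-cable.net[192.0.2.88]: 554 5.7.1 Service unavailable; from=<z@example.org> to=<user@example.com> proto=ESMTP helo=<example.com>
Jan 10 04:04:10 mx postfix/smtpd[4104]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.200]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown; from=<a@example.org> to=<nobody@example.com> proto=ESMTP helo=<mail.example.org>
Jan 10 04:05:00 mx postfix/smtpd[4104]: connect from mx1.example.net[192.0.2.201]
"""

# Postfix smtpd reject record: "... NOQUEUE: reject: RCPT from HOST[IP]: ..."
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9.]+)\]:"
)

# Heuristic (assumption): tokens ISPs commonly put in rDNS names for dynamic/residential pools
RESIDENTIAL_TOKENS = re.compile(
    r"(?:^|[.-])(?:dsl|adsl|cable|dyn|dynamic|pool|ppp|dhcp|dial|cust|hsd\d*)(?:[.-]|$)",
    re.IGNORECASE,
)


def parse_reject(line):
    """Return (client_hostname, client_ip) for a reject line, or None for anything else."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    return m.group("host"), m.group("ip")


def looks_residential(host, ip):
    """True when the client's rDNS name suggests a home machine on an ISP pool."""
    if host == "unknown":
        return True  # Postfix logs 'unknown' when there is no usable PTR record
    if RESIDENTIAL_TOKENS.search(host):
        return True
    # Names like 203-0-113-45.x or 45.113.0.203.x embed the client's own octets
    parts = re.split(r"[.-]", host)
    if all(octet in parts for octet in ip.split(".")):
        return True
    return False


def classify_stream(lines):
    """Yield (ip, host, residential) for each reject line; works on a live tail too."""
    for line in lines:
        parsed = parse_reject(line)
        if parsed:
            host, ip = parsed
            yield ip, host, looks_residential(host, ip)


def reject_stats(lines):
    """(total rejects, residential-looking rejects, percentage) over an iterable of lines."""
    counts = Counter()
    for _ip, _host, residential in classify_stream(lines):
        counts["total"] += 1
        if residential:
            counts["residential"] += 1
    total, res = counts["total"], counts["residential"]
    return total, res, (100.0 * res / total if total else 0.0)


if __name__ == "__main__":
    # Pipe `tail -f /var/log/maillog` in to watch live; with no pipe, run on the sample above
    source = sys.stdin if not sys.stdin.isatty() else MAILLOG.splitlines()
    for ip, host, residential in classify_stream(source):
        print(f"{'RESIDENTIAL' if residential else 'other      '} {ip:15} {host}")
```

The fourth sample line is the control case: a rejected delivery from a properly named mail host (a user-unknown bounce) counts as a reject but not as a bot, which is the distinction the eyeball estimate in the post glosses over.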