
Re: spam pattern



On Sat, 18 Dec 2004 14:27:51 -0600 (CST), C. Bensend
<benny_(_at_)_bennyvision_(_dot_)_com> wrote:
> > I've noticed that the spam that gets through my greylist and blacklist
> > always comes in "waves". And they're never from the same host. This
> > leads me to believe there is some sort of collaboration taking place
> > between the spammers. Unless there was some sort of relationship that
> > could be divined I don't know that the information would be useful, but
> > does anyone have any insights into exactly what is going on?
> 
> Many spammers use "zombie armies" of compromised machines (typically
> Winderz boxes sitting on cable modems or DSL) to send their spew.  Hence,
> you see a new spam run going out (which you've noticed), but they are
> sent via dozens/hundreds/thousands of different machines.

This is where a list of dynamic and dialup address blocks can come in
handy. I use the Pan-Am Dynamic List (http://www.pan-am.ca/pdl/),
loaded as a table.  This list does not change often.  There are very
few cases where a dynamically assigned cable or DSL address would send
mail directly to your server;  generally legitimate mail from ISP
customers is relayed through the ISP's mail server.

There are also DNSBL zones which track short-lived sources of spam and
work well when used through a DNS lookup to return a temporary failure
message.  One somewhat controversial DNSBL which fits these criteria
is the SCBL; see http://www.spamcop.net/bl.shtml.

Kevin
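
An added example, not part of the original message: a sketch of the two checks described above, a dynamic-block table match followed by a DNSBL lookup that maps a listing to a temporary failure. The zone name `bl.spamcop.net`, the sample address blocks, the 451 reply text and the injected `resolve` function are assumptions made for illustration; the DNS data is constructed so the code runs offline.

```python
import ipaddress

# Assumption: the message names the SCBL but not its DNS zone; bl.spamcop.net is used here.
DNSBL_ZONE = "bl.spamcop.net"
# Constructed stand-in for a dynamic/dialup list (documentation ranges, not PDL data).
DYNAMIC_BLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.128/25")]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer  # e.g. 7.113.0.203.in-addr.arpa
    return reverse.rsplit(".", 2)[0] + "." + zone


def is_listed(ip, resolve):
    """resolve(name) returns A-record strings, [] for NXDOMAIN, raises OSError on failure."""
    try:
        answers = resolve(dnsbl_query_name(ip))
    except OSError:
        return False  # lookup failed: fail open rather than defer all mail
    # Only 127.0.0.0/8 answers mean "listed"; a wildcarded or hijacked zone
    # returning some public address must not be read as a listing.
    return any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)


def smtp_decision(ip, resolve):
    """Return 'dynamic-block', a 451 reply line, or 'accept' for a connecting IP."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in DYNAMIC_BLOCKS):
        return "dynamic-block"  # what to do with a table match is local policy
    if is_listed(ip, resolve):
        return "451 4.7.1 Temporarily deferred, try again later"
    return "accept"


# Constructed zone data: 203.0.113.7 is "listed", everything else is NXDOMAIN.
FAKE_ZONE = {"7.113.0.203.bl.spamcop.net": ["127.0.0.2"]}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.55", "203.0.113.8"):
        print(ip, "->", smtp_decision(ip, fake_resolve))
```

Because a listing produces a 4xx reply, a legitimate sender that was listed briefly retries and gets through once the entry expires.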