Re: spam pattern
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: spam pattern
- From: Kevin <kkadow_(_at_)_gmail_(_dot_)_com>
- Date: Sun, 19 Dec 2004 14:59:47 -0600
- Reply-to: Kevin <kkadow_(_at_)_gmail_(_dot_)_com>
On Sat, 18 Dec 2004 14:27:51 -0600 (CST), C. Bensend
> > I've noticed that the spam that gets through my greylist and blacklist
> > always comes in "waves". And they're never from the same host. This
> > leads me to believe there is some sort of collaboration taking place
> > between the spammers. Unless there was some sort of relationship that
> > could be divined I don't know that the information would be useful, but
> > does anyone have any insights into exactly what is going on?
> Many spammers use "zombie armies" of compromised machines (typically
> Winderz boxes sitting on cable modems or DSL) to send their spew. Hence,
> you see a new spam run going out (which you've noticed), but they are
> sent via dozens/hundreds/thousands of different machines.
This is where a list of dynamic and dialup address blocks can come in
handy; I use the Pan-Am Dynamic List (http://www.pan-am.ca/pdl/),
loaded as a table. This list does not change often. There are very
few cases where a dynamically assigned cable or DSL address would send
mail directly to your server; generally legitimate mail from ISP
customers is relayed through the ISP's mail server.
There are also DNSBL zones which track short-lived sources of spam and
work well when used through a DNS lookup to return a temporary failure
message. One somewhat controversial DNSBL which fits these criteria
is the SCBL; see http://www.spamcop.net/bl.shtml.
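
The DNSBL check described in this message, as an added example that is not part of the original post: it builds the reversed-address query name, treats only 127.0.0.0/8 answers as a listing, and answers a listed client with a temporary failure. The zone name `bl.spamcop.net`, the fail-open choice on lookup errors, all function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket

# Assumption: bl.spamcop.net as the SCBL query zone; the post only links the SCBL page.
SCBL_ZONE = "bl.spamcop.net"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here

def dnsbl_query_name(client_ip, zone=SCBL_ZONE):
    """Reverse the address labels and append the zone (192.0.2.2 -> 2.2.0.192.<zone>)."""
    ip = ipaddress.ip_address(client_ip)
    # reverse_pointer is "2.2.0.192.in-addr.arpa" (or nibbles + "ip6.arpa" for IPv6)
    return ip.reverse_pointer.rsplit(".", 2)[0] + "." + zone

def system_resolver(name):
    """A records for name; [] when the name does not exist; OSError on other failures."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []  # NXDOMAIN / no data: address is not listed
        raise
    return [info[4][0] for info in infos]

def smtp_decision(client_ip, resolver=system_resolver, zone=SCBL_ZONE):
    """Return (code, text): 451 temporary failure if listed, otherwise 250."""
    try:
        answers = resolver(dnsbl_query_name(client_ip, zone))
    except OSError:
        # Assumption: fail open, so a DNSBL outage does not defer all inbound mail.
        return 250, "ok (DNSBL lookup failed)"
    # Accept only 127.0.0.0/8 answers as a listing; a wildcarded or hijacked
    # zone returning some other address must not defer mail.
    if any(ipaddress.ip_address(a) in LISTED_NET for a in answers):
        return 451, f"{client_ip} listed in {zone}, try again later"
    return 250, "ok"

# Constructed sample data (documentation addresses), standing in for real DNS.
SAMPLE_ZONE_DATA = {"2.2.0.192.bl.spamcop.net": ["127.0.0.2"],
                    "9.113.0.203.bl.spamcop.net": ["203.0.113.80"]}

def sample_resolver(name):
    return SAMPLE_ZONE_DATA.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.2", "198.51.100.7", "203.0.113.9"):
        print(ip, smtp_decision(ip, resolver=sample_resolver))
```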