[170344] in North American Network Operators' Group


Re: misunderstanding scale, SMTP edition

daemon@ATHENA.MIT.EDU (Lamar Owen)
Wed Mar 26 13:45:46 2014

Date: Wed, 26 Mar 2014 13:36:03 -0400
From: Lamar Owen <lowen@pari.edu>
To: nanog@nanog.org
In-Reply-To: <20140326170906.13315.qmail@joyce.lan>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 03/26/2014 01:09 PM, John Levine wrote:
> Quite right. If I were a spammer or an ESP who wanted to listwash, I 
> could easily use a different IP address for every single message I 
> sent. R's, John 
Week before last I saw this in great detail, with nearly 100,000 
messages sent to our users per day from probably the same spammer (lots 
of similarities, including an image payload with invisible anti-Bayesian 
text and a .in TLD) where no two messages came from the same IP.  It did 
all come from the same hosting provider, though, and at least for now 
that hoster's whole address space (all twenty blocks, varying between a 
/23 and a /17) is in my border router's deny ACL for incoming on port 
25.  At least for now; I did send an e-mail out to the abuse contact, 
waited 72 hours, then put the blocks in the incoming ACL.  This hoster 
was adding rwhois entries for each /32 allocated (yes, IPv4 /32) and 
they had different NIC handles.  I'll probably wait a month, then pull 
the ACL to see if it starts back up.  Oh, and each and every /32 that 
sent mail had fully proper DNS, including PTR etc.  SpamAssassin's score 
was well in the 'ham' category for all of those messages.

IP reputation lists are one weapon in the arsenal, but not nearly as 
effective as one would like.  There is no technical magic bullet that 
I've seen work over the long haul.

But that's not really on-topic for NANOG.
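The pattern Lamar describes (a large run where no two messages share a source /32, so per-IP reputation never accumulates, while every address belongs to one hoster's netblocks) is easy to miss if you only count per IP and easy to see if you also count per prefix. The following is an added example, not code from the post or from any NANOG participant: it parses constructed Postfix-style `connect from` lines, rolls the per-IP counts up to /24s, flags prefixes where many distinct hosts each connected about once, and emits a port-25 deny entry for each. The log lines, the netblocks (documentation ranges), the thresholds and the Cisco-style ACL syntax are all assumptions for illustration.

```python
"""Spot 'one message per IP' spam runs that per-IP reputation misses.

Added example, not from the NANOG thread. Aggregates SMTP connection
log lines by prefix instead of by /32, flags prefixes where many
distinct addresses each connect once, and emits port-25 deny entries.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in Postfix smtpd style (not real traffic).
# 203.0.113.0/24 plays the hoster: every connection from a different /32.
# 192.0.2.0/24 is a normal peer: one relay connecting repeatedly.
SAMPLE_LOG = [
    f"Mar 26 13:{i:02d}:00 mx postfix/smtpd[4242]: connect from "
    f"mta{i}.hoster.example[203.0.113.{i}]"
    for i in range(1, 41)
] + [
    f"Mar 26 13:{i:02d}:30 mx postfix/smtpd[4242]: connect from "
    f"relay.example.net[192.0.2.10]"
    for i in range(1, 41)
]

# Matches the "connect from name[ip]" fragment of a Postfix smtpd line.
CONNECT_RE = re.compile(r"connect from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]")


def parse_connects(lines):
    """Return a Counter of connections per source IP address."""
    per_ip = Counter()
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            per_ip[ipaddress.ip_address(m.group("ip"))] += 1
    return per_ip


def aggregate_by_prefix(per_ip, prefixlen=24):
    """Roll per-IP counts up into per-prefix totals and distinct-host counts."""
    stats = defaultdict(lambda: {"connections": 0, "distinct_ips": 0})
    for ip, n in per_ip.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        stats[net]["connections"] += n
        stats[net]["distinct_ips"] += 1
    return dict(stats)


def flag_snowshoe(stats, min_ips=20, max_avg_per_ip=1.5):
    """Prefixes where many distinct hosts each connected about once.

    A single busy relay (few IPs, many connections) is not flagged; a
    hoster handing out a fresh /32 per message is. Thresholds are assumed.
    """
    flagged = []
    for net, s in stats.items():
        avg = s["connections"] / s["distinct_ips"]
        if s["distinct_ips"] >= min_ips and avg <= max_avg_per_ip:
            flagged.append(net)
    return sorted(flagged)


def deny_acl_lines(networks, seq_start=10):
    """Cisco-style (assumed syntax) entries denying inbound TCP/25 from each net."""
    out = []
    for i, net in enumerate(networks):
        seq = seq_start + i * 10
        out.append(f"{seq} deny tcp {net.network_address} {net.hostmask} any eq 25")
    return out


def run(lines=SAMPLE_LOG):
    """Full pipeline: log lines in, ACL entries out."""
    stats = aggregate_by_prefix(parse_connects(lines))
    return deny_acl_lines(flag_snowshoe(stats))


if __name__ == "__main__":
    for entry in run():
        print(entry)
```

Run against real `postfix/smtpd` logs the /24 roll-up is only a first cut; the post's hoster spread its space across blocks between /23 and /17, so in practice you would aggregate at the allocation or origin-AS level as well, and you would still want the abuse-contact wait before the ACL goes in, as the post describes.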


