using that script I posted here yesterday, here are anvil results for 
10c/30min through about 9 AM Sat:

For the apparently legits above (e.g., citibank), each was able to send up to 
10 msgs before getting anvilled.  In the case of citibank, here is its 
anvil record:

Feb  7 05:36:22 im1 postfix/smtpd[88596]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp
Feb  7 05:36:29 im1 postfix/smtpd[88592]: warning: Too frequent connections: 12 from 192.193.226.97 for service smtp
Feb  7 06:06:19 im1 postfix/smtpd[88745]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp
Feb  7 06:11:25 im1 postfix/smtpd[88667]: warning: Too frequent connections: 12 from 192.193.226.97 for service smtp
Feb  7 07:40:03 im1 postfix/smtpd[89193]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp
Feb  7 07:46:26 im1 postfix/smtpd[89232]: warning: Too frequent connections: 12 from 192.193.226.97 for service smtp
Feb  7 07:52:13 im1 postfix/smtpd[89222]: warning: Too frequent connections: 13 from 192.193.226.97 for service smtp
Feb  7 08:22:17 im1 postfix/smtpd[89810]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp

You can see the "10" value above, with anvil logging starting only at 11.

Noting the timestamps, you can see that citibank seems to have a 1 hour retry 
value (reasonable) which gets citigroup de-anvilled.  Finally, everything 
from citibank was delivered, on the order of 50 or so messages.

And note that citigroup's MTA gives up on IMGate after only 2 or 3 anvil 
421's, while other MTAs can run up 100s or 1000s of consecutive retries 
(bad behavior, deserves to be blocked).

The 10c/30 anvil settings seem to be working for an IMGate with these 9 AM 
(Saturday) stats:

Grand Totals
------------
messages

    5136   received
    4728   delivered
       0   forwarded
      26   deferred  (134  deferrals)
      72   bounced
   78219   rejected (93%)
    9441   reject warnings
       0   held
     468   discarded (0%)

   64172k  bytes received
   77238k  bytes delivered
    2422   senders
    1164   sending hosts/domains
    2343   recipients
     287   recipient hosts/domains

Obviously, a couple of items to "except from anvil", which is not the same 
as whitelisting.

A legit IP getting anvilled dynamically doesn't mean it was unable to 
deliver any messages at all, just that it can't deliver 10+ messages in 
under 30 minutes.  I expect that anvil will produce very few if any 
complaints about blocked mail.

Also note that, e.g., flowgo is blacklisted anyway, so even if it got past 
anvil using low rates, it still would be SMTP rejected.

The anvil report above shows IPs, esp. Class Cs without PTR, that should be 
blacklisted, if not already, for their connection behavior alone, 
independent of envelope info or content.  I.e., I expect anvil is a very good 
identifier of Spammers Behaving Badly.

Anvil blocking is dynamic, meaning temporary, because it's a real-time 
connection rate manager, not a permanent blacklist.  With connections = 10, 
that means an IP that gets anvilled will get a "421 reject" for back-off 
and retry.  If the retry is too short, it stays anvilled.  If its retry is 
longer (but I don't know how long), it will get de-anvilled and be able to 
send 10 msgs again, or an infinite number of msgs as long as it remains 
under 10 connects per 30 minutes.  Also note that a single connect (which 
is what anvil counts) could contain multiple RCPT TO:, so a list server that 
chunks recipients into, say, 20 recipients/connect would be able to send 10 
x 20 = 200 msgs and not get anvilled.

If somebody could come up with that script I asked for yesterday, you could 
run it on a week or two of your maillogs and identify your set of legit 
MTAs to be anvil-excepted.

Len
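
The retry-behaviour distinction made above (an MTA that stops after 2 or 3 anvil 421's and retries an hour later, versus one that runs up hundreds of consecutive retries) and the maillog-scanning script asked for at the end, as an added Python example that is not from the post or from IMGate. The sample log lines are constructed (the citigroup lines quoted above plus a made-up client in TEST-NET-3), the 300-second burst gap and 5-warning threshold are assumed tuning values, and the Postfix parameter name mentioned in the last docstring is the current one, not something the post states.

```python
import re
from collections import defaultdict
from datetime import datetime

# The anvil warning format quoted in the post (Postfix smtpd hitting the rate limit).
ANVIL_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
                      r"warning: Too frequent connections: (?P<n>\d+) from (?P<ip>\S+) for service smtp$")

# Constructed sample: the citigroup lines from the post plus a made-up client
# (203.0.113.9, TEST-NET-3) that retries every 10 seconds after each 421.
SAMPLE_LOG = [
    "Feb  7 05:36:22 im1 postfix/smtpd[88596]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp",
    "Feb  7 05:36:29 im1 postfix/smtpd[88592]: warning: Too frequent connections: 12 from 192.193.226.97 for service smtp",
    "Feb  7 06:06:19 im1 postfix/smtpd[88745]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp",
    "Feb  7 06:11:25 im1 postfix/smtpd[88667]: warning: Too frequent connections: 12 from 192.193.226.97 for service smtp",
    "Feb  7 05:36:30 im1 postfix/smtpd[88593]: connect from unknown[203.0.113.9]",  # ignored: not an anvil line
] + [f"Feb  7 05:40:{10 * i:02d} im1 postfix/smtpd[9000{i}]: warning: Too frequent connections: "
     f"{11 + i} from 203.0.113.9 for service smtp" for i in range(6)]

def parse_anvil_events(lines, year=2004):
    """Return {ip: sorted [(timestamp, connection_count)]} from maillog lines."""
    events = defaultdict(list)
    for line in lines:
        m = ANVIL_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, int(m["n"])))
    return {ip: sorted(evs) for ip, evs in events.items()}

def classify(events, burst_gap_s=300, max_polite_burst=5):
    """Group each IP's warnings into bursts (consecutive warnings < burst_gap_s apart).
    Small bursts = gives up after a few 421s and retries later; a long burst = keeps hammering."""
    report = {}
    for ip, evs in events.items():
        bursts, run = [], 1
        for (prev, _), (cur, _) in zip(evs, evs[1:]):
            if (cur - prev).total_seconds() < burst_gap_s:
                run += 1
            else:
                bursts.append(run)
                run = 1
        bursts.append(run)
        report[ip] = {"warnings": len(evs), "max_burst": max(bursts),
                      "peak_count": max(n for _, n in evs),
                      "polite": max(bursts) <= max_polite_burst}
    return report

def exception_candidates(lines):
    """Sorted IPs with polite retry behaviour, to review before adding them to the anvil
    exception list (smtpd_client_event_limit_exceptions in current Postfix; name assumed)."""
    return sorted(ip for ip, r in classify(parse_anvil_events(lines)).items() if r["polite"])
```

Run it over a week or two of maillog lines instead of SAMPLE_LOG; the "peak_count" value shows how far past the 10-connection limit each client pushed before backing off.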

