I'd be curious to see the logs for these. (I intend to check them against various address range lists to see if the originating IP addresses correlate with anything else I'm tracking.) If they're coming from botted hosts, then (as noted in the thread) using the XBL or similar may help. If they're coming from hijacked networks, then the DROP/EDROP lists may help. If they're coming from...well, without analyzing the data and looking for patterns, it's hard to say what will help. But I'm certainly willing to put in some time scripting and eyeballing even though the most likely outcome is nothing useful.
Mark is probably right about the addresses being forgeries, but once in a while attacks like these turn out to be using a smattering of real ones mixed in with the junk. That's why I suggested running the collation past Gmail people: they may be able to match it up with some other activity that isn't visible out here. (Or not.)

Question/speculation: in the SMTP world, we've found that using things like greet_pause (which causes the SMTP server to refrain from sending its greeting for a little bit, and thus lets us detect SMTP clients that start sending too soon) can be pretty effective. Does the timing of these attacks lend itself to a similar approach? (Yes, of course clients can and will eventually adapt...but years later, greet_pause still manages to fend off some of the attacks.)

---rsk
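
The early-talker check that greet_pause performs, sketched as an added example (not part of the original message and not sendmail's code). The banner, the 554 reply text and the hostnames are constructed, and a local socket pair stands in for a TCP connection.

```python
import select
import socket

BANNER = b"220 mx.example.test ESMTP\r\n"  # constructed greeting
REJECT = b"554 mx.example.test command sent before greeting\r\n"  # constructed text


def greet_with_pause(conn, pause=0.5):
    """Withhold the greeting for `pause` seconds and classify the client.

    Returns "early-talker" if the client sent bytes before the greeting,
    "disconnected" if it hung up during the pause, "ok" otherwise.
    """
    # A compliant SMTP client stays silent until it has read the 220 line,
    # so the socket becoming readable during the pause is the signal.
    readable, _, _ = select.select([conn], [], [], pause)
    if not readable:
        conn.sendall(BANNER)
        return "ok"
    # Peek so the bytes stay queued for logging or further inspection.
    if conn.recv(512, socket.MSG_PEEK) == b"":
        return "disconnected"
    try:
        conn.sendall(REJECT)
    except OSError:
        pass  # client already gone; the verdict is unchanged
    return "early-talker"


def simulate(client_sends_first, pause=0.2):
    """Run one constructed session; return (verdict, reply code seen by client)."""
    server, client = socket.socketpair()
    try:
        if client_sends_first:
            client.sendall(b"EHLO bot.example.test\r\n")  # constructed client
        verdict = greet_with_pause(server, pause)
        return verdict, client.recv(512)[:3].decode()
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    print(simulate(client_sends_first=True))
    print(simulate(client_sends_first=False))
```
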