Anyone else seeing a lot of e-mail coming from different IPs, with senders with yahoo addresses? [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], etc.
This has been going on for many weeks. Rejecting "helo localhost" gets it efficiently. It comes from a very large array of spam bots each of which sends only five or fewer messages. If you count them you get something like this (this was Saturday at columbia.edu): 1836 <[EMAIL PROTECTED]> 1824 <[EMAIL PROTECTED]> 1772 <[EMAIL PROTECTED]> 1702 <[EMAIL PROTECTED]> 1682 <[EMAIL PROTECTED]> 1675 <[EMAIL PROTECTED]> 1669 <[EMAIL PROTECTED]> 1669 <[EMAIL PROTECTED]> 1597 <[EMAIL PROTECTED]> 1379 <[EMAIL PROTECTED]> 646 <[EMAIL PROTECTED]> 627 <[EMAIL PROTECTED]> 587 <[EMAIL PROTECTED]> 585 <[EMAIL PROTECTED]> 579 <[EMAIL PROTECTED]> 572 <[EMAIL PROTECTED]> 571 <[EMAIL PROTECTED]> 541 <[EMAIL PROTECTED]> 515 <[EMAIL PROTECTED]> 479 <[EMAIL PROTECTED]> rogert for example sent to 1836 valid and 2177 invalid addresses. Counting by the first three octets, it came from 1680 different IP ranges. I didn't try to get how many different hosts. rogert had various prescription drugs for sale with many different subject lines. Eyeballing logs, I don't see more than 2 in a row that are the same subject. gilbert sent to 579 valid and and 611 invalid. Look how similar the ratio is, indicating about the same quality of data. gilbert was selling the same stuff. When it gets relayed in and we don't see the bad helo, it scores high in Spamassassin. Joseph Brennan Columbia University Information Technology _______________________________________________ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list [email protected] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
