Hi folks, I'm seeing a new pattern of behaviour from spammers over the last few months, which shows signs of growing. Briefly:
- Mail originates from a correctly-configured mailserver, typically called ssl.somedomain.com, so spamd doesn't catch it.
- The domain is entirely sacrificial, and may only exist for a few days before being blocked by the registrar (or blacklisted by me).
- Mailserver IP addresses tend to be in blocks (I'm logging them in order to anticipate and block new senders).
- Spam content is commercial, and identical spams turn up from various of these domains.

This is *almost* the only type of spam I'm seeing these days, which says a lot for the (continued) power of greylisting.

Anyone else seeing this? Would it make sense for me to publish the IP addresses I've harvested so far? (I'm currently blocking these via accessdb; it would make far more sense for me to tarpit them...)

Steve
--
http://www.fivetrees.com