On Mon, Sep 7, 2009 at 1:53 PM, Steve Fairhead<st...@fivetrees.com> wrote: > Hi folks, > > I'm seeing a new pattern of behaviour from spammers over the last few > months, which shows signs of growing. Briefly: > > - Mail originates from a correctly-configured mailserver, typically called > ssl.somedomain.com, so spamd doesn't catch it. > - The domain is entirely sacrificial, and may only exist for a few days > before being blocked by the registrar (or blacklisted by me). > - Mailserver IP addresses tend to be in blocks (I'm logging them in order > to anticipate and block new senders). > - Spam content is commercial, and identical spams turn up from various of > these domains. > > This is *almost* the only type of spam I'm seeing these days, which says a > lot for the (continued) power of greylisting. > > Anyone else seeing this? Would it make sense for me to publish the IP > addresses I've harvested so far? > > (I'm currently blocking these via accessdb; it would make far more sense for > me to tarpit them...)
Add them to your own black-list. I was seeing a lot of the ssl.*.com spam sources some six months ago and prior. This has fizzled down so far as I can tell. Last net-block I black-listed was dnspointkey.net (Sep. 3rd). --patrick