Elijah Savage:
> I am seeing thousands of spam messages beginning on Thursday of last week
> from the same subnet. I know it is not best practice to fight spam by
> outright blocking ip addresses but I am seeing this across multiple domains
> in different parts of the country. The easy and immediate thought was just
> block the subnet but I do not like utilizing that practice. I think I know
> the answer but will ask anyway, do you all think there is a high probability
> to get false positives from those with incorrect DNS setups in using
Sometimes I can block multiple spam campaigns with a single check_sender_ns_access or check_sender_mx_access rule. These work against spammers who change sender address domains and client IP addresses, but who reuse DNS or other infrastructure.

Running this shell command may reveal common elements:

    while read domain
    do
        for type in ns mx a; do dig +noall +answer -t $type $domain; done
    done < file-with-domain-names

As input, use a list of sender domain names or helo domain names (including parent domains).

	Wietse
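The loop above dumps the records; the script below (an added example, not Wietse's code or part of Postfix) goes one step further and aggregates "dig +noall +answer" output so that NS/MX hosts shared by several sender domains stand out, then emits them as an access(5) table fragment for check_sender_ns_access / check_sender_mx_access. The dig output is constructed inline; the hostnames and addresses are placeholders in reserved example ranges, not real observations.

```shell
#!/bin/sh
# Added example (not from the original message): aggregate the output of
# "dig +noall +answer" so that DNS infrastructure shared by many sender
# domains stands out, then turn it into a Postfix access-table fragment
# for check_sender_ns_access / check_sender_mx_access.

# summarize_shared: reads dig answer lines on stdin and prints
# "<count> <type> <target>" for each NS/MX/A target used by more than
# one query name, most shared first.
summarize_shared() {
    awk '$4 == "NS" || $4 == "MX" || $4 == "A" {
            # dig +noall +answer fields: name TTL class type [pref] target
            target = ($4 == "MX") ? $6 : $5
            sub(/\.$/, "", $1); sub(/\.$/, "", target)
            key = $4 " " target
            if (!seen[key, $1]++) count[key]++
        }
        END { for (k in count) if (count[k] > 1) print count[k], k }' |
    sort -rn
}

# access_fragment: shared NS and MX hostnames as access(5) table lines.
# One line covers every sender domain that uses that host, so the
# client IP range itself does not have to be blocked.
access_fragment() {
    summarize_shared |
    awk '$2 == "NS" || $2 == "MX" { print $3 "\tREJECT shared spam DNS/MX infrastructure" }'
}

# Constructed sample dig output (placeholder names, documentation IPs).
SAMPLE='spam-one.example. 3600 IN NS ns1.bulkhost.example.
spam-one.example. 3600 IN NS ns2.bulkhost.example.
spam-one.example. 3600 IN MX 10 mail.bulkhost.example.
spam-one.example. 3600 IN A 192.0.2.10
spam-two.example. 3600 IN NS ns1.bulkhost.example.
spam-two.example. 3600 IN NS ns2.bulkhost.example.
spam-two.example. 3600 IN MX 10 mail.bulkhost.example.
spam-two.example. 3600 IN A 192.0.2.11
other.example. 3600 IN NS ns1.legit.example.
other.example. 3600 IN MX 10 mx.legit.example.'

# With real data, replace the printf with the dig loop from the message.
printf '%s\n' "$SAMPLE" | summarize_shared
printf '%s\n' "$SAMPLE" | access_fragment
```

The unrelated domain (other.example) shares nothing and therefore never appears in the fragment; review the remaining lines before adding them to an access map.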