[SLL] Observations of spammer behavior

2010-01-31 Thread Paul Franz
 and a reverse DNS lookup, 60 requests at time took nearly 6 minutes of clock time.

The most effective RBLs are spamhaus, uceprotect and sorbs.

Spammers did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA often prior to sending spam which is subsequently blocked on my system.

Most of the IPs that did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA are listed in one or more RBLs already.

Adding all of the IPs that did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA to my local blacklist is a valid strategy. Even those IPs that are not listed in any of the 6 RBLs I use above.

In the above report, when there is no name corresponding to the IP, there is no valid reverse lookup. That too, is a valid condition for blocking mail. That one does however occasionally produce false positives. I monitor that and whitelist addresses (not IPs). There are so few this remains a manual administrative task.

At this point I do not know why spammers often do not issue MAIL/EXPN/VRFY/ETRN during connection to MTA prior to actual spamming attempts. I see this a lot from 41.nnn.nnn.nnn IPs - the source of mostly Nigerian 419s.

As a final comment, I am able to block many TLDs since neither myself nor any of my users expect email from them. This allows me to build a very lengthy list of spammers to block that can be used by others with large mail systems that don't have the option to block TLDs. I block most countries except .us, .ca, .uk and a few others. Normally a mail system cannot do that. So a record of those blocks is certainly mostly spammers - useful to others.

-- 
Paul Franz
425.440.9505 (O)
425.241.1618 (C)

One of the lessons of history is that nothing is often a good thing to do and 
always a
clever thing to say.
-- Will Durant
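The two blocking conditions described in the post above (a client that never issues MAIL/EXPN/VRFY/ETRN during its connection, and a client IP with no valid reverse lookup), as an added example that is not part of the original thread. It is a small Python script that parses a constructed per-command SMTP log, applies both conditions, and separates IPs an RBL already lists from those that would only be caught by the local blacklist. The log format, the sample sessions and the `RBL_LISTED` set are all assumptions constructed for the example so that it runs offline; a real deployment would take the verbs from the MTA's own log and the RBL answers from DNS queries.

```python
import re

# Verbs whose absence during a connection is the pattern described in the post
# (a client that never issues MAIL/EXPN/VRFY/ETRN before trying to deliver).
ENVELOPE_VERBS = {"MAIL", "EXPN", "VRFY", "ETRN"}

# Assumed log format (constructed for this example):
#   "<client-ip> <rdns-name or -> <SMTP verb>", one line per command observed,
# where "-" means the reverse lookup returned no name.
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<rdns>\S+)\s+(?P<verb>[A-Z]+)$"
)

# Constructed sample sessions using documentation address ranges; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 mail.example.net CONNECT
198.51.100.7 mail.example.net EHLO
198.51.100.7 mail.example.net MAIL
198.51.100.7 mail.example.net RCPT
198.51.100.7 mail.example.net DATA
198.51.100.7 mail.example.net QUIT
203.0.113.9 - CONNECT
203.0.113.9 - HELO
203.0.113.9 - QUIT
192.0.2.44 host44.example.org CONNECT
192.0.2.44 host44.example.org HELO
192.0.2.44 host44.example.org RCPT
203.0.113.10 - CONNECT
203.0.113.10 - VRFY
203.0.113.10 - MAIL
203.0.113.10 - QUIT
"""

# Constructed stand-in for RBL answers so the example runs offline; a real check
# would query the lists' DNS zones for each IP instead.
RBL_LISTED = {"203.0.113.9"}


def parse_sessions(log_text):
    """Return {ip: {"rdns": name-or-None, "verbs": set-of-verbs}} from the log."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a command record
        ip, rdns, verb = m.group("ip"), m.group("rdns"), m.group("verb")
        entry = sessions.setdefault(
            ip, {"rdns": None if rdns == "-" else rdns, "verbs": set()}
        )
        entry["verbs"].add(verb)
    return sessions


def classify(sessions, rbl_listed):
    """Apply the post's two conditions; note whether an RBL already lists the IP."""
    findings = {}
    for ip, s in sessions.items():
        reasons = []
        if not s["verbs"] & ENVELOPE_VERBS:
            reasons.append("no MAIL/EXPN/VRFY/ETRN during connection")
        if s["rdns"] is None:
            reasons.append("no valid reverse lookup")
        if reasons:
            findings[ip] = {"reasons": reasons, "in_rbl": ip in rbl_listed}
    return findings


def local_blacklist_candidates(findings):
    """IPs the post would add locally: flagged but not yet listed by any RBL."""
    return sorted(ip for ip, f in findings.items() if not f["in_rbl"])


def report(findings):
    """One human-readable line per flagged IP, sorted for stable output."""
    lines = []
    for ip in sorted(findings):
        f = findings[ip]
        tag = "already in RBL" if f["in_rbl"] else "not in any RBL"
        lines.append(f"{ip:<15} {tag:<15} {'; '.join(f['reasons'])}")
    return lines


if __name__ == "__main__":
    found = classify(parse_sessions(SAMPLE_LOG), RBL_LISTED)
    print("\n".join(report(found)))
    print("local blacklist additions:", local_blacklist_candidates(found))
```

The missing-reverse-DNS condition is kept separate from the missing-envelope-verb condition in `reasons` so that an operator can review the rDNS-only hits by hand, which is where the post says the occasional false positives come from.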


[SLL] Just wondering

2016-01-09 Thread Paul Franz
I haven't seen a post on this list for over a year. Is it still going?

Paul A. Franz