On 09/03/03 at 17:34 -0400, Chuck Martin opined:
> I have read messages from several of you who say you check out all
> spam you receive, find the source, and blacklist it locally.
I generally only add hosts to my local blacklist if they're not already in
one or more of the RBLs I use. And even then, I rarely blacklist single IP
addresses -- I prefer to list the entire enclosing block if I don't think
I'll be getting legit mail from it. That keeps my blacklist from growing
unreasonably huge and keeps other exploitable hosts in the block from
spewing at me.
> I decided to try this myself today, but think I must have a huge
> knowledge gap. I just looked at my last 12, and found each one was
> from a unique IP.
Welcome to the wonderful and exciting world of spam fighting...
> Maybe this is not enough messages to search, but so far it doesn't look
> like too promising a technique. As I am told the only Received: header
> I can trust is the last (top) one, that is where I got the IP.
And more importantly for this purpose, that's the host that directly
relayed the message to your server. You only need to blacklist hosts that
are actually talking to your server.
> Maybe I need to get them from the SIMS log instead.
Naw. The received headers from the messages will do fine.
> Is that why I got the results I got, or is there some other problem
> causing me not to see a pattern?
You expect a pattern? Spam gets relayed from all over the 'net, shotgun
style. Patterns are very broad and, as you say, it takes more than 12 data
points to see them. Over time, you will probably see some general patterns:
There are a lot of open proxies and otherwise exploitable hosts in East
Asia (China, Korea, Hong Kong, Singapore, Taiwan, etc.), Eastern Europe,
the Middle East, etc., so you'll notice quite a lot of relays in those
parts of the world. Also, the major ISPs, especially cable modem and DSL
providers (Road-freakin-Runner, ComCast, etc.), are riddled with insecure
end-user boxes that are prone to exploitation. (Can you say 'Windoze
sucks'? I knew you could... ;-] )
--
Christopher Bort | [EMAIL PROTECTED]
Webmaster, Global Homes | [EMAIL PROTECTED]
<http://www.globalhomes.com/>
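The workflow the reply describes, as an added example that is not part of the thread: take the IP from the topmost Received: header (the one your own server wrote, naming the host that actually connected to it), then check it against a local blacklist kept as enclosing CIDR blocks rather than single addresses. The sample message and the blacklist entries are constructed for illustration.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample message (not from the thread). The top Received: header was
# written by our own MX and names the host that really connected; the lower one
# came from the sender's side and could be forged, so we never use it.
SAMPLE = """Received: from mail.example.net (mail.example.net [192.0.2.77])
\tby mx.example.org with ESMTP id abc123; Wed, 3 Sep 2003 17:40:01 -0400
Received: from forged.example (forged.example [203.0.113.5])
\tby mail.example.net; Wed, 3 Sep 2003 17:39:55 -0400
From: someone@example.net
Subject: test

body
"""

# Hypothetical local blacklist of enclosing blocks, as the reply recommends.
LOCAL_BLACKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Matches the bracketed literal address the receiving MTA records, e.g. "[192.0.2.77]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw):
    """Return the dotted IP from the topmost Received: header, or None."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IP_RE.search(received[0])   # [0] is the topmost header, written by us
    return match.group(1) if match else None


def matching_block(ip, blocks=LOCAL_BLACKLIST):
    """Return the blacklisted CIDR block containing ip (as a string), or None."""
    addr = ipaddress.ip_address(ip)
    for block in blocks:
        if addr in block:
            return str(block)
    return None


if __name__ == "__main__":
    ip = connecting_ip(SAMPLE)
    print(ip, "->", matching_block(ip) or "not listed")
```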