At 5:34 PM -0400 9/3/03, Chuck Martin imposed structure on a stream of electrons, yielding:
> I have read messages from several of you who say you check out all spam
> you receive, find the source, and blacklist it locally. I decided to
> try this myself today, but think I must have a huge knowledge gap. I
> just looked at my last 12, and found each one was from a unique IP.
> Maybe this is not enough messages to search, but so far it doesn't look
> like too promising a technique. As I am told the only Received: header
> I can trust is the last (top) one, that is where I got the IP. Maybe I
> need to get them from the SIMS log instead. Is that why I got the
> results I got, or is there some other problem causing me not to see a
> pattern?

A dozen trees can't really give you an idea of the shape of a forest.


The huge number of spam sources (mostly unsecured proxies of various sorts) is why so many people use DNS-based blacklists, which SIMS refers to as 'RBLs' (after the first DNSBL, the MAPS Realtime Blackhole List). The most useful of these that I use today are my own locally maintained list (because the list got too big for SIMS) and the CBL, which is aimed at open proxies and cracked machines sending spam. My own list (available at http://www.scconsult.com/blacklist.shtml) is largely made up of networks, not individual addresses. For example, the Verizon/Genuity/Level3 mess in 4.0.0.0/8 is on there because none of the entities who might be the legal successors to BBN are willing to accept that responsibility. 12.0.0.0/8 is the same way because AT&T has mostly left that network to a mix of Comcast incompetence and salesman self-service for spammers. Most cable networks are on the list because the cable modems almost universally should never be sending mail directly and are in front of poorly secured Windows machines and/or proxies run by teenagers. I list big chunks of non-US address space because despite the large amounts of legit mail on those networks, nothing they ever send to me is anything but spam and the occasional Windows worm. I also have trap scripts on my website that blacklist and narrowly packet-filter any address seen to attempt various webserver cracks.


You might also note that my blacklist is prefaced with a pretty clear statement about its use. It is a list that works here for me and a handful of other users. It is not designed to work for any other environment. That will be true of any local blacklist. I add to my list based on what gets through a half-dozen external DNSBLs, and I knock out big chunks of net at once in most cases, yet I almost never catch any space that sends ME legit mail.



-- Bill Cole [EMAIL PROTECTED]
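As an added illustration (not code from Bill or Chuck), this pulls the connecting IP out of the topmost Received: header, the one your own MTA wrote and the only one you can trust, checks it against a small local netblock list of the kind Bill describes, and forms the reversed-octet name a DNSBL lookup would query. The sample message, the netblocks and the DNSBL zone name are all constructed for the example.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample message. The top Received: line is the one our own MTA
# added when the remote host connected; the lower one came with the message
# and could have been forged by the sender.
SAMPLE = """Received: from relay.example.net (relay.example.net [12.34.56.78])
\tby mail.example.com with SMTP; Wed, 3 Sep 2003 17:34:00 -0400
Received: from forged.example.org (forged.example.org [10.9.8.7])
\tby relay.example.net with SMTP; Wed, 3 Sep 2003 17:33:00 -0400
From: someone@example.org
Subject: hello

body
"""

# Constructed local blacklist: whole netblocks in CIDR form, not single hosts.
LOCAL_BLACKLIST = [ip_network(n) for n in ("12.0.0.0/8", "4.0.0.0/8")]

DNSBL_ZONE = "dnsbl.example"  # placeholder zone, not a real DNSBL

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(raw_message):
    """Return the client IP from the topmost Received: header, or None."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []   # header order is preserved, top first
    if not received:
        return None
    m = _BRACKET_IP.search(received[0])
    return ip_address(m.group(1)) if m else None

def locally_listed(ip):
    """True if ip falls inside any netblock on the local blacklist."""
    return any(ip in net for net in LOCAL_BLACKLIST)

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the reversed-octet name a DNSBL lookup would resolve (A record)."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def classify(raw_message):
    """Local list first (cheap), otherwise hand the IP to a DNSBL lookup."""
    ip = connecting_ip(raw_message)
    if ip is None:
        return "no-ip"
    return "local-blacklist" if locally_listed(ip) else "check-dnsbl"
```

Only the first Received: header is consulted; anything below it was written by machines outside your control, which is why a lower hop's IP (here 10.9.8.7) never reaches the blacklist check.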

