Thanks, Bill. I think I'll leave it to others, and rely on CBL and the like.
On Thursday, September 4, 2003, at 09:08 AM, Bill Cole wrote:

> At 5:34 PM -0400 9/3/03, Chuck Martin imposed structure on a stream
> of electrons, yielding:
>> I have read messages from several of you who say you check out all spam
>> you receive, find the source, and blacklist it locally. I decided to
>> try this myself today, but think I must have a huge knowledge gap. I
>> just looked at my last 12, and found each one was from a unique IP.
>> Maybe this is not enough messages to search, but so far it doesn't look
>> like too promising a technique. As I am told the only Received: header
>> I can trust is the last (top) one, that is where I got the IP. Maybe I
>> need to get them from the SIMS log instead. Is that why I got the
>> results I got, or is there some other problem causing me not to see a
>> pattern?
>
> A dozen trees can't really give you an idea of the shape of a forest.
>
> The huge number of spam sources (mostly unsecured proxies of various
> sorts) is why so many people use DNS-based blacklists, which SIMS
> refers to as 'RBLs' (after the first DNSBL, the MAPS Realtime
> Blackhole List.) The most useful of these that I use today are my
> own locally maintained list (because the list got too big for SIMS)
> and the CBL, which is aimed at open proxies and cracked machines
> sending spam. My own list (available at
> http://www.scconsult.com/blacklist.shtml) is largely made up of
> networks, not individual addresses. For example, the
> Verizon/Genuity/Level3 mess in 4.0.0.0/8 is on there because none of
> the entities who might be the legal successors to BBN are willing to
> accept that responsibility. 12.0.0.0/8 is the same way because AT&T
> has mostly left that network to a mix of Comcast incompetence and
> salesman self-service for spammers. Most cable networks are on the
> list because the cable modems almost universally should never be
> sending mail directly and are in front of poorly secured Windows
> machines and/or proxies run by teenagers. I list big chunks of non-US
> address space because despite the large amounts of legit mail on
> those networks, nothing they ever send to me is anything but spam and
> the occasional Windows worm. I also have trap scripts on my website
> that blacklist and narrowly packet-filter any address seen to attempt
> various webserver cracks.
>
> You might also note that my blacklist is prefaced with a pretty clear
> statement about its use. It is a list that works here for me and a
> handful of other users. It is not designed to work for any other
> environment. That will be true of any local blacklist. I add to my
> list based on what gets through a half-dozen external DNSBL's, and I
> knock out big chunks of net at once in most cases, yet I almost never
> catch any space that sends ME legit mail.
>
> --
> Bill Cole
> [EMAIL PROTECTED]
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <[EMAIL PROTECTED]>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to <[EMAIL PROTECTED]>

Chuck Martin
Avondale Software
123 N. McDonough St.
Decatur, GA 30030
Work 404-373-3116
FAX 801-881-1246
http://www.theOmbudsman.com
[EMAIL PROTECTED]
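
The thread describes taking the connecting IP from the topmost Received: header, checking it against a locally maintained list of networks, and relying on a DNSBL for the rest. An added sketch of that flow in Python (not code from the thread or from SIMS): the sample message and the zone `dnsbl.example` are constructed placeholders, and the two /8 networks are the ones named in Bill Cole's message.

```python
import ipaddress
import re
from email import message_from_string

# Local list of networks (not single addresses); these two /8s are named in the thread.
LOCAL_BLOCKLIST = [ipaddress.ip_network(n) for n in ("4.0.0.0/8", "12.0.0.0/8")]
DNSBL_ZONE = "dnsbl.example"  # placeholder (assumption): use the zone you actually query

# Bracketed IPv4 literal as recorded by the receiving MTA, e.g. "(unknown [12.34.56.78])"
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: only the top Received: line was written by our own server;
# the lower one is supplied by the sender and may be forged.
SAMPLE = (
    "Received: from mail.example.net (unknown [12.34.56.78])\n"
    "\tby mx.example.org with SMTP; Wed, 3 Sep 2003 17:00:00 -0400\n"
    "Received: from forged.example (forged [203.0.113.5])\n"
    "\tby relay.example.net; Wed, 3 Sep 2003 16:59:00 -0400\n"
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def connecting_ip(raw_message):
    """Return the peer address from the topmost Received: header, or None."""
    received = message_from_string(raw_message).get_all("Received") or []
    match = _BRACKETED_IP.search(received[0]) if received else None
    if match is None:
        return None
    try:
        return ipaddress.IPv4Address(match.group(1))
    except ipaddress.AddressValueError:
        return None  # bracketed text that is not a valid address, e.g. [999.1.1.1]


def local_match(ip):
    """Return the first local network containing ip, or None if unlisted."""
    return next((net for net in LOCAL_BLOCKLIST if ip in net), None)


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Name a resolver would look up: octets reversed, zone appended.
    A listed address answers with an A record; NXDOMAIN means not listed."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


if __name__ == "__main__":
    ip = connecting_ip(SAMPLE)
    print(ip, local_match(ip), dnsbl_query_name(ip))
```
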
