At 10:06 AM -0400 8/14/07, Bill Cole wrote:

> At 11:38 PM -0500 8/13/07, billc imposed structure on a stream of
> electrons, yielding:
>
>> At 9:17 PM -0500 8/13/07, Lewis Butler wrote:
>>
>>> On Aug 13, 2007, at 9:03 AM, Charles Mangin wrote:
>>>
>>>> Since I took over hosting, all of these dictionary-style spams
>>>> have been going nowhere, being rejected out of hand with "<<< 550
>>>> Unrouteable address". I know I can't do anything more than ignore
>>>> them and hope they will move on to some other target but...
>>>> sheesh. Six months? With nothing to show for it? You'd think
>>>> there'd be some sort of list purging in all that time.
>>>
>>> Well, you can do something about it: you can blacklist IP
>>> addresses that send too many bad messages, where "too many" is a
>>> number you choose.
>>
>> I wish that were true. Recently the dictionary attacks are coming
>> from completely unrelated IPs - you can sit there and watch the
>> logs roll by and know that it's a dictionary attack, but none of
>> the IPs match any other. It's obviously a botnet or an IP spoofing
>> scheme.
>
> OUCH! You've pushed one of my buttons there....
>
> In short: you can forget about IP spoofing as an explanation for
> anything based on TCP and involving a shotgun approach. Botnets of
> tens of thousands of cracked Windows machines are available for rent
> and provide a far more useful tool than spoofing for most such
> purposes.

Ok, sorry to push the button. I figured it was most likely a botnet,
but that a spoof was possible. Now I know more. Thanks as always
for the tutorial.

>> Blacklists likely won't help much there.
>
> Actually, they can. The Spamhaus Zen list (particularly the CBL and
> PBL components) does a pretty good job keeping up with compromised
> machines, and the Spamcop BL has become a far better tool for such
> machines than it used to be, Ironport having apparently decided to
> turn it into a serious operational tool rather than a way for
> anti-spam activists to annoy big dumb ISPs. (As a professional mail
> admin who is also an anti-spam activist, I have some mixed feelings
> about that...)

Good to know that the Zen RBL is tracking compromised boxes.

> I've also found that for small sites (anyone running SIMS today has
> to qualify) it is likely to be very helpful to handle your own local
> blacklist in a way that would be unsuitable for most public lists.
> For example, most small sites in the US could forbid all of 80-92.*,
> 210-211.*, and 122-125.* and never lose any legitimate mail.

Unless, as in our case, you happen to host a small but well connected
research/consulting group with regular correspondence with places
like China, Brazil, Eastern Europe, and other typical spam-source IP
blocks.
--
Bill Christensen
<http://greenbuilder.com/contact/>
Green Building Professionals Directory: <http://directory.greenbuilder.com>
Sustainable Building Calendar: <http://www.greenbuilder.com/calendar/>
Green Real Estate: <http://www.greenbuilder.com/realestate/>
Straw Bale Registry: <http://sbregistry.greenbuilder.com/>
Books/videos/software: <http://bookstore.greenbuilder.com/>
#############################################################
This message is sent to you because you are subscribed to
the mailing list <SIMS@mail.stalker.com>.
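An added example, not part of the thread or of SIMS: a per-source counter over constructed Exim-style reject lines, showing why Lewis Butler's "too many bad messages" rule catches a dictionary attack from one host but not one spread across a botnet at one attempt per IP, together with the /8 local block Bill Cole describes. The log format, hostnames and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed Exim-style reject lines (not from the thread). The
# "550 Unrouteable address" text is the rejection quoted in the message.
LOG = """\
2007-08-13 21:03:01 H=(x) [198.51.100.7] F=<a@ex.org> rejected RCPT <aaron@ex.net>: 550 Unrouteable address
2007-08-13 21:03:02 H=(x) [198.51.100.7] F=<a@ex.org> rejected RCPT <abby@ex.net>: 550 Unrouteable address
2007-08-13 21:03:03 H=(x) [198.51.100.7] F=<a@ex.org> rejected RCPT <adam@ex.net>: 550 Unrouteable address
2007-08-13 21:03:04 H=(x) [198.51.100.7] F=<a@ex.org> rejected RCPT <alan@ex.net>: 550 Unrouteable address
2007-08-13 21:05:10 H=(y) [203.0.113.5] F=<b@ex.org> rejected RCPT <bart@ex.net>: 550 Unrouteable address
2007-08-13 21:05:11 H=(y) [192.0.2.9] F=<b@ex.org> rejected RCPT <beth@ex.net>: 550 Unrouteable address
2007-08-13 21:05:12 H=(y) [91.0.0.5] F=<b@ex.org> rejected RCPT <bill@ex.net>: 550 Unrouteable address
2007-08-13 21:06:00 H=(z) [192.0.2.9] F=<c@ex.org> accepted
"""

# Sending IP in [brackets], followed later by the unrouteable-address rejection.
REJECT = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\] .*rejected RCPT .*550 Unrouteable address")

# The /8 blocks Bill Cole says a small US site could forbid outright.
LOCAL_BLOCKS = [ip_network(f"{first}.0.0.0/8")
                for first in list(range(80, 93)) + [210, 211] + list(range(122, 126))]


def count_rejections(log_text):
    """Count '550 Unrouteable address' rejections per sending IP."""
    return Counter(m.group(1) for line in log_text.splitlines()
                   if (m := REJECT.search(line)))


def over_threshold(counts, too_many):
    """IPs to blacklist: at least `too_many` bad RCPTs, the number you choose."""
    return {ip for ip, n in counts.items() if n >= too_many}


def in_local_blocklist(ip):
    """True if the IP falls inside one of the locally forbidden /8 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_BLOCKS)


if __name__ == "__main__":
    counts = count_rejections(LOG)
    print("rejections per IP:", dict(counts))
    # Only the single-host attacker crosses the threshold; the botnet IPs,
    # one attempt each, never do, which is the problem billc describes.
    print("blacklist at 3:", over_threshold(counts, 3))
    print("local /8 block hits:", [ip for ip in counts if in_local_blocklist(ip)])
```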