misunderstanding scale, SMTP edition

Lamar Owen lowen at pari.edu
Wed Mar 26 17:36:03 UTC 2014

On 03/26/2014 01:09 PM, John Levine wrote:
> Quite right. If I were a spammer or an ESP who wanted to listwash, I
> could easily use a different IP address for every single message I
> sent. R's, John
Week before last I saw this in great detail, with nearly 100,000
messages sent to our users per day from probably the same spammer (lots
of similarities, including an image payload with invisible anti-Bayesian
text and a .in TLD) where no two messages came from the same IP.  It did
all come from the same hosting provider, though, and at least for now
that hoster's whole address space (all twenty blocks, varying between a
/23 and a /17) is in my border router's deny ACL for incoming on port
25.  At least for now; I did send an e-mail out to the abuse contact,
waited 72 hours, then put the blocks in the incoming ACL.  This hoster
was adding rwhois entries for each /32 allocated (yes, IPv4 /32) and
they had different NIC handles.  I'll probably wait a month, then pull
the ACL to see if it starts back up.  Oh, and each and every /32 that
sent mail had fully proper DNS, including PTR etc.  SpamAssassin's score
was well in the 'ham' category for all of those messages.

IP reputation lists are one weapon in the arsenal, but not nearly as 
effective as one would like.  There is no technical magic bullet that 
I've seen work over the long haul.

But that's not really on-topic for NANOG.
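The pattern described in this post (every message from a fresh /32, all inside one hoster's allocations, with clean DNS and a 'ham' SpamAssassin score) is easier to spot per-prefix than per-IP. The following is an added example, not code from the thread: it groups MTA connection records by a configured list of hoster blocks and flags a block when nearly every message arrived from a previously unseen address. The block list and the log records are constructed placeholders.

```python
"""Flag 'one IP per message' campaigns across a hoster's address blocks.

Added example; not from the NANOG thread. Input is a constructed list of
(source_ip, message_id) pairs as a border MTA might log them. The blocks
are hypothetical documentation prefixes standing in for the hoster's
twenty real allocations.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical hoster allocations (constructed; not the real hoster's space).
HOSTER_BLOCKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


def find_block(ip, blocks):
    """Return the first configured block containing ip, or None."""
    for net in blocks:
        if ip in net:
            return net
    return None


def listwash_report(events, blocks=HOSTER_BLOCKS, min_messages=5, fresh_ratio=0.9):
    """Group senders by block; flag a block when distinct_ips / messages is
    at least fresh_ratio (i.e. almost every message used a new /32).

    events: iterable of (ip_string, message_id).
    Returns {block_as_str: (messages, distinct_ips, flagged)}.
    """
    msgs_per_block = defaultdict(int)
    ips_per_block = defaultdict(set)
    for ip_str, _msg_id in events:
        net = find_block(ip_address(ip_str), blocks)
        if net is None:  # not in any watched block; ignore
            continue
        msgs_per_block[net] += 1
        ips_per_block[net].add(ip_str)
    report = {}
    for net, count in msgs_per_block.items():
        distinct = len(ips_per_block[net])
        flagged = count >= min_messages and distinct / count >= fresh_ratio
        report[str(net)] = (count, distinct, flagged)
    return report


# Constructed sample: six messages from 203.0.113.0/24, each from a new /32
# (the campaign pattern), and six from one relay in 198.51.100.0/24 (normal).
SAMPLE_EVENTS = [(f"203.0.113.{i}", f"m{i}") for i in range(10, 16)] + \
                [("198.51.100.25", f"r{i}") for i in range(6)]

if __name__ == "__main__":
    for net, (msgs, ips, flag) in listwash_report(SAMPLE_EVENTS).items():
        print(f"{net}: {msgs} msgs from {ips} distinct IPs -> {'FLAG' if flag else 'ok'}")
```

A flagged block is a candidate for the kind of temporary per-prefix ACL the post describes, rather than for yet another /32 reputation entry.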

