
Re: [Asrg] Sender ID again, was Anti-spam laws do work



On Wed, Jul 28, 2004 at 05:33:25PM -0400, Barry Shein wrote

> I am not so sure about determined criminals willing to use infected
> zombie PCs by the millions, however.

  It's actually quite simple.  For my own personal domain, I have very
good results by blocking...

1) Anybody HELO'ing as my ISP's receiving MX (duhhhh)

2) IP addresses with no/none/nada/zip/zilch rDNS

3) IP addresses with rDNS matching regexp...

\.dial
dhcp
[0-9]+-[0-9]+-[0-9]+

4) IP addresses with rDNS ending in...

ipt.aol.com
proxy.aol.com
cpe.net.cable.rogers.com

5) Plus a few DNSbls that catch some odds-n-ends


  See http://www.waltdnes.org/spam/zombielists/2004/07/ for a list of
zombie-blasts so far this month.

  Below is a summary of blocked attempts by ruleset.  They are listed in
order of precedence in my blocking rules.  For instance, there were 136
attempts from CIDR 24.0.0.0/8 blocked.  However, the first few rules got
130 of them before getting to the rule that specifically blocks that
CIDR.  Similarly 200.0.0.0/8 and 201.0.0.0/8 combined for 54 attempts.
All but 3 of them were caught by earlier rules before the 200.0.0.0/7
rule was hit.

Total = 1289
============
Forged HELO as receiving MTA = 68
No hostname = 459
Dynamic IP by rDNS regex = 369
Provider by rDNS = 79
Country by rDNS = 79
Country by envelope-sender = 21
24.0.0.0/8 CIDR = 6
200.0.0.0/7 CIDR = 3
4.0.0.0/8 CIDR = 1
countries.nerd.dk = 79
Various lists of dnsbl.sorbs.net = 28
list.dsbl.org = 4
Spamhaus lists = 7
Commonly forged from not verified = 4

-- 
Walter Dnes <waltdnes at waltdnes.org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
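The rule chain described in the message above, expressed as runnable code. This is an added example, not code from the post or from the list; the receiving-MX name, the accepted/rejected decision names and the sample connection records are constructed for illustration, and the rDNS lookup itself is assumed to have been done already (the function takes the resolved name as input). Rules are evaluated in the same order of precedence the post uses, so a later rule's count only reflects connections the earlier rules did not already reject.

```python
import re
from collections import Counter

# Hypothetical name of the ISP's receiving MX; a client that HELOs with this
# name is claiming to be the very server it is talking to.
RECEIVING_MX = "mx.example.net"

# The three regexes quoted in the post, applied to the lowercased rDNS name.
DYNAMIC_RDNS_PATTERNS = [re.compile(p) for p in (r"\.dial", r"dhcp", r"[0-9]+-[0-9]+-[0-9]+")]

# The provider suffixes quoted in the post; matched as whole DNS labels.
PROVIDER_RDNS_SUFFIXES = ("ipt.aol.com", "proxy.aol.com", "cpe.net.cable.rogers.com")


def classify(helo, rdns):
    """Return the name of the first rule that rejects the connection, or None.

    helo: the HELO/EHLO name the client presented.
    rdns: the reverse-DNS name of the connecting IP ("" if none).
    Rules are checked in the post's order of precedence, so the first hit wins.
    """
    if helo.lower() == RECEIVING_MX:
        return "Forged HELO as receiving MTA"
    if not rdns:
        return "No hostname"
    host = rdns.lower()
    if any(p.search(host) for p in DYNAMIC_RDNS_PATTERNS):
        return "Dynamic IP by rDNS regex"
    if any(host == s or host.endswith("." + s) for s in PROVIDER_RDNS_SUFFIXES):
        return "Provider by rDNS"
    return None


def summarize(connections):
    """Count connections per rejecting rule (or 'Accepted'), like the post's summary."""
    counts = Counter()
    for helo, rdns in connections:
        counts[classify(helo, rdns) or "Accepted"] += 1
    return counts


# Constructed sample connections as (HELO name, rDNS name) pairs.
SAMPLE_CONNECTIONS = [
    ("mx.example.net", "203.0.113.5.static.example.org"),  # forged HELO
    ("mx.example.net", ""),                                 # forged HELO wins over "no hostname"
    ("mail.example.com", ""),                               # no rDNS at all
    ("pc", "HOST.DHCP.example.net"),                        # matches "dhcp"
    ("host", "203-0-113-7.dsl.example.org"),                # matches the dotted-digit regex
    ("relay", "host1.ipt.aol.com"),                         # provider suffix
    ("legit.example.org", "mail.legit.example.org"),        # passes every rule
]

if __name__ == "__main__":
    for rule, n in summarize(SAMPLE_CONNECTIONS).most_common():
        print(f"{rule} = {n}")
```

Because precedence is built into `classify`, the per-rule totals behave exactly as the post's CIDR example describes: a connection that would also hit a later rule is credited only to the first rule that catches it.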

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg