D.C.B.A.in-addr.arpa. PTR blah.blah.subdomin.domain.tld.
These IPs sent a msg that our greylisting service recorded as a triplet of IP+sender+recipient, rejected it with 450 (after RCPT TO:), and then did not see that IP+sender+recipient re-tried. Had the triplet been retried after 5 minutes, it would have been accepted and no longer greylist rejected. i.e., the greylist's 4xx was an effective 5xx for these IPs. (Our greylist period is 5 minutes.)
Not re-trying to send msg after a 4xx reject is not legit MTA behavior, and typifies sending software (spamware, mailer worms/bots/ratware in infected machines, high-volume spam farms that don't spend resources to retry) that doesn't use (or have) the typical MTA's defer/queue/retry facility.
(btw, for you webhosting outfits, another class of machines that are legit but greylistable is web apps that email forms, sales leads, reports, etc. using the web app's SMTP client (no defer/queue/retry facility) that sends direct to MXs, rather than relaying through a real MTA.)
I assume the numbers below are proportional to the size of the domain.tld network rather than to the rate of infection of any given network. i.e., probably all networks are infected at about the same rate, so bigger networks (more PCs) have bigger numbers.
The point is that these network operators are not policing their networks for infection or unusually high direct-to-MX mailing from subscriber IPs. They clearly don't block access to port 25.
So, if ASTA or anybody else really wanted to follow ASTA's suggestion of blocking networks that were unpoliced/unsecured, here's the list of networks to block:
... etc up to about 4800 unique domain.tld's.
However, the above is not the full picture since these networks have IPs with PTR. Here's the total number of greylisted IPs with/without PTR:
369281 IPs with PTR (the above report)
215562 IPs without PTR
This report is for just one MX seeing about 500,000 IPs greylisted over 5 days. So when you read estimates of millions of infected PCs world-wide causing e-mail havoc, believe it.
btw, I didn't compute it, but it seems that most IPs send about 5 to 10 triplets per day, so our greylisting rejected about 2.5 to 5 million msgs in 5 days from these polluted networks. Total insanity.
Len
_____________________________________________________________________ http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites
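The greylisting decision and the per-domain report described in this message, sketched as an added example (not the poster's code or any product's implementation). The class and function names are hypothetical, "never retried" is assumed to mean that no triplet from the IP was ever accepted, and the events and PTR names are constructed from documentation address ranges.

```python
from collections import Counter

GREYLIST_DELAY = 300  # seconds (the 5-minute greylist period from the post)

class Greylist:
    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}  # triplet -> time of first attempt
        self.passed = set()   # triplets that were retried after the delay

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply code to give after RCPT TO."""
        triplet = (ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first >= self.delay:
            self.passed.add(triplet)
            return 250  # retried after the greylist period: accept
        return 450      # first attempt or too-early retry: temporary reject

    def never_retried_ips(self):
        """IPs for which no triplet was ever accepted (assumed definition)."""
        return {t[0] for t in self.first_seen} - {t[0] for t in self.passed}

def domain_tld(ptr_name):
    """Last two labels of a PTR name, which is how the report groups hosts."""
    return ".".join(ptr_name.rstrip(".").lower().split(".")[-2:])

def report(greylist, ptr_of):
    """Count never-retried IPs per domain.tld, plus those without a PTR."""
    counts, no_ptr = Counter(), 0
    for ip in greylist.never_retried_ips():
        ptr = ptr_of.get(ip)
        if ptr:
            counts[domain_tld(ptr)] += 1
        else:
            no_ptr += 1
    return counts, no_ptr

def demo():
    # Constructed sample: (time in seconds, client IP, MAIL FROM, RCPT TO)
    events = [(0, "192.0.2.10", "a@example.org", "u@example.com"),
              (5, "198.51.100.7", "x@example.org", "u@example.com"),
              (6, "198.51.100.8", "y@example.org", "u@example.com"),
              (7, "203.0.113.9", "z@example.org", "u@example.com"),
              (400, "192.0.2.10", "a@example.org", "u@example.com")]  # MTA retry
    ptr_of = {"192.0.2.10": "mail.example.org.",          # constructed PTRs
              "198.51.100.7": "host7.pool.example.net.",
              "198.51.100.8": "host8.dsl.example.net."}   # 203.0.113.9: no PTR
    gl = Greylist()
    codes = [gl.check(ip, s, r, t) for t, ip, s, r in events]
    return codes, report(gl, ptr_of)

if __name__ == "__main__":
    print(demo())
```

Grouping on the last two labels is why entries such as com.hk and co.uk appear in a report of this kind: the grouping does not consult a public-suffix list.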
