On 16-02-09 11:14 PM, Aaron L. Meehan wrote:
> On Tue, Feb 09, 2016 at 08:56:28AM -0800, Spam Auditor wrote:
> > Just noticed a very large increase of activity from Comcast, it
> > could be that they have changed naming conventions (PTR) records on
> > their dynamic space, or that they are not doing egress filtering on
> > network..
> >
> > Maybe though information on this naming convention, and what it
> > represents would be helpful..
> >
> > 174.163.8.198 3 m001dd418f0d3.sjos3.ca.comcast.net
>
> I think you may know this, but these are MAC addresses for CPEs
> 001dd41 .. for example is the prefix for Arris devices.
>
> And looking at our own mail logs, all of these connections from these
> CPEs are spam, and big time spam. Multiple connections and deliveries,
> to many non-existent addresses. And SpamAssassin has flagged all of them
> as spam in every case I've seen, with scores way above and beyond the
> threshold at least.
>
> Aaron

Yes, and we are blocking/tagging based on that naming convention in the SMTP
layer, but the reason we reported was a sudden jump detected. And of
course that means a lot of wasted CPU cycles and network traffic ;)

Thought maybe an egress filtering rule (e.g. to port 25 from dynamic
address space) went down.

Also, it would be nice if Comcast indicated whether they are
dynamic/static in their naming conventions.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
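
Added example, not part of any message in this thread: a sketch of tagging clients by the PTR convention discussed above and flagging a sudden jump in connections from them. The regex is an assumption generalised from the single hostname quoted in the thread; `parse_cpe_ptr`, `cpe_spike`, the thresholds and the sample log are hypothetical.

```python
import re
from collections import Counter

# Assumption: "m" + 12 hex digits as the first label under comcast.net,
# inferred from the one PTR name quoted in the thread.
CPE_PTR = re.compile(r"^m([0-9a-f]{12})\.((?:[a-z0-9-]+\.)+)comcast\.net\.?$", re.I)

# Prefix-to-vendor note as given in the thread; extend from your own data.
KNOWN_PREFIXES = {"001dd41": "Arris"}


def parse_cpe_ptr(ptr):
    """Return the embedded MAC, region labels and vendor note, or None."""
    m = CPE_PTR.match(ptr.strip())
    if not m:
        return None
    mac = m.group(1).lower()
    vendor = next((v for p, v in KNOWN_PREFIXES.items() if mac.startswith(p)), None)
    return {
        "mac": ":".join(mac[i:i + 2] for i in range(0, 12, 2)),
        "region": m.group(2).rstrip("."),
        "vendor": vendor,
    }


def cpe_spike(events, factor=3.0, min_count=5):
    """events: iterable of (day, ptr). Return days whose CPE-sourced
    connection count exceeds `factor` times the mean of earlier days."""
    per_day = Counter(day for day, ptr in events if parse_cpe_ptr(ptr))
    flagged, seen = [], []
    for day in sorted(per_day):
        n = per_day[day]
        if seen and n >= min_count and n > factor * (sum(seen) / len(seen)):
            flagged.append(day)
        seen.append(n)
    return flagged


# Constructed sample log of (day, client PTR). Only the comcast.net name
# appears in the thread; counts and the other host are made up.
CPE = "m001dd418f0d3.sjos3.ca.comcast.net"
SAMPLE = (
    [("2016-02-07", CPE)] * 2
    + [("2016-02-08", CPE)] * 2
    + [("2016-02-08", "mail.example.org")] * 4
    + [("2016-02-09", CPE)] * 9
)
```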