On Fri, 27 May 2022 22:57:37 +0200, Hans-Martin Mosner via mailop
<mailop@mailop.org> wrote:

>If you look up the MX records for these domains, you see a certain clustering
>around one provider. The IP addresses that I checked don't accept port 25
>connections at this time, but probably they did when the spam run was active.

Correct.  This is "Slash and burn" spamming.  They've been doing this for at
least five years, with an extremely predictable behaviour pattern.  

>Whether blocking a whole ASN is more advisable than blocking a whole TLD is a
>matter of opinion - I've often seen that past spammer hosting in an ASN's IP
>space was a good predictor for future spamminess, but of course as with TLDs
>you will always have some legitimate servers in the mix...

I have a script that detects these guys when they fire up a new /24, which
happens about 1.3 times per week, and puts new rules in the MTA.  I'm simply
fascinated that they continue to attract new clients while essentially
remaining static in their practices for a net.geological_era.

mdr
-- 
       Those who can make you believe absurdities 
       can make you commit atrocities.
                -- Voltaire

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
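
The MX clustering and per-/24 blocking discussed in this message, as an added example that is not the poster's script or anything from the thread. It assumes the input is a list of (spam domain, MX IP) pairs already resolved elsewhere, a hypothetical threshold of three distinct domains per /24, and Postfix cidr: table syntax for the output; the sample data is constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (domain seen in spam, IP its MX resolved to).
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_MX = [
    ("offer-a.example", "192.0.2.10"),
    ("offer-b.example", "192.0.2.77"),
    ("offer-c.example", "192.0.2.201"),
    ("offer-d.example", "198.51.100.5"),
    ("offer-e.example", "198.51.100.9"),
    ("newsletter.example", "203.0.113.25"),
]

def cluster_by_slash24(mx_pairs):
    """Map each IPv4 /24 to the set of distinct domains whose MX sits in it."""
    clusters = defaultdict(set)
    for domain, ip in mx_pairs:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            continue  # this sketch only groups IPv4 addresses
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        clusters[net].add(domain.lower())
    return clusters

def new_blocks(mx_pairs, already_blocked, min_domains=3):
    """Return /24s holding >= min_domains spam domains that no existing rule covers.

    min_domains is an assumed threshold; a single domain in a /24 is weak
    evidence and would sweep in the legitimate servers the thread mentions.
    """
    blocked = [ipaddress.ip_network(n) for n in already_blocked]
    found = []
    for net, domains in cluster_by_slash24(mx_pairs).items():
        if len(domains) < min_domains:
            continue
        if any(b.version == 4 and net.subnet_of(b) for b in blocked):
            continue  # an existing, possibly wider, rule already covers it
        found.append(net)
    return sorted(found)

def postfix_cidr_lines(networks):
    """Render networks as Postfix cidr: access-table entries."""
    return [f"{net}\tREJECT" for net in networks]

if __name__ == "__main__":
    print("\n".join(postfix_cidr_lines(new_blocks(SAMPLE_MX, []))))
```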
