Thank you all for the helpful feedback. Some comments in no particular order, and then a summary at the end (for now). I intentionally omit most names and express my gratitude and respect for chiming in, on either side of the fault line, even (and more so) the side that is not aligned with my interest.

>> 18.32.0.0 - 18.255.255.255 Amazonaws.com
>
> I'm obviously biased, but I'd like to think so, yes. Our DE and UK
> deployments use IPs from that range, for instance.

sorry for your predicament. I've been in a similar predicament with my old deployment at Digital Ocean. Not much I can do if the swamp's owner has policies that smell worse than rotten fish, other than sanitizing myself out of there.


> I get a fair amount of real mail mixed in with the crud

this is what makes it difficult when getting close to the **FAULT LINE**. Whose fault is it for the mixing up of ham and spam and for commingling water with sewage? And which perspective prevails?


> AWS needs to add transparency.

Possibly? transparency is one way to **GOVERNANCE** and certainly a requirement for democratic governance. BUT: governance start with self-governance; and there are forms of non-democratic governance that work pretty well. As a user, I receive less spam when I am governed by Apple (iMessage) or Telegram.


> Honest question -- are there any hosting networks that do a particularly
> great job at keeping spammers away? I'd be happy to move my server.

Honest answer: I do not know. It depends on **INCENTIVES**.


>> 34.4.5.0 - 34.63.255.255 Googleusercontent.com
> https://developers.google.com/static/crawling/ipranges/user-triggered-fetchers.json
>
> and applying extreme rate limits to keep down the noise.

thanks for the (maybe?) useful link. some feedback says it is not always up to date. At least it is an attempt at playing civilized. but why just rate limits? IMHO rate limiting is the wrong **SIGNAL**: it still taxes my resources more than I am willing to tolerate. Tolerance tends to encourage bad behavior and unless there are benefits to the tolerance, or it is technically impossible to avoid, it should be avoided.


>> 141.98.10.0/24 hostbaltic / tiscali.it?
>
>    141.98.10/24 has been in our block-and-forget list since 2022-Mar-21

nobody had good words for this one, surprise.


> no reason to reconsider.

important thought that requires design. what if the subnet changes ownership, or, against all odds, they do clean up their act and start participating civilly? **DYNAMICS**


>> 64.62.197.0/24 shadowserver.org

> It is useful security scanner

...

> You can easily opt out

...

> I think they do good work

...

> legitimate, but noisy .. you can request they don't probe your machines

A lot of good words for them. HOWEVER: IMHO, the opt out model is insufficient and unacceptable. Another signal.

Too many "white hats." Some try to justify their stuff in their whois/RDAP remarks. Some have some sort of TOKEN there. No idea what it is. If someone cares to explain, I am curious. But it is curiosity only. To me, the white hats are as much of a nuisance as the black hats. Unless *I* decide that I want to hire/pay a white hat.


BACKGROUND INFORMATION: These four picked subnets were just a representative sample. Four different cases collected over the first two days of life of a new cloud instance. Apart from a couple of test emails I sent forth and back to validate my proof of concept (still needs some work), it was all sewage that assaulted port 25 on an IP address that has been kept inoperative/silent for a couple of years.

No ports 465, 587, imap, pop3 (is it still a thing?). SSHd behind wireguard. For easy management, the cloud instance is an Incus host and the mail server is in an Incus container. Almost completely scripted instantiation/provisioning. Still a mess, because I am DYI and because I believe in a different design paradigm than the existing orchestration/provisioning tools out there. The Postfix/Rspamd inside the container was showered with sewage once port 25 was forwarded to it.


>> https://github.com/StevenBlack/hosts for hosts?
>
>    I've been thinking about building something like this as a hobby,
> but haven't had the time.

If there is one thing that is clear to me: this is not a hobby. There is a good reason why DNSRBL operators are asking for money for their service. But also a good reason to avoid their business model.


> there are RBL's [...] Google does have a public list,
> but it isn't even that accurate.

If only the RBL's services were the answer. Abdication of sovereignty is too much. I may as well move all of my emails to any of the hyperscaling oligopolists and call it a day.

Rspamd is a partial solution to the data sovereignty issue, but at what cost and complexity? It has its place closer to the FAULT LINE, but as first line I am looking for a low compute requirements, bright line between obvious networks from which I can expect nothing of value in my circumstances. For the rest, I may indeed apply the finer mechanisms of Rspamd.


> You can have an 'exemption list' for the few legitimate servers

certainly part of the intended design of that low-computing line. The beauty of Steven Black's hosts consolidation is that it consolidates multiple inputs to one user-customizable output, all based on criteria that match the user's circumstances and coupled with easy augmentation/reduction based on the circumstances of the specific host. Such use is far from perfect, and interests contrary to mine can (try to) circumvent it with hard-coded IP addresses and with kill-switches embedded in their spyware-infested devices (out on the web there is an interesting account of an engineer trying to make a robo-vacuum work for him instead of spying on his household; but I am digressing).


I am dividing the UNWANTED INCOMING TRAFFIC into three classes. Only one is in scope: (a) clients/subnets that I do not want to receive from, nor expect to receive from, anything valuable to me. This is in scope. (b) compromised/hacked clients: out of scope. There are tools for that including fail2ban. (c) clients that are too close to the FAULT LINE, e.g. commingled traffic, bad network-neighborhood. out of scope. There are tools for that, including rspamd.


> The worst if the number of AUTH attacks

out of scope.


> hard to tell if they are simply compromised installations,
> or threat actors.

out of scope.

> NOTE: with increased use of MCP, you will see
> more legitimate login attempts, but you should use 2FA methods
> required from this IP space.

out of scope.

Off-topic note on MCP: total shitshow. once again, security was an afterthought. Rumors have it that some higher up at Meta had all of their emails deleted; and others had their databases deleted. I like the German canonical answer: "selber schuld!" I have very briefly experimented with (custom) MCPs. isolate. isolate. isolate. And not the way Anthropic suggest, with a firewall on the inside of the container. Make sure it is isolated from the outside, so that an unauthorized privilege escalation is not immediately followed by a gaping firewall hole.


> If you REALLY want to stop the noise, yes you can build an ipset for
> your firewalls, with minimal blow back.

That is indeed the intended goal. But before reinventing the wheel, and building the ipset alone and on my own, I am looking for something along the GitHub repo linked above, or at least allies with similar needs to build an ipset out of common intelligence and common interest.


> [worst offenders] probably on most DROP lists like SpamHaus and
> SpamRats, you are using those correct?

they have their place in rspamd, after the low-compute-cost first line of defense has limited access. In addition to the waste of compute resources, it is structurally not wise to rely on DNSRBLs at this stage. Strategically, they are welcome to contribute to building the ipset the same way the input from ad-blockers contributors is welcome into the hosts list at the Github repo linked above. Not the other way around, which is just a slippery slope to entshittification where the "free" tier lasts until the new tool reaches critical mass collected from the data of the "free" users, and then paywalls and other shenanigans are raised. This kind of sneaky monetization is as acceptable as charging for security patches that would not be needed in the first place with access to the automated build pipeline (Ubuntu Pro).

I know that my idea is contrary to the business model and the bread and butter of many in anti-abuse space. Sorry not sorry. Their interest is ortogonal if not opposed to mine. My idea is also contrary to the bread and butter of many if not most ESPs: I will block what they believe is legitimate interest spam. Sorry not sorry. I am unabashedly and uncompromizing seeking the best possible implementation of the one rule: my inbox, my rules.


THE FAULT LINE

Because there is only one reasonable view of ham vs spam: spam is in the eyes of the recipient. With very few exceptions. I wish I could ignore as spam the claims of legitimate creditors.

Where an effort is made to accommodate cases that are closer to the fault line than they could be: cost/benefit-analysis. Too much complication has been added to capture the DYNAMICS. Sure, network ownership change, behavior change, people may be open to change suppliers, etc. -- but the majority of my incoming legit traffic follow established pattern, and the majority of all traffic is not legit. Hence, accommodation of dynamic / introduction of change shall be the afterthought, not a main concern.


GOVERNANCE

Governance starts with self-governance. There will always be someone looking to exploit a loophole. It's part of my job (lawyer). No protocol is perfect and there will always be loopholes, with cost, benefits, and consequences. Without incentives not to exploit loopholes, most forms of governance will fail, and the more tolerant ones will fail before the strict/authoritarian ones.


SIGNALS AND INCENTIVES

If the cost/benefit calculation for the bad behavior stays positive, consequences are just the cost of doing business. If I want the bad behavior to end, I need to increase the cost. The decision not to accept traffic from a subnet is a radical one, but it communicates that bad behavior will not be tolerated. There is room for tolerance before resorting to an outright block, and that room is well served by existing tools. However, the cost is completely born by the recipient. No incentive for the subnet from which the nuisance is emanating to do anything differently. Adding them on a permanent block list is a clear signal that their traffic is unwanted here. And if they do not get the message and are not incentivated to improve their ethics, at least it does not cost me more resources than putting them on a list. Let them deal with the problem of not being able to deliver to me.


DYNAMICS

If delivering to me is so important to them, a dynamic will develop. At their expense, not at mine. When my mail server started suffering from swampy neighborhood, I contracted SMTP service from an ethical ESP. I use it as an SMTP relay for outgoing traffic. I still control my inbox, so if my clients send confidential matter, it does not risk transit/storage at my service provider that could be affected by legal and often covert interception (search warrants) or by unethical or unauthorized inspection. Of course all of these security measures are moot if my clients use some juggernaut's services for their email sending, but I have complied with my professional duty to them, and I do try to educate them about mitigating risk by not emailing confidential matter.


CONCLUSION

the conclusion for now is that until I have some sort of ip blocklist, I need to oversize a bit my mail server resources. Not satisfying, but pragmatic.

I have some other ideas about reducing traffic and reducing compute waste, but they are still half-backed.

Yuv


On 2026-06-06 01:14, Hans-Martin Mosner via mailop wrote:
Hi,
a bit late, but just adding a data point:

Am 05.06.26 um 18:46 schrieb postfix--- via mailop:
Hello list, may I pick the accumulated wisdom and experience?

any useful traffic from these subnets:

18.32.0.0 - 18.255.255.255 Amazonaws.com

As a mail source, this is used by some legitimate senders. I'd prefer if they used dedicated mail infrastructure with a responsible operator, of course, but you can't always have what you want.

However, the cloud file hosting service of AWS is currently being abused for massive phishing runs so that I hold any mail referencing a *.amazonaws.com domain for manual vetting.

34.4.5.0 - 34.63.255.255 Googleusercontent.com
Block. I've not seen any good come from there, ever.

I am thinking of just dropping them at the firewall and call it a day. I have not yet advertised my super clean new mail server and there is already a stream of abuse.

also from:

64.62.197.0/24 shadowserver.org
Can't say anything personally, but apparently they are white-hat as reported by other list members.
141.98.10.0/24 hostbaltic / tiscali.it?
Hostbaltic has been on my block list for a long time for reasons...

Cheers,
Hans-Martin


_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop

Reply via email to