--On Tuesday, February 5, 2008 1:58 PM -0500 Vlad Mazek <[EMAIL PROTECTED]> wrote:

Has anyone else noticed a similar pattern or does someone out there hate
me? :) The top 100 SPAM senders on my network (1 minute snapshot below)
are all forgeries starting with jr- or jq-


Yeah, we noticed.

We get 3 million BOUNCES a day for [EMAIL PROTECTED], from
stupid systems that don't reject for unknown users, but accept and
then mail a bounce.  If 3 million are undeliverable just to badly
configured systems, imagine how many are really undeliverable, and
then imagine how many are being sent!  And for just that one sender.
Note, [EMAIL PROTECTED] does not exist and never did-- it is
totally safe to reject all mail from it.  We refuse the bounces at
the RCPT command, but it's still a lot of useless smtp connections.

The spam is from the Herbal King, for organ enlargement, isn't it?
Unfortunately we cannot deliver to one mailbox fast enough to collect
very many samples, but that's what we saw last time we tried it.

The messages have a faked Received header that looks pretty good.
Note that Senderbase shows cs.columbia.edu as columbia.edu's biggest
single sender of email, despite the fact that it sends NO mail, based
entirely on Senderbase believing Received headers.

It makes you want to add points for senders starting with jr or jq,
doesn't it?

Joseph Brennan
Columbia University Information Technology
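
An added example, not part of the original messages: a sketch of the RCPT-time handling described above, where unknown recipients get a 550 during the SMTP session instead of being accepted and bounced later, plus the jr-/jq- sender scoring idea. The mailbox list, addresses, point value and function names are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample data: valid mailboxes for a hypothetical domain.
VALID_RCPTS = {"alice@example.edu", "bob@example.edu"}
FORGED_PREFIX = re.compile(r"^j[rq]-", re.IGNORECASE)  # the jr-/jq- pattern from the thread

def rcpt_decision(mail_from, rcpt_to):
    """Decide at RCPT time, so nothing is accepted and bounced later."""
    rcpt = rcpt_to.strip("<>").lower()
    if rcpt not in VALID_RCPTS:
        # Null sender (<>) marks a bounce; to an unknown user it is backscatter.
        kind = "backscatter" if mail_from == "<>" else "unknown-user"
        return 550, kind
    return 250, "ok"

def prefix_score(mail_from, points=1.0):
    """Extra spam points for an envelope sender whose local part starts jr-/jq-."""
    local = mail_from.strip("<>").split("@", 1)[0]
    return points if FORGED_PREFIX.match(local) else 0.0

def summarize(envelopes):
    """Tally RCPT outcomes and count prefix hits across a batch of envelopes."""
    outcomes = Counter()
    flagged = 0
    for mail_from, rcpt_to in envelopes:
        code, kind = rcpt_decision(mail_from, rcpt_to)
        outcomes[(code, kind)] += 1
        flagged += prefix_score(mail_from) > 0
    return outcomes, flagged

SAMPLE = [  # constructed (MAIL FROM, RCPT TO) pairs
    ("<>", "<jr-abc@example.edu>"),           # bounce to a never-existent address
    ("<>", "<jq-xyz@example.edu>"),
    ("<jr-foo@example.org>", "<alice@example.edu>"),
    ("<carol@example.net>", "<bob@example.edu>"),
    ("<dave@example.net>", "<nobody@example.edu>"),
]

if __name__ == "__main__":
    outcomes, flagged = summarize(SAMPLE)
    for (code, kind), n in sorted(outcomes.items()):
        print(code, kind, n)
    print("prefix-flagged senders:", flagged)
```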


