On Oct 5, 2015, at 10:57 PM, Noel Butler <noel.but...@ausics.net> wrote:

> On 06/10/2015 12:39, Jo Rhett wrote:
> 
>> Sorry, let me restate: I know consequences of blocking large
>> providers. I’m asking if others have found the same to be true, or if
>> there is any reason to give SoftLayer benefit of the doubt?
>> Once in a great while this kind of query generates clueful contact
>> with said provider to get off their tail...
> 
> 
> softlayer is turning into the U.S.'s version of Europe's OVH - many ranges of 
> both are blocked, though the report rate has dropped significantly in months 
> gone by for both, so if you block, leave yourself a note to unblock in 30 
> days or so and see how it pans out.
> 
> Alternatively, if you have a lot of users you provide for that get legit 
> softlayer mail, just score them high so they always end up in spam folder.


We’ve had issues with softlayer/the planet.  I don’t remember ever seeing a 
response to a single complaint.  Not one.

And some of them are really blatant, like impersonating the FBI.

One thing I’ve noticed is that long-term, legitimate softlayer customers end up 
changing their rDNS (PTR) records, since they don’t have to jump from lily pad 
to lily pad.

The spammers, on the other hand, often don’t go through the trouble because 
they’re not going to be there long enough.

In that case, blocking something like:

X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}-static\.reverse\.softlayer\.com /
X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[0-9a-f]{2}\.[0-9a-f]{2}\.[0-9a-f]{4}\.static\.theplanet\.com /


might be the solution.

We found that most of the spam we got from softlayer either included a URL that 
resolved to 104.148.103.2 — which was easy to block with check_url_local_bl() — 
or else contained a message-id which had an email address in it followed by:

[a-z0-9\-\.]{1,6}>$

for instance.

-Philip
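
Added example, not part of the original message: a Python check of the two relay patterns above against constructed X-Spam-Relays-Untrusted values, showing that only a stock provider PTR on the first untrusted relay matches. The `relay()` helper, the sample hostnames and the field layout of the samples are assumptions made for the illustration.

```python
import re

# Rule bodies from the post, with the stray "\[" dropped and literal dots escaped.
DEFAULT_PTR = {
    "softlayer": re.compile(
        r"^[^\]]+ rdns=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}-static\.reverse\.softlayer\.com "),
    "theplanet": re.compile(
        r"^[^\]]+ rdns=[0-9a-f]{2}\.[0-9a-f]{2}\.[0-9a-f]{4}\.static\.theplanet\.com "),
}

def relay(ip, rdns, helo="mail.example.com"):
    """Build one constructed relay entry (assumed pseudo-header layout)."""
    return (f"[ ip={ip} rdns={rdns} helo={helo} by=mx.example.net "
            "ident= envfrom= intl=0 id=1A2B3C auth= msa=0 ]")

def default_ptr_provider(relays_untrusted):
    """Return the provider whose stock PTR names the first untrusted relay, else None."""
    # The leading character class cannot cross the "]" that closes the first
    # entry, so only the relay that handed the message to the local MX is examined.
    for provider, pattern in DEFAULT_PTR.items():
        if pattern.search(relays_untrusted):
            return provider
    return None

# Constructed samples (documentation IP ranges, made-up hostnames).
SAMPLES = {
    "stock softlayer PTR": relay("192.0.2.10", "192.0.2.10-static.reverse.softlayer.com"),
    "stock theplanet PTR": relay("192.0.2.44", "4a.2b.1f3c.static.theplanet.com"),
    "customer-set PTR": relay("192.0.2.20", "mail.example.org"),
    "no PTR at all": relay("192.0.2.30", ""),
    "stock PTR only on an earlier hop": " ".join([
        relay("198.51.100.7", "mx1.example.org"),
        relay("192.0.2.10", "192.0.2.10-static.reverse.softlayer.com"),
    ]),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:34} -> {default_ptr_provider(value)}")
```
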
