[Asrg] Something I noticed...
der Mouse <mouse@Rodents-Montreal.ORG> Fri, 03 July 2009 20:57 UTC
From: der Mouse <mouse@Rodents-Montreal.ORG>
Date: Fri, 3 Jul 2009 16:44:17 -0400 (EDT)
Subject: [Asrg] Something I noticed...
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
To get back to the research we are supposedly doing here.... I recently noticed something odd. It could be nothing but a quirk of my mail stream, or it could be something serious spamwatchers know all about but I've missed - but it also might possibly be useful somehow.

My mailer does DNSBL checks. One of them, probably the most useful single one, is the Spamhaus Zen list. But I noticed Zen-listed hosts had a tendency to hammer on me despite 100% rejections (not surprising in view of how much spammers, especially botnet-using spammers, pay attention to things like SMTP response codes, ie, not at all). So I added a decoration: when a Zen-listed host tries to send me mail, it goes into a router-based blacklist between my SMTP server and the world, for 24 hours (longer if it retries during the 24 hours). This helps keep my logs clean, and that's the major value it holds for me; I'm not under any delusions that anyone is paying any attention. :)

But, recently, looking at the plots of my router blacklist size, I noticed some interesting artifacts. On investigating, it turns out that every once in a while (every few days), rather than puttering along at its usual pace of a half-dozen events an hour, the Zen-driven blacklist takes a big spike, jumping by something like 50 or 60 within a couple of minutes.

I have speculation about what's behind this, but I'm sure many of you do too (probably the same speculation in a lot of cases). What I'm really writing here for is, anyone have any idea for anything useful I can do with the information? I'll be happy to provide anyone who wants with a feed of the underlying data, though I daresay those serious about this stuff already have such data of their own.

/~\ The ASCII                 Mouse
\ / Ribbon Campaign
 X  Against HTML      firstname.lastname@example.org
/ \ Email!         7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
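As an added example (not code from the original message or from der Mouse's setup), the Python below models the mechanism described above: a router blacklist that holds a Zen-listed host for 24 hours and extends the hold on retry, plus a sliding-window check that flags the "50 or 60 within a couple of minutes" bursts against the half-dozen-an-hour baseline. The class and function names, the constructed timestamps and the 192.0.2.x address are assumptions for illustration.

```python
from datetime import datetime, timedelta

HOLD = timedelta(hours=24)           # block at the router for 24 hours
SPIKE_WINDOW = timedelta(minutes=2)  # "within a couple of minutes"
SPIKE_THRESHOLD = 50                 # "something like 50 or 60" new entries
T0 = datetime(2009, 7, 1)            # constructed start time for the sample data

class RouterBlacklist:
    """Hosts refused because Zen lists them are held at the router for HOLD;
    a retry while held pushes the expiry out again, as the post describes."""

    def __init__(self):
        self.expiry = {}  # ip -> time the router block lapses
        self.events = []  # time of every Zen-listed delivery attempt

    def record_zen_hit(self, ip, now):
        """Called when a Zen-listed host connects. Returns True if this
        created a new entry, False if it only extended an existing hold."""
        self.events.append(now)
        is_new = self.expiry.get(ip, now) <= now
        self.expiry[ip] = now + HOLD
        return is_new

    def size(self, now):
        """Current blacklist size, the quantity the post plots over time."""
        return sum(1 for exp in self.expiry.values() if exp > now)

def find_spikes(events, window=SPIKE_WINDOW, threshold=SPIKE_THRESHOLD):
    """Sliding window over the event stream: return (start, count) for each
    burst of at least `threshold` hits inside `window`, each burst once."""
    events = sorted(events)
    spikes, j, last_end = [], 0, None
    for i, start in enumerate(events):
        j = max(j, i)
        while j < len(events) and events[j] < start + window:
            j += 1
        count = j - i
        if count >= threshold and (last_end is None or start >= last_end):
            spikes.append((start, count))
            last_end = start + window
    return spikes

def sample_events():
    """Constructed stream: six hits an hour for six hours (the 'half-dozen
    events an hour' baseline) plus one burst of 55 hits in 55 seconds."""
    quiet = [T0 + timedelta(minutes=10 * k) for k in range(36)]
    burst = [T0 + timedelta(hours=3, minutes=5, seconds=s) for s in range(55)]
    return quiet + burst
```

Feeding the real timestamps of Zen-driven additions into `find_spikes` gives the burst start times to correlate with other logs; the threshold is a starting point, not a tuned value.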