On Fri, 23 May 2014 09:15:07 -0400 Jerry Stuckle <jstuc...@attglobal.net> wrote:
> On 5/23/2014 3:02 AM, Joe wrote:
> > On Thu, 22 May 2014 18:38:37 -0500
> > John Hasler <jhas...@newsguy.com> wrote:
> >
> >> Joe writes:
> >>> But you normally only get one spam at a time from one ISP, which
> >>> suggests they do spot the problem themselves fairly quickly...
> >>
> >> It suggests that the spammers are quite sophisticated in their use
> >> of their bots.
> >
> > These are the ones that make it through, meaning among other things
> > they come from an address with a proper A-PTR record pair.
> >
>
> This depends entirely on how your MTA is set up. Not all MTAs do
> reverse domain lookups (they are relatively long time consuming and
> can slow down mail processing, especially on a busy system).

I'm not an ISP, my record for rejections in one 24 hour period is just
over 12,000, which isn't a heavy load. These days I'm getting a couple
of hundred a day, plus about the same in legitimate email.

> But
> even when they do, most systems nowadays have A-PTR records, even if
> they are in the form of "pool-1-1-168-192.example.com".

While many ISPs provide PTR records of this type, not that many create
matching A records. I know that some do, as a few of the spams that
make it to my email client have these generic hostnames.

Another common SMTP server requirement is to require a HELO to be
resolvable in public DNS, this one catches quite a few. The spammers
who send my IP address as their HELO (oh, yes they do...) are pretty
easy to spot.

>
> > My rejectlog shows addresses trying several times an hour for days,
> > and these are mostly domestic users. Presumably most mail servers
> > reject these, and complaints aren't raised as quickly.
> >
>
> That's just the sender's MTA retrying the request, and has nothing to
> do with the spammer. The spammer probably only sent one message.
> Chances are the messages are rejected because they're already on
> someone's blacklist. Eventually the originating MTA gives up.
>

But the sender doesn't have an MTA, it is a malware SMTP engine. I
really doubt that any spammers are currently uploading a proper MTA to
hacked domestic computers, which is where pretty much all my
SMTP-rejected spam comes from. If it was a proper MTA, it would never
retry after a hard rejection at the RCPT stage, it would pass back the
error message to the sender.

--
Joe

Archive: https://lists.debian.org/20140523182858.05264...@jretrading.com
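
The three SMTP-time checks discussed in this message (a matching A-PTR pair, a HELO that resolves in public DNS, and a HELO equal to the receiving server's own IP address), sketched as an added example that is not part of the original post. The DNS tables are constructed from documentation address ranges, and `check_sender`, `MY_IPS` and the reason strings are hypothetical names.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), standing in for live lookups.
PTR = {
    "192.0.2.10": ["mail.example.org"],
    "198.51.100.7": ["pool-7-100-51-198.example.net"],  # PTR only, no A record
    "203.0.113.5": ["pool-5-113-0-203.example.com"],    # generic name with matching A
}
A = {
    "mail.example.org": ["192.0.2.10"],
    "pool-5-113-0-203.example.com": ["203.0.113.5"],
}
MY_IPS = {"192.0.2.1"}  # hypothetical address of the receiving server


def check_sender(client_ip, helo, ptr=PTR.get, a=A.get, my_ips=MY_IPS):
    """Return the reasons to reject at SMTP time; an empty list means accept."""
    reasons = []
    client = ipaddress.ip_address(client_ip)

    # A-PTR pair: some PTR name must resolve back to the connecting address.
    names = ptr(str(client)) or []
    if not names:
        reasons.append("no-ptr")
    elif not any(str(client) in (a(n.rstrip(".").lower()) or []) for n in names):
        reasons.append("ptr-without-matching-a")

    # HELO checks: our own address as HELO, or a name absent from public DNS.
    arg = helo.strip().strip("[]")
    try:
        helo_ip = ipaddress.ip_address(arg)
    except ValueError:
        helo_ip = None
    if helo_ip is not None:
        if str(helo_ip) in my_ips:
            reasons.append("helo-is-our-address")
    elif not a(arg.rstrip(".").lower()):
        reasons.append("helo-unresolvable")
    return reasons
```

The third sample host has a generic pool-style name with a matching A record and a resolvable HELO, so it passes all three checks, which is the case Joe describes reaching his email client.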