Is it just me or has the volume of SPF-passing spam where the sending IP is not known by Spamhaus gone up in recent weeks? I used to get these very infrequently, but during the last few weeks I've gotten new ones almost daily. Many of the sender addresses look legitimate, with TLDs such as .com or .net or .de, and they very much look like cases where a spammer has got their hands on a formerly legitimate domain or hacked the DNS provider. The sending IPs' reverse records point to very suspicious-looking Chinese or Russian domains, some IDN and some regular.
An example of such a domain is vovlink.de, where the A record and the mail subdomain both point to 62.173.147.115, the reverse of which is the IDN орс.051.рус (xn--n1aed.051.xn--p1acf). Because the SPF config is "v=spf1 a mx -all", the spam passes the SPF check. I reached out to the abuse contact through the domain-contact.org website and actually got a reply, but the DNS config is still unchanged and the host is still sending spam. Of course I block these manually when I come across them, but these used to be very infrequent. So I wonder if this is a larger phenomenon or is it just that some spammer has recently added my domains to the recipient list. The vovlink.de one did also send spam to my Gmail address, so I guess that IP has pretty hefty output volume.
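
The pattern described in the post (an SPF pass via `a`/`mx` while the sending IP's reverse record belongs to an unrelated domain) can be flagged on the receiving side. The following is an added example, not part of the original message: it runs over a constructed DNS snapshot in which the MX record for vovlink.de and everything under example.org are assumptions, and the function names are hypothetical.

```python
import ipaddress

# Constructed DNS snapshot so the example runs offline. The vovlink.de A record,
# SPF string and PTR are the values quoted in the post; the vovlink.de MX record
# and all example.org data are assumptions made for illustration.
DNS = {
    ("vovlink.de", "TXT"): ["v=spf1 a mx -all"],
    ("vovlink.de", "A"): ["62.173.147.115"],
    ("vovlink.de", "MX"): ["mail.vovlink.de"],
    ("mail.vovlink.de", "A"): ["62.173.147.115"],
    ("115.147.173.62.in-addr.arpa", "PTR"): ["xn--n1aed.051.xn--p1acf"],
    ("example.org", "TXT"): ["v=spf1 a mx -all"],
    ("example.org", "A"): ["192.0.2.10"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org"],
}

def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])

def spf_a_mx(domain, ip):
    """Evaluate only the bare 'a', 'mx' and 'all' mechanisms of an SPF record."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "a":
            hit = ip in lookup(domain, "A")
        elif mech == "mx":
            hit = any(ip in lookup(mx, "A") for mx in lookup(domain, "MX"))
        else:
            hit = mech == "all"  # other mechanisms are out of scope here
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def ptr_aligned(domain, ip):
    """True if a PTR name for ip lies under domain and resolves back to ip."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return any((n == domain or n.endswith("." + domain)) and ip in lookup(n, "A")
               for n in lookup(rev, "PTR"))

def classify(domain, ip):
    # An SPF pass whose PTR is unrelated to the sender domain gets its own label.
    spf = spf_a_mx(domain, ip)
    if spf == "pass" and not ptr_aligned(domain, ip):
        return "spf-pass-ptr-mismatch"
    return spf
```

Legitimate senders on shared hosting also often have a PTR outside their own domain, so the mismatch label is better used as one scoring input than as a block rule on its own.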
