Domain: bsdly.net
Stories and comments across the archive that link to bsdly.net.
Comments · 7
-
Re:Reduced Backscatter Significantly
I set up SPF as kind of a desperation play more than anything else and the backscatter disappeared almost overnight. I'm sure someone out there is still receiving spam which appears to be sent from my domain, but the volume of backscatter I'm getting isn't even a tenth of what it once was. SPF is good for something.
The end of backscatter is more likely both a temporary thing and an indicator that they moved on to the next domains in their lists. They will be back sooner or later. In the meantime, you could use those backscatter addresses productively for such things as greytrapping (see eg http://www.bsdly.net/~peter/traplist.shtml, featured here at
/. at various times). It is worth noting that the domains involved there had valid spf records before those backscatter storms started happening. -
Blacklists should expire agressively
The problem here seems to be badly maintained blacklists. After seeing way too many false positives on various blacklists out there, the only lists I would use are ones that expire their entries in a matter of days or hours. The good ones that I use are uatraps (greytrapping generated, 24 hour expiry) and nixspam (IIRC max 4 days after last seen spam activity). Then of course I maintain my own greytrap list (see the traplist homepage and the traplist ethics pagefor details).
The point is, you need to expire entries aggressively. Keeping entries around because somebody received a spam from somewhere in that general direction four years ago is just silly. And don't get me started on blacklisting domains. If there is one thing we know with almost total certainty, it is that spammers never use From: or Reply-to: addresses that have anything vaguely to do with the real senders. -
Blacklists should expire agressively
The problem here seems to be badly maintained blacklists. After seeing way too many false positives on various blacklists out there, the only lists I would use are ones that expire their entries in a matter of days or hours. The good ones that I use are uatraps (greytrapping generated, 24 hour expiry) and nixspam (IIRC max 4 days after last seen spam activity). Then of course I maintain my own greytrap list (see the traplist homepage and the traplist ethics pagefor details).
The point is, you need to expire entries aggressively. Keeping entries around because somebody received a spam from somewhere in that general direction four years ago is just silly. And don't get me started on blacklisting domains. If there is one thing we know with almost total certainty, it is that spammers never use From: or Reply-to: addresses that have anything vaguely to do with the real senders. -
We catch a lot of this via greytrapping
The Spamhaus article really describes one of the most frequently encountered behaviors we see by looking at our spamd logs. Each machine does not necessarily send a large number of messages (although some do, hanging on for weeks on end in extreme cases), but once a machine has tried to deliver mail to one of our published trap addresses (see the list at http://www.bsdly.net/~peter/traplist.shtml ), we keep them occupied and publicly shamed (see http://www.bsdly.net/~peter/nameandshame.html as well as the exported blacklist) for 24 hours, or longer if they keep coming. I wrote about these things in some blog posts earlier that were
/.ed, and of course the generated lists are free to use, see the URLs and the blog posts. -
We catch a lot of this via greytrapping
The Spamhaus article really describes one of the most frequently encountered behaviors we see by looking at our spamd logs. Each machine does not necessarily send a large number of messages (although some do, hanging on for weeks on end in extreme cases), but once a machine has tried to deliver mail to one of our published trap addresses (see the list at http://www.bsdly.net/~peter/traplist.shtml ), we keep them occupied and publicly shamed (see http://www.bsdly.net/~peter/nameandshame.html as well as the exported blacklist) for 24 hours, or longer if they keep coming. I wrote about these things in some blog posts earlier that were
/.ed, and of course the generated lists are free to use, see the URLs and the blog posts. -
Some more data for your entertainment
I generally do not get a lot of spam, but one episode recently made me collect some samples and blog about them (/.ed as Giving Your Greytrapping a Helping Hand).
That page also contains references such as the complete listing of subject lines from spammers caught in our blacklists over a few years' time.
Enjoy!
-
Re:Frontbridge Spamshark
> Now this internal blacklist is then shared to all the other customers who use Spamshark, so they are now protected too; resulting in a 5 nines hit rate on spam.
And more false posistives than you would actually like to have. I've been at the business end of one of Frontbridge's blacklists. One of the domains I admin got blacklisted a full three weeks after the hosting company screwed up and let phishers set up a paypal scam site as the "test1" user to live for all of 22 hours. Three weeks later, one of the company's main customers, who happens to be a frontbridge customer, is no longer able to receive mail from us. A an unfinished writeup is at bsdly.net - I just gave up in disgust after trying to write an article about the incident.