on Wed, Apr 13, 2005 at 02:38:44PM -0600, Steve Meuse wrote:
On 4/13/05, John Palmer <nanog@adns.net> wrote:
Thank you for that information. I can leave 41/8 in my router bogon list and hopefully eliminate the Nigerian 419 problem somewhat.
Personally, I believe we should give them the chance to fail before we cut them off from the rest of the world. I don't think the majority of 419 email comes from addresses actually sourced in Nigeria.
I can't speak to the whole world's perceptions, but for 419/aff mail seen here, the vast majority comes from IPs assigned to the following ISO country codes: (africa|AR|BF|BG|BJ|BW|CI|DK|ES|GH|IL|KE|KR|LB|LV|ML|MR|NG|NL|RW|SN|TG|ZA|ZW) Where 'africa' means "IP space delegated to africa-online.com" (216.104.192/20). Also see quite a bit from BR, the occasional one or two from space in the US, satellite connections, and some from FR. I know this because I use the Received: and various X-Originating-IP format headers (usually originating via some compromised or unmonitored webmail software) to extract the injection IP and reject messages if the source matches the ISO codes above in a crossref of IP to ISO code or other keyword. I used to see quite a bit from Australia, but bigpond seems to have cleaned up its act significantly. Steve -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!