Was that some wrappered service? Looked like tcp_wrappers. I think a router with enough memory would be a better performer for filtering activies at that layer.
I did go ahead and install the relay denial rulesets published on sendmail.org for 8.8.x and they work fine. Cyberpromo appears to have been using "Cyberbomber" on our ports.
I guess I'm naive, but I thought NAPS wanted to stop this kind of thing, and most had explicit rules about it. Guess not. Back to the clue-store with me. :-/
are you suggesting that providers filter /16's because they were spammed from a host in some tiny portion of the block..? i'd bet it wouldn't take two days, much less two weeks, to receive complaints from our own customer's (or any moderately large provider's) for that sorta thing... one semi-solution would be to receive vixie's spam feed, at least it's as precise as possible .. and less headache. -danny