Point of information: Can you really distinguish all this intentionality vs. the spammer just changing which relay to rape? Perhaps because the raped relay was shut down or secured when the owner found out what was going on? Or the spammer just switching relays to rape for no specific reason other than they seem to "go bad" after a few hours so use one for a while (perhaps a batch of addresses to spam) and then switch to the next in the list? On September 10, 2002 at 09:12 JOE@OREGON.UOREGON.EDU (Joe St Sauver) wrote:
Actually, our experience *does* follow the backoff paradigm: if you block a particular source of spam, that rejection *does* seem to trigger "message volume" backoff at the source, with only periodic check probes apparently designed to see if the spam source is really still blocked (and of course it really still is).
Now it is true that in many cases the spammer *will* do a set of probes in an effort to see just how broad a given block is (e.g., is it just a /32 that's being blocked? is it my entire netblock? is it a domain based filter? can I slide in via an open SMTP relay or an abusable proxy server?), but at least here at the U of O, we're NOT seeing spammers waste their time attempting delivery of hundreds or thousands of messages per day via hosts that have been identified and filtered.
Regards,
Joe
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD The World | Public Access Internet | Since 1989 *oo*