>> I see it too. I also use greyscanner to catch spammers and I see
>> a lot of spam to <random numbers and letters>@mydomains. So I trap
>> all hosts sending to addresses with numbers in them (as I don't
>> have any legit accounts with numbers). This catches almost all spam.

I finally got to deploying greyscanner on my mailservers,
and did something similar: trap every recipient address
with two or more digits in the user part (one digit could be
a typo, say a '2' before the '@'). This catches most of it.

>> I make all the fictitious addresses into spam traps.
>> Here's a bit of the output from my spamd database:
>> SPAMTRAP|a3d2...@witworx.com
>> SPAMTRAP|a7c85e...@witworx.com
>> ...

I do the same, but it seems less relevant now.
In the past, when I published a trap address,
the bots harvested it and tried to send to it,
getting themselves trapped; but now they just shoot out
to wh4t3v3rg4rb...@mydomain.org, apparently generating
the user part themselves (as opposed to harvesting
real/trap addresses somewhere).

> I clean out the traps every few days with a script and back they come
> with new tries.

Yes. Recently, the 64.18.0.0 farm has been active on me.

$ spamdb | grep TRAPPED
TRAPPED|86.122.194.113|1356282022
TRAPPED|212.110.189.85|1356283885
TRAPPED|216.106.48.217|1356289572
TRAPPED|64.18.0.21|1356308593
TRAPPED|171.76.91.71|1356281598
TRAPPED|64.18.0.140|1356286482
TRAPPED|217.200.184.87|1356290678
TRAPPED|64.18.0.23|1356304740
TRAPPED|64.18.0.142|1356285089
TRAPPED|194.228.32.128|1356286433
TRAPPED|64.18.0.25|1356298962
TRAPPED|64.18.3.31|1356302574
TRAPPED|64.18.0.177|1356322196
TRAPPED|91.121.102.20|1356281598
TRAPPED|178.236.112.75|1356281598
TRAPPED|64.18.0.187|1356301851
TRAPPED|64.18.0.144|1356295832
TRAPPED|67.228.3.116|1356298119
TRAPPED|64.18.0.27|1356310158
TRAPPED|64.18.0.181|1356286964
TRAPPED|217.72.102.116|1356281598
TRAPPED|64.20.227.133|1356282002
TRAPPED|64.18.0.146|1356305342
TRAPPED|64.18.0.183|1356294508
TRAPPED|213.174.32.135|1356281598
TRAPPED|89.189.37.102|1356286482
TRAPPED|64.18.0.148|1356290415
TRAPPED|64.18.0.247|1356293785
TRAPPED|64.18.0.185|1356286052
TRAPPED|74.125.149.196|1356287445

_All_ of the 64.18.0.0 hosts are trying dd02...@stare.cz
for two days now ...

> @GOOD = (
>     qr'^[A-Za-z\.\+]+@mydomain.(com|se)$'i,
> );
> $COMPREHENSIVE = 1;

I was trying this too, until a customer made a typo,
blocking his company's smtp server.

On Nov 05 22:36:30, s...@spacehopper.org wrote:
> On 2012-11-01, Jan Stary <h...@stare.cz> wrote:
> > Anyway, it seems (some) spambots got less demented and actually do
> > resend, getting themselves whitelisted - thus working themselves
> > around the whole premise of greylisting.
>
> Not the whole premise... A good part of it is to just delay the mail,
> this increases the chance that spamtraps etc will have picked up the
> mail before you accept it, thus increasing the effectiveness of other
> checks (DNSBL, razor/pyzor, etc).

True. Greyscanner has helped me very much!

	Jan
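
Added example, not part of the original message and not greyscanner's own code: the "two or more digits in the user part" rule from the thread, applied to spamdb(8)-style GREY lines. The function names and sample lines are constructed for illustration; the field order assumed is GREY|ip|helo|from|to|..., and `spamdb -t -a` is the spamdb(8) option pair that adds a TRAPPED entry.

```shell
#!/bin/sh
# Reads spamdb-style lines on stdin and prints, once each, the source IP of
# every GREY entry whose recipient has two or more digits in the user part.
# A single digit is tolerated (possible typo); digits in the domain are ignored.
digit_trap_candidates() {
    awk -F'|' '
        $1 == "GREY" {
            rcpt = $5
            gsub(/[<>]/, "", rcpt)        # addresses may be stored as <user@host>
            at = index(rcpt, "@")
            if (at < 2) next              # empty or missing user part: skip
            user = substr(rcpt, 1, at - 1)
            n = gsub(/[0-9]/, "&", user)  # gsub returns how many digits matched
            if (n >= 2 && !seen[$2]++) print $2
        }'
}

# Constructed sample input (documentation addresses, not real spamdb output).
sample_spamdb() {
    cat <<'EOF'
GREY|192.0.2.10|mx.example.net|<bounce@example.net>|<a3d2f9@example.org>|1356281598|1356283398|1356295998|1|0
GREY|192.0.2.10|mx.example.net|<bounce@example.net>|<x7c85e@example.org>|1356281600|1356283400|1356296000|1|0
GREY|198.51.100.7|mail.example.com|<bob@example.com>|<alice2@example.org>|1356281700|1356283500|1356296100|1|0
GREY|203.0.113.5|smtp.example.com|<carol@example.com>|<info@mx01.example.org>|1356281800|1356283600|1356296200|1|0
WHITE|203.0.113.9|||1356281598|1356283398|1359391998|2|5
TRAPPED|192.0.2.77|1356282022
GREY|203.0.113.44|h.example.net|<x@example.net>|<wh4t3v3r@example.org>|1356281900|1356283700|1356296300|1|0
EOF
}

# Dry run: print the commands instead of modifying the database.
sample_spamdb | digit_trap_candidates | while read -r ip; do
    echo "spamdb -t -a $ip"
done
```

On a live host the input would come from `spamdb` itself; reviewing the dry-run output before trapping keeps a customer's typo from blocking a legitimate SMTP server, as happened with the @GOOD regexp above.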