Eric Johnson wrote:
The first type of traffic happens quite often to many different e-mail addresses. In this case, we see multiple attempts over a short period of time from a number of different zombies to send e-mail to a single e-mail address using the same "mail from:".
...
I also see a number of connection attempts where an individual spam zombie tries to connect two or three times with either an obviously bogus "mail from" or a source that doesn't even begin to match the "mail from" domain. The attempts are spread over the course of a minute or two and then it gives up to find an easier target. The second is within seconds after the first attempt fails. I haven't seen them try again after two or three attempts.
I've seen both behaviors with greylisting, and other behaviors as well. They still don't get past spamd, so I don't worry much about them. There are many different behaviors depending on what spam sending software they're using, and it'll change somewhat next week or next month. Rather than trying to match the current patterns just let spamd work. Added benefit if you have some old, spam-laden addresses to use as spamtraps. That will blacklist a lot of zombies no matter their sending pattern of the week.

-- 
Darrin Chandler | Phoenix BSD Users Group
[EMAIL PROTECTED] | http://bsd.phoenix.az.us/
http://www.stilyagin.com/ |
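The two sending patterns discussed in this thread, run through a simplified greylisting and greytrapping model. This is an added example, not part of the original posts and not spamd's code; the class and function names are hypothetical, the timings are assumed to be spamd's documented defaults, and all addresses are constructed.

```python
# Simplified greylisting + greytrapping model (added example, not spamd's code).
PASSTIME = 25 * 60    # s before a retry of the same tuple is accepted (spamd default)
GREYEXP = 4 * 3600    # s after which an unretried grey entry is forgotten (spamd default)
TRAPEXP = 24 * 3600   # s a host stays blacklisted after hitting a spamtrap (spamd default)

class Greylist:
    def __init__(self, traps=()):
        self.traps = set(traps)  # spamtrap recipient addresses
        self.grey = {}           # (ip, mail_from, rcpt) -> time first seen
        self.white = set()       # IPs that passed greylisting
        self.trapped = {}        # ip -> time the blacklist entry expires

    def attempt(self, now, ip, mail_from, rcpt):
        """Return 'pass', 'tempfail' or 'trapped' for one delivery attempt."""
        if self.trapped.get(ip, 0) > now:
            return "trapped"
        if ip in self.white:
            return "pass"
        if rcpt in self.traps:   # only not-yet-whitelisted hosts get trapped
            self.trapped[ip] = now + TRAPEXP
            return "trapped"
        first = self.grey.get((ip, mail_from, rcpt))
        if first is None or now - first > GREYEXP:
            self.grey[(ip, mail_from, rcpt)] = now
            return "tempfail"
        if now - first >= PASSTIME:
            self.white.add(ip)
            return "pass"
        return "tempfail"

# Constructed scenarios; all addresses are documentation ranges and example domains.
def single_zombie():   # one host, bogus sender, three tries inside two minutes
    g = Greylist()
    return [g.attempt(t, "192.0.2.10", "bogus@example.net", "user@example.org")
            for t in (0, 5, 110)]
def zombie_swarm():    # many hosts, same MAIL FROM, same recipient, seconds apart
    g = Greylist()
    return [g.attempt(3 * i, f"198.51.100.{i}", "same@example.net", "user@example.org")
            for i in range(1, 6)]
def real_mta():        # queueing MTA retries after 5 and 30 minutes
    g = Greylist()
    return [g.attempt(t, "203.0.113.5", "alice@example.com", "user@example.org")
            for t in (0, 300, 1800)]
def trap_hit():        # zombie mails a trap address, then a real user an hour later
    g = Greylist(traps={"old@example.org"})
    return [g.attempt(0, "192.0.2.10", "x@example.net", "old@example.org"),
            g.attempt(3600, "192.0.2.10", "x@example.net", "user@example.org")]
```

Each zombie in the swarm arrives from a different address, so each starts its own grey entry and none reaches the pass time, while the trap hit blocks the host for every recipient regardless of how it retries.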