pf at alt-ctrl-del.org put forth on 4/11/2011 7:32 PM:

> Just because most of the emails are spam, doesn't mean that most of
> their customers are spammers. After all, the spammers are sending a lot
> more mail than legit sites do.
> 
> If the ISP has multiple /15's and /16's, I think that blocking all of
> their IPs then exempting specific IPs would take too much time and
> effort. I would just be playing a different version of whack-a-mole and
> constantly be adding new exempted IPs. My goal is to automate anything I
> can, and not replace one problem with another.

It is impossible to "automate" the rejection of snowshoe hosts.
Greylisting won't put much of a dent in it.  Snowshoe spam is horribly
expensive, in both time and money, to combat, precisely because the
hosts are typically technically set up just like legit outbounds to meet
RFC and BCPs.

Spamhaus SBL and DBL are getting better, but the lag time between a
snowshoe host hitting your server, and a DBL or SBL listing, can be days
or weeks.  Many of the snowshoe hosts hitting here never get listed on
the DBL or SBL.

The pay dnsbls from Invaluement work very well against snowshoe spam but
many/most mail OPs have a thing against paid dnsbls.  Those large enough
to already pay Spamhaus don't have a problem with this, and many of them
do use Invaluement.

In lieu of Invaluement, the only really solid defense against snowshoe
hosts is preemptive blocking of the networks from which they operate
after you identify snowshoe is emitting from said networks.  Snowshoers
usually use /29 to /24 allocations.  But often you'll see hijacked
netblocks up to /17 size with nothing but snowshoe emitting IPs throughout.

Using rDNS lookup tools can help you identify snowshoe ranges and block
them after you receive a few.  There is no way to automate this, as
software really can't tell the difference between the snowshoe domain
"screwyouispam.info" and "postfix.org".

Effectively fighting snowshoe (in lieu of Invaluement dnsbls) requires
manual intelligence gathering by the mail OP, local block list
generation, and good content filters.  Again, tweaking greylisting
delays is a wasted endeavor WRT snowshoe spam.

-- 
Stan
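
One way to do the manual-review-plus-local-block-list workflow described above, as an added example that is not from this thread: cluster observed client IPs by /24 and flag blocks where several distinct hosts share one templated rDNS name, then render a Postfix cidr: table for review. All IPs and rDNS names below are constructed documentation values, and the digit-collapsing heuristic is this example's own assumption; it is a triage aid for the mail op, not a substitute for the manual judgment the post calls for.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of (client IP, rDNS name) pairs, as a mail op might
# collect them from the MTA log.  Documentation addresses and made-up names.
SAMPLE = [
    ("192.0.2.10", "mail10.example-offers.info"),
    ("192.0.2.11", "mail11.example-offers.info"),
    ("192.0.2.12", "mail12.example-offers.info"),
    ("192.0.2.13", "mail13.example-offers.info"),
    ("198.51.100.7", "mx1.example.net"),            # lone legit-looking host
    ("203.0.113.40", "smtp40.example-deals.biz"),
    ("203.0.113.41", "smtp41.example-deals.biz"),
]


def rdns_template(name):
    """Collapse digit runs so 'mail10.x.info' and 'mail11.x.info' share a template."""
    return re.sub(r"\d+", "#", name.lower().rstrip("."))


def find_snowshoe_ranges(pairs, min_hosts=3, prefix=24):
    """Group clients by /prefix and flag a block when at least min_hosts
    distinct IPs in it share one rDNS template.  Returns {cidr: template}.
    A large legit ESP with numbered outbounds would match too, which is
    why the result is a candidate list for human review, not an auto-block."""
    by_net = defaultdict(lambda: defaultdict(set))  # net -> template -> ips
    for ip, name in pairs:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net][rdns_template(name)].add(ip)
    flagged = {}
    for net, templates in by_net.items():
        for tmpl, ips in templates.items():
            if len(ips) >= min_hosts:
                flagged[str(net)] = tmpl
    return flagged


def postfix_cidr_map(flagged):
    """Render a Postfix cidr: table usable with check_client_access."""
    return "\n".join(f"{net}\tREJECT snowshoe range ({tmpl})"
                     for net, tmpl in sorted(flagged.items()))


if __name__ == "__main__":
    print(postfix_cidr_map(find_snowshoe_ranges(SAMPLE)))
```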