On 12.12.2017 09:00, Anvar Kuchkartaev wrote:
> If IP addresses and domain names continuously change, they are probably fake
> domain names and emails sent by randomly exploited servers.

No, not that way. That's what I used to see 5 or 10 years ago as the
main source of spam.

Nowadays I find most of the spam originating from cloud services / cheap
hosters, where they rent machines for short times, sometimes just hours.
Continuously changing doesn't mean completely random in this context.
Most of the time changing within the address range of a hoster, and
changing the hoster after one or a few days.

However, I find a significant number of helo names like

Sure, PCRE are possible, but I tend to avoid them, since RE are
expensive, and changing needs (afaik) a full reload of postfix, while a
mod to a database file is easier (although I agree that a RE might still
be faster than a database file lookup).

regards
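
One way to check for the pattern described in the message above (clients moving around inside one hoster's address range while the HELO name keeps changing), as an added example that is not part of the original post. It tallies HELO names from Postfix smtpd reject lines and groups them by client network; the log lines are constructed, and the /24 grouping and the threshold of three names are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in Postfix smtpd reject format (documentation
# address ranges and .example names; not data from the thread).
SAMPLE_LOG = """\
Dec 12 08:01:01 mx postfix/smtpd[2101]: connect from unknown[198.51.100.17]
Dec 12 08:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.17]: 554 5.7.1 Service unavailable; from=<a@abcde-xyz.example> to=<u@rcpt.example> proto=ESMTP helo=<abcde-xyz.example>
Dec 12 08:03:40 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.17]: 554 5.7.1 Service unavailable; from=<b@abcde-xyz.example> to=<v@rcpt.example> proto=ESMTP helo=<abcde-xyz.example>
Dec 12 09:15:11 mx postfix/smtpd[2230]: NOQUEUE: reject: RCPT from unknown[198.51.100.44]: 554 5.7.1 Service unavailable; from=<a@fghij-klm.example> to=<u@rcpt.example> proto=ESMTP helo=<fghij-klm.example>
Dec 12 11:42:07 mx postfix/smtpd[2377]: NOQUEUE: reject: RCPT from unknown[198.51.100.201]: 554 5.7.1 Service unavailable; from=<a@nopqr-stu.example> to=<u@rcpt.example> proto=ESMTP helo=<nopqr-stu.example>
Dec 12 12:00:30 mx postfix/smtpd[2401]: NOQUEUE: reject: RCPT from mail.legit.example[203.0.113.9]: 450 4.7.1 Try again later; from=<x@legit.example> to=<u@rcpt.example> proto=ESMTP helo=<mail.legit.example>
"""

# Client IPv4 address and announced HELO name from a reject line.
LINE_RE = re.compile(r"RCPT from \S*\[(?P<ip>[0-9.]+)\]:.*\bhelo=<(?P<helo>[^>]*)>")


def summarize(log_text, prefix_len=24):
    """Return (count per HELO name, set of HELO names per client network)."""
    helo_counts = Counter()
    per_net = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a reject line carrying a HELO name
        try:
            net = ipaddress.ip_network(f"{m.group('ip')}/{prefix_len}", strict=False)
        except ValueError:
            continue  # malformed address in the log line
        helo = m.group("helo").lower().rstrip(".")
        helo_counts[helo] += 1
        per_net[net].add(helo)
    return helo_counts, dict(per_net)


def rotating_networks(per_net, min_names=3):
    """Networks whose clients announced at least min_names distinct HELO names."""
    return sorted(str(n) for n, names in per_net.items() if len(names) >= min_names)


if __name__ == "__main__":
    counts, nets = summarize(SAMPLE_LOG)
    for name, n in sorted(counts.items()):
        print(f"{name:30} {n}")
    print("rotating:", rotating_networks(nets))
```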
