<<< 454 Stick it up your mail queue

Geeky anti-spam stuff…

Well, my initial plan was to issue a 4xx code for all bounces (meaning mail from: ) and then be ready to block the folks that were hitting us excessively at the firewall level as well.

Instead, I decided to skip directly to the firewall stage and refuse all sendmail connections from these hosts. Of course, I would not recommend to do this on a real production mail server, but this is a special situation. None of these domains are ever used for legitimate email, so 1. I don’t have to worry about dropping legitimate mail, since there isn’t any, and 2. All bounces are guaranteed to be due to accepting forged mail.

So, perhaps these sites will get connection refused and start to choke on the backlog. Then again, perhaps they are already choking on a large backlog anyway.

These are the top 18 that I decided to block today, along with the surrounding /24. The numbers are how many bounces that subnet tried to send us in approximately 20 hours yesterday.

213.180.130. 18072 # smtp1.poczta.onet.pl [213.180.130.31]
216.155.197.  6897 # mtaXXX.mail.dcn.yahoo.com [216.155.197.*]
216.109.118.       # mta101.mail.dcn.yahoo.com [216.109.118.1]
66.218.86.    6232 # mtaXXX.mail.scd.yahoo.com [66.218.86.*]
66.163.174.        # mtaXXX.mail.sc5.yahoo.com [66.163.174.*]
64.12.138.    3756 # omr-m02.mx.aol.com [64.12.138.2]
212.24.65.    2539 # stamp.eurobell.net [212.24.65.75]
128.100.132.  1792 # bureau16.ns.utoronto.ca [128.100.132.44]
152.163.225.  1544 # omr-r09.mx.aol.com [152.163.225.154]
213.171.216.  1362 # mailqcluster.fasthosts.co.uk [213.171.216.27]
194.193.3.    1087 # deep-thought.tandf.co.uk [194.193.3.13]
200.37.174.   1015 # uapmail.uap.edu.pe [200.37.174.126]
205.188.159.   736 # omr-d07.mx.aol.com [205.188.159.13]
129.173.67.    708 # waffle.cs.Dal.Ca [129.173.67.10]
62.253.162.    690 # mta01-svc.ntlworld.com [62.253.162.41]
216.41.128.    465 # parcheesi.mail.semo.net [216.41.128.79]
200.37.28.     396 # smtpin.tempotours.com.pe [200.37.28.5]
194.168.54.    278 # mailrelay1-gui.server.ntli.net [194.168.54.49]

Note: Block at your own risk. Just because they are sources of a large amount of forged mail doesn’t mean they are *only* sending spam. If you do want to block these and other sources of bounce-spam, you might want to block only MAIL FROM: and let the rest get caught by normal spam filters, or else check your stash of known-good mail for these ranges, or whatever.

At any rate, this 40k – 50k per day doesn’t quite put a dent in our estimated 1M bounces per day to our handful of well-abused domains, but if two or three of the admins of the 18 blocked ranges will wake up and smell the mail queue, my job here is done (for the day).

Leave a Reply