ietf-asrg

[Asrg] Something I noticed...

2009-07-03 16:58:29
To get back to the research we are supposedly doing here....

I recently noticed something odd.  It could be nothing but a quirk of
my mail stream, or it could be something serious spamwatchers know all
about but I've missed - but it also might possibly be useful somehow.

My mailer does DNSBL checks.  One of them, probably the most useful
single one, is the Spamhaus Zen list.  But I noticed Zen-listed hosts
had a tendency to hammer on me despite 100% rejections (not surprising
in view of how much spammers, especially botnet-using spammers, pay
attention to things like SMTP response codes, ie, not at all).  So I
added a decoration: when a Zen-listed host tries to send me mail, it
goes into a router-based blacklist between my SMTP server and the
world, for 24 hours (longer if it retries during the 24 hours).  This
helps keep my logs clean, and that's the major value it holds for me;
I'm not under any delusions that anyone is paying any attention. :)

But, recently, looking at the plots of my router blacklist size, I
noticed some interesting artifacts.  On investigating, it turns out
that every once in a while (every few days), rather than puttering
along at its usual pace of a half-dozen events an hour, the Zen-driven
blacklist takes a big spike, jumping by something like 50 or 60 within
a couple of minutes.

I have speculation about what's behind this, but I'm sure many of you
do too (probably the same speculation in a lot of cases).  What I'm
really writing here for is, anyone have any idea for anything useful I
can do with the information?  I'll be happy to provide anyone who wants
with a feed of the underlying data, though I daresay those serious
about this stuff already have such data of their own.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse(_at_)rodents-montreal(_dot_)org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
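
The scheme described in the message above (a 24-hour block per Zen-listed host, extended on retry), together with a check for the bursts it mentions, as an added example that is not part of the original post. The class and function names, the 120-second window, the threshold of 30, and the rule that a retry restarts the 24-hour clock are assumptions; the sample events are constructed.

```python
from collections import deque

BLOCK_SECONDS = 24 * 3600   # 24-hour block, as in the post
SPIKE_WINDOW = 120          # assumed reading of "a couple of minutes"
SPIKE_THRESHOLD = 30        # assumed; far above the ~6/hour baseline

class ZenBlacklist:
    def __init__(self):
        self.expiry = {}       # ip -> time (seconds) when the block ends
        self.recent = deque()  # times of new additions inside the window
        self.spikes = []       # start time of each detected burst
        self._in_spike = False

    def is_blocked(self, ip, now):
        return self.expiry.get(ip, 0) > now

    def zen_hit(self, ip, now):
        """Record an attempt at time `now` from a host that is on Zen."""
        is_new = not self.is_blocked(ip, now)
        # Assumption: a retry during the block restarts the 24-hour clock.
        self.expiry[ip] = now + BLOCK_SECONDS
        if not is_new:
            return             # retries do not grow the list
        self.recent.append(now)
        while self.recent[0] <= now - SPIKE_WINDOW:
            self.recent.popleft()
        if len(self.recent) >= SPIKE_THRESHOLD:
            if not self._in_spike:      # report each burst once
                self.spikes.append(self.recent[0])
                self._in_spike = True
        else:
            self._in_spike = False

    def size(self, now):
        return sum(1 for end in self.expiry.values() if end > now)

def constructed_events():
    """Constructed sample: 6 new hosts/hour, plus 55 hosts in ~110 s at t=7200."""
    events = [(i * 600, f"198.51.100.{i}") for i in range(24)]
    events += [(7200 + 2 * i, f"203.0.113.{i}") for i in range(55)]
    events.append((3000, "198.51.100.0"))  # one retry by the first host
    return sorted(events)

def run(events):
    bl = ZenBlacklist()
    for now, ip in events:
        bl.zen_hit(ip, now)
    return bl
```

The recorded burst start times and the addresses added inside each window are the data to correlate against other sources when looking for what the simultaneous arrivals have in common.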

  • [Asrg] Something I noticed..., der Mouse <=