I don't know if anyone else has noticed the same thing, but spam seems to be on a major increase again, one that makes last time (a few months ago, when I started a thread about it then) seem like nothing by comparison. I've also read a couple of articles in the online press bemoaning the latest resurgence. I'm curious to know what (if anything) other ISPs are doing to try and counter the flood of spam that seems to be happening lately.

Last time around I was mainly finding out about specific spam from customers forwarding it to me; this time around I'm receiving it myself as well, and in fairly large quantities. :-( So much so that I decided to go through and identify the source of my last week's spam, including all the stuff in my postmaster bounce box for the last week. (Yeah, ok, I probably had too much time on my hands, but it was really frustrating me :)

Double bounces are extremely common with spam, because all it takes is a spammer sending to a local address that doesn't exist anymore (which happens frequently, because they like to target multiple envelope addressees with the same message and never remove anyone from their lists) using a reply-to address which is fake (which is the case 95% of the time, including the infamous "Reply with the word REMOVE to be removed" messages). Because of that nearly every double bounce is spam, all nicely sorted for me including headers :)

I ended up adding over 100 entries to my manual blocklist just in the one session... in a way it's just a futile outlet for frustration, but I did find some interesting statistics:

* The bulk of the spam for the last week (by message count) was sent by just a few (<20) sources, with one particular case where the same source was spamming the same 30 addresses nearly every hour. (Eeek) Most of the other sources were only one message apiece. (In other words they were probably randomly used relays, rather than the original source, since a number of the messages were identical although the last-hop relay was different.)

* Almost every message has the return address forged (surprise ;-), usually to a well-known domain, like yahoo.com.

* A large percentage have IPs that don't resolve. Together with setting the HELO response to the name of the domain they're impersonating, it can be easy to overlook their forgery in the Received lines, eg:

    Received: from bigpond.com.au ([211.251.218.2])

  It's not until you remember that the hostname should be within the parentheses that you realise it's fake.. :)

* Some spammers seem to group email addresses together by domain name and send them as one message (presumably to save bandwidth, by letting the destination MTA handle the multiple delivery), but in doing so they often also list all the email addresses in the CC: field, which looks VERY bad to any customer receiving that mail. (They think a group of email addresses have been "sold" to spammers, when it's really just "normally" harvested addresses being sorted by domain.)

* Most IP addresses seemed to be either schools or businesses in Korea, or ADSL addresses in the US, Australia or the Netherlands.

Very few (maybe 5%) of the spam actually came legitimately through the mailserver of the domain it purported to be from.

Anyone else have any similar experiences? Anyone else keeping track of spam or trying to fight it in any way?

While I'm on the subject, what is the accepted contact address these days for reporting spam to (NZ) ISPs? postmaster@ or abuse@ or ? I forwarded a copy of spam that originated at an NZ ISP to postmaster@ their domain but haven't heard back yet. I realise that the postmaster address can be a bit over-used since that's where most MTAs like to send their delivery notifications etc. to....
Regards,
Simon Byrnand
iGRIN Internet

-
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
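An added example, not from Simon's post or from any NZNOG or iGRIN tool: a small Python triage script that pulls the HELO name, the reverse-DNS name and the connecting IP out of sendmail-style "Received: from <helo> (<rdns> [<ip>])" lines and applies the check described in the post, flagging a hop whose HELO claims the purported sender's domain while the connecting IP either has no reverse DNS at all (only "([ip])" appears) or resolves to a name in some other domain. The header block is constructed for the example: only the bigpond line reproduces the shape quoted in the post; mx.example.nz, the isp.example name and the 192.0.2.x / 198.51.100.x addresses are documentation placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sendmail-style Received line: "from <HELO name> (<reverse DNS name> [<ip>]) by ..."
# When the connecting IP has no reverse DNS, only "([<ip>])" appears, so the
# HELO name is the client's own unverified claim.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)",
    re.IGNORECASE,
)


@dataclass
class HopCheck:
    helo: str            # name the client gave in HELO/EHLO
    rdns: Optional[str]  # reverse DNS of the connecting IP, if the MTA found one
    ip: str
    verdict: str         # consistent | unverified-helo | helo-rdns-mismatch | likely-forged


def same_domain(a: str, b: str) -> bool:
    """True if one name equals the other or is a subdomain of it."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def unfold(headers: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    out: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def check_hop(line: str, sender_domain: str) -> Optional[HopCheck]:
    """Classify one Received: line against the domain the mail claims to be from."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
    claims_sender = same_domain(helo, sender_domain)
    if rdns is None:
        # Nothing on the line backs the HELO up; if it also claims the sender's
        # domain, that is the pattern from the post.
        verdict = "likely-forged" if claims_sender else "unverified-helo"
    elif same_domain(rdns, helo):
        verdict = "consistent"
    else:
        verdict = "likely-forged" if claims_sender else "helo-rdns-mismatch"
    return HopCheck(helo, rdns, ip, verdict)


def triage(headers: str, sender_domain: str) -> List[HopCheck]:
    """Run check_hop over every Received: line in a (possibly folded) header block."""
    return [h for h in (check_hop(l, sender_domain) for l in unfold(headers)) if h]


# Constructed sample: the first line has the shape quoted in the post; the other
# two use documentation addresses and hypothetical host names.
SAMPLE_HEADERS = """\
Received: from bigpond.com.au ([211.251.218.2])
    by mx.example.nz with SMTP id placeholder
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.nz with ESMTP id placeholder
Received: from yahoo.com (dsl-pool-77.isp.example [198.51.100.77])
    by mx.example.nz with SMTP id placeholder
"""

if __name__ == "__main__":
    for hop in triage(SAMPLE_HEADERS, "bigpond.com.au"):
        print(f"{hop.ip:16} helo={hop.helo:18} rdns={hop.rdns or '-':28} {hop.verdict}")
```

The verdicts are a sorting aid for the kind of bounce-box review described above, not a block decision on their own: a legitimate host with no reverse DNS lands in "unverified-helo", and only a HELO that both lacks corroboration and borrows the sender's domain is marked "likely-forged". The regex covers the sendmail layout quoted in the post; other MTAs (Postfix, Exim, qmail) write their own Received formats and would need their own pattern.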