[PLUG-TALK] A Semi-Rhetorical Question

Daniel Pittman daniel at rimspace.net
Sun Oct 17 09:00:36 UTC 2010


Rich Shepard <rshepard at appl-ecosys.com> writes:

> As I view the mail log each morning I'm struck how many rejected spams come
> from a single IP address in Argentina, Brazil, China, Vietnam, Korea, and
> similar countries. I'm seeing up to 5,000 attempts from a single IP address,
> all rejected by UCE control rules checked by postfix. This is obviously spam
> and I wonder why it's not cut off by the hosting ISP using automated
> tools. What a waste of bandwidth!

Outbound bandwidth use can reduce the cost for the ISP, FWIW.

> Were I naive I'd think it's because such tools are not available. But, I'm
> confident that such monitoring tools are available, but the ISPs just don't
> care.

...it could be.  It could also be that this is the compromised system of a
client who legitimately sent large volumes of email, or any number of other
scenarios where it isn't so trivial to deal with.

> I'm equally confident that I'm not the only recipient address on these
> attempts.
>
> Does anyone know whether responsible ISPs watch for such volume from a
> single IP address and throttle it when it passes a low threshold?

Generally not, although responsible ISPs do operate a functional abuse@
address, and do monitor for blacklisting of systems under their control.

They often also monitor content to identify infested machines, or deliberate
abuse, and factor things like connection attempts into the mix.

(Also, you better define "low threshold" well here: we recently did a
 corporate survey that had us sending ~ 6K invitations to their single inbound
 MX, throttled to 500 a minute at their request, and we are a relatively low
 volume sender in the big scheme of things.)

Regards,
        Daniel
-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons


