On Fri, 24 Jun 2005, Doug Royer wrote:

> Of the two of us, you would NOT HAVE A CLUE about if I can or
> can not read and understand my own logs :-)

I'm not saying you can't read logs. I'm saying there aren't any reliable automated methods of determining whether a message came from an open relay. So you are assuming too much about the meaning of your log entries. That it came from a machine on an "open relay" blacklist, doesn't mean it came from an open relay.

> I am sure that those 22,000+ spams were blocked by the DNS
> list that "says" it's an open relay list by SORBS and the other one.

I've no doubt they did. But the blacklists' word doesn't mean anything for several reasons. And furthermore, even by their own definition of what's in their blacklist, it doesn't mean that. You are misquoting them. They indicate that their blacklist also contains open proxies.

> > Note that 235.245.195.212 is not allocated. This is a forged header.
> > 66.59.238.35 isn't running an open relay. Indeed, I could not find a
> > single open relay spam in a sample of 15 of the 605 spams I've received in
> > the last 24 hours. But I did find forged headers pretending to be open
> > relay. Though that is also becoming the exception. Much spam doesn't even
> > bother with forged headers.
>
> I do NOT rely on ANY information from the content of SPAM to tell me
> anything. I use the getpeername() OS call to get the IP of the remote
> sending system - live as they send it.

The rest of this, I won't address. It's basically circular, since you are subscribing to a list known to promote abuse open relays; you probably get more open relay abuse as a result. This makes them appear more effective, and thus more valuable.

My only point is that by the indicator of hand analysis of received spam, and by the indicator of actual abuse of open relays, open relay abuse has dropped off to nearly nothing since Fall of 2003. So it seems interesting that you are still getting a lot of open relay abuse, and that open relay abuse accounts for 90% of your spam. This does not seem credible as a general statement. I'm not saying you are lying, but only that your experience isn't generally experienced by others.

> At this point, I'll take this off the ietf list
> and we can continue this between ourselves.

You'll have to quit using SORBS, if you want off-list email from me.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000
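An added illustration of the two points argued in this message (not code from either poster): only the Received line stamped by the receiving MTA reflects the live peer address, while lower lines are sender-supplied text that can name addresses no unicast host can hold, such as the 235.245.195.212 mentioned above. The sample message, host names and other addresses are constructed, and treating the first Received header as the locally stamped one is an assumption.

```python
import email
import ipaddress
import re

# Constructed sample, not a message from this thread. Assumption: the first
# Received line was stamped by our own MTA from the live TCP peer address
# (what getpeername() returns); everything below it is text the sender supplied.
RAW = """\
Received: from mail.example.net (unknown [198.51.100.7])
\tby mx.example.org with ESMTP; Fri, 24 Jun 2005 10:00:02 -0400
Received: from relay.example.com ([235.245.195.212])
\tby mail.example.net with SMTP; Fri, 24 Jun 2005 09:59:58 -0400
Received: from client.example.com ([203.0.113.9])
\tby relay.example.com with SMTP; Fri, 24 Jun 2005 09:59:50 -0400
From: sender@example.com
Subject: constructed sample

body
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def classify_hops(raw):
    """Return (ip, verdict) per Received header, newest first."""
    hops = email.message_from_string(raw).get_all("Received", [])
    results = []
    for index, header in enumerate(hops):
        match = BRACKETED_IP.search(header)
        if match is None:
            results.append((None, "no-ip"))
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:  # e.g. an octet above 255
            results.append((match.group(1), "impossible"))
            continue
        if index == 0:
            verdict = "trusted"        # recorded locally from the connection
        elif ip.is_multicast or ip.is_reserved or ip.is_loopback or ip.is_unspecified:
            verdict = "impossible"     # no unicast SMTP client can hold this address
        else:
            verdict = "unverifiable"   # plausible, but still only the sender's claim
        results.append((str(ip), verdict))
    return results

if __name__ == "__main__":
    for ip, verdict in classify_hops(RAW):
        print(ip, verdict)
```

An "unverifiable" hop is not evidence of relaying either way; it only marks where the locally observed facts end.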