
Recovering the Slums of the Internet? 218

turtleshadow writes "Brian Krebs of the Security Fix Blog analyzes the McColo Spamming one year later and asks an interesting question: 'How does one renovate and recoup the lost trust to the slums of the Internet and reclaim back all the domains and IPs that have been blacklisted?' Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases — but given the basic design of the Internet, what happens over the long run to IP space and DNS when hosting companies come and go and vary in their trustworthiness? So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories. How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum? When do you, if ever, roll back the blacklists and filters for 'dead' threats and spammers?"
This discussion has been archived. No new comments can be posted.

  • Solution (Score:2, Informative)

    IPv6!
    • Re: (Score:2, Interesting)

      by Tubal-Cain ( 1289912 )
      That will prevent us from running out of unblocked IP addresses, but it does nothing to avoid being bitten by filtering rules based on a previously bad domain name (like geocities.com).
      • Re:Solution (Score:5, Funny)

        by stephanruby ( 542433 ) on Thursday November 12, 2009 @06:21PM (#30081102)

        Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.

        Frankly, I think that there are more pressing problems to think about.

        • Re: (Score:3, Funny)

          by Anonymous Coward

          Simple. Do not call your web site goatse, or geocities. If someone registers that domain name, because he's too young to remember, or whatever... He'll figure out pretty quickly that things don't work for him, so he'll pick a different domain name, like goatsrus, geotowns, geomegacities, or whatever.

          I'm going to start a free hosting service for shock sites called Goatsecities...

        • And God knows we can't even consider solving a problem properly when more pressing problems exist.

        • Re: (Score:2, Funny)

          by AndroidCat ( 229562 )
          And never try to use any domain that has doubleclick as part of the name. Only a fool or someone intent on evil would do that.
      • I don't understand why geocities old IP addresses would be a bad location? Why was geocities.com filtered?

  • by Anonymous Coward

    OMG WTF PONNIES!!!

  • did not Godaddy get its start registering pr0n sites?
  • What slums? (Score:3, Funny)

    by Dunbal ( 464142 ) on Thursday November 12, 2009 @06:02PM (#30080852)

    I thought they'd switched off geocities already?

    • Re: (Score:3, Informative)

      by Tubal-Cain ( 1289912 )
      Yes, but if someone tries to create a new Biosphere and call the project "GeoCity", a website about the project will find itself needlessly blocked by filter rules set years ago and were never removed.
      • Re: (Score:3, Funny)

        by Arancaytar ( 966377 )

        What filter rules? I mean, okay, that light on dark text and background midi and blinking marquees were annoying, but still, you could just not visit...

      • by socsoc ( 1116769 )
        Yep, cause the last Biosphere project worked out so well with their pseudo-science...
      • Re: (Score:3, Funny)

        Yes, but if someone tries to create a new Biosphere and call the project "GeoCity", a website about the project will find itself needlessly blocked by filter rules set years ago and were never removed.

        Well, it still wouldn't hurt their reputation as badly as if they'd called it Bio-Dome [imdb.com].

  • Easy solution: (Score:3, Informative)

    by eln ( 21727 ) on Thursday November 12, 2009 @06:05PM (#30080876)
    Stop relying on blacklists as your primary (or only!) filtering mechanism. There are far more sophisticated filtering solutions out there these days. Filtering based solely on blacklists is antiquated, ineffective, and vulnerable to massive issues with false positives. If you only use blacklisting as a very small part of your overall filter scoring, you won't have problems when the IPs in question get turned over to non-spammers. Sure, they'll still end up with a non-zero "spam" score, but not a high enough one to be blocked.

    And, of course, you should regularly be looking at your entire setup, including filtering, on a regular basis to make sure the solution you have is still the best one for your situation. Technology, and the Internet, changes too rapidly to take a "set and forget" attitude toward anything, especially filtering.
    • Stop relying on blacklists as your primary (or only!) filtering mechanism

      The people with the problem (the new owners of the IP address space) are not the people who can make the problem go away by your suggestion. Yes, it might be nice if everyone did make this change, but it is also highly unlikely.

      I have seen even worse use of blacklists -- for example I came across one company that was rejecting email if a blacklist was matched anywhere in the "Received" lines, and their set of blacklists included

      • What if our operating systems were more secure, or if virtualization became universally used? Wouldn't that make it less necessary to use blacklists? I mean, if there's no danger from malware, then I don't have to worry so much if I open an attachment from an email that looks like it's coming from a friend. Worst thing it can do is blow up my virtual machine and I can just close a window and keep on going. It would also make hackers look for other ways to do evil besides attacking our desktops.

        Is virtua

        • Re: (Score:3, Interesting)

          by genner ( 694963 )

          What if our operating systems were more secure, or if virtualization became universally used? Wouldn't that make it less necessary to use blacklists? I mean, if there's no danger from malware, then I don't have to worry so much if I open an attachment from an email that looks like it's coming from a friend. Worst thing it can do is blow up my virtual machine and I can just close a window and keep on going. It would also make hackers look for other ways to do evil besides attacking our desktops.

          Is virtualization as secure as I think it is? I admit I don't know a lot about internet security beyond just being careful and using protection, so I'd like to hear what those of you who have expertise think.

          It's not about viruses; it's the sheer volume of spam hitting mail servers that makes blacklisting necessary.
          If you remove it you're essentially allowing yourself to be DOS'd.

          • Re: (Score:2, Funny)

            not my fault you have small pipes.

            aEN
            • Well I'm happy to hear that you are so filthy rich that you do not care about paying for extra bandwidth just to receive other people's junk.

            • It even doesn't have much to do with data bandwidth.

              It has to do with human processing ability.

              If you don't filter the spam out, then you'll miss quite a lot of legitimate e-mails, and may not even check your e-mail at all.

          • It's not about viruses; it's the sheer volume of spam hitting mail servers that makes blacklisting necessary.

            Makes sense. Thanks for the explanation.

            I saw "hackers" mentioned above and I thought the problem with the large number of blacklisted IPs was malware.

          • Greylisting takes out 90% of the spam for me.

            And if there are false positives in that, then it's time for the sender to properly set up their e-mail system. Greylisting is based on senders having proper mailers. A single retry after a few minutes and you're through. It's just that spammers' fire-and-forget mailers do not retry.

            And after that it's SpamAssassin looking at the rest, using a.o. various RBLs.

            I wouldn't consider using any RBL as fully authoritative though, like blocking on SMTP level based on

            • I considered using greylisting but the number one issue with greylisting for me is that it turns email from "arrives in 3 to 30 seconds" to "arrives in 3 seconds to 6 hours". Also, most greylisting setups I've had to deal with were kind of, for lack of a better description, wonky and paranoid ("You're not on our Good Guys(tm) list? REJECTED!"). I suppose greylisting is better than the horribly broken approach of rejecting incoming mail where reverse lookup doesn't match (e.g. email from somecompany.com whic

              • The delay is only for new senders and admittedly can be irritating if you're waiting for a web sign-up reply or so (but then you could just use mailinator for that). It saves so much spam processing that I consider it a very good trade-off.

                For anyone e-mailing me more than once every three months or so (as in all regular contacts) there is no extra delay.

                • You're assuming that everyone doing greylisting is doing it "properly" and even then it's an inconvenience.

                  /Mikael
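
The greylisting behaviour debated in this sub-thread, as an added example (not code from any commenter): a new sender/recipient triplet gets a temporary 451, a retry after a few minutes is accepted, and regular correspondents see no further delay. The 5-minute minimum delay and 4-hour retry window are assumptions; the 90-day pass lifetime mirrors the "once every three months" remark above.

```python
from datetime import datetime, timedelta


class Greylist:
    """Triplet greylist: (client IP, envelope sender, envelope recipient)."""

    def __init__(self, min_delay=timedelta(minutes=5),
                 retry_window=timedelta(hours=4),
                 pass_lifetime=timedelta(days=90)):
        self.min_delay = min_delay          # earliest acceptable retry (assumed)
        self.retry_window = retry_window    # latest acceptable retry (assumed)
        self.pass_lifetime = pass_lifetime  # how long a proven triplet stays known
        self.pending = {}                   # triplet -> time of first attempt
        self.passed = {}                    # triplet -> time of last accepted mail

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (smtp_code, reason) for one RCPT TO attempt."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())

        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= self.pass_lifetime:
            self.passed[key] = now          # regular contact: refresh, no delay
            return 250, "known triplet"
        self.passed.pop(key, None)          # expired: must prove itself again

        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now         # new (or too-late) attempt: defer
            return 451, "greylisted, try again later"
        if now - first < self.min_delay:
            return 451, "retry too soon"
        del self.pending[key]               # a real MTA queued and retried
        self.passed[key] = now
        return 250, "retry accepted"


def demo():
    """Constructed senders: one queueing MTA, one fire-and-forget mailer."""
    gl = Greylist()
    t0 = datetime(2009, 11, 12, 18, 0)
    legit = ("192.0.2.10", "alice@example.org", "bob@example.net")
    spam = ("198.51.100.66", "x@example.com", "bob@example.net")
    return [
        gl.check(*legit, now=t0)[0],                          # first contact
        gl.check(*spam, now=t0)[0],                           # never retries
        gl.check(*legit, now=t0 + timedelta(minutes=1))[0],   # retry too early
        gl.check(*legit, now=t0 + timedelta(minutes=10))[0],  # proper retry
        gl.check(*legit, now=t0 + timedelta(days=30))[0],     # regular contact
        gl.check(*legit, now=t0 + timedelta(days=150))[0],    # silent > 90 days
    ]


if __name__ == "__main__":
    print(demo())
```

The delay complained about above comes entirely from the sending server's retry schedule: the receiver only enforces the minimum, so a sender that waits hours between retries delivers hours late.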

    • Stop relying on blacklists as your primary (or only!) filtering mechanism. There are far more sophisticated filtering solutions out there these days. Filtering based solely on blacklists is antiquated, ineffective, and vulnerable to massive issues with false positives.

      Avoiding a primary reliance on blacklists is generally good advice, but let's not overstate things.

      In a SOHO environment, for example, it could be considered perfectly acceptable, and offers a surprisingly effective and simple setup with non

      • by socsoc ( 1116769 )
        Why doesn't grey listing work? Many people that I regularly correspond with have grey listing setup and aside from the annoyances in my MTA logs, it works fine. A legit e-mail server will try again later.
    • Re: (Score:3, Interesting)

      by EdIII ( 1114411 ) *

      You didn't provide him a solution at all. Not really. Don't get me wrong, you are entirely correct in your advice.

      However, how are you supposed to get that advice to, or even communicate reliably with, stubborn and/or stupid mail server admins? The problem most often is on the *other* side.

      The mail server admins at Craigslist.org deserve to be shot (they really do, at least with rubber bullets). I have run into problems getting email to a mail server in which I am apparently blocked by five-ten-sg.com.

      • However, how are you supposed to get that advice to, or even communicate reliably with, stubborn and/or stupid mail server admins? The problem most often is on the *other* side.

        Indeed, I once had an issue with a Turkish ISP (forgot the name of them) that had some seriously misconfigured mail server that kept throwing a lot of traffic my way (thousands of junk bounces per day for several days while one of my domains (that has a proper SPF record setup btw) was getting joe-jobbed), I tried contacting them, explained the issue and in what way their server was misbehaving and got a reply back that could be summed up as "Why should we listen to you? You're just some spammer trying to m

  • by DeadDecoy ( 877617 ) on Thursday November 12, 2009 @06:06PM (#30080902)
    You don't. The Internet never forgets, never forgives.
  • I think I've gone aphasic. The summary/quote didn't make an ounce of sense to me.
    • Yeah, no joke.

      Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices

      Even for Slashdot, that's a lot of slashes. I sprained my Wernicke's Area [wikipedia.org] trying to parse that.

  • Usually never (Score:4, Insightful)

    by Todd Knarr ( 15451 ) on Thursday November 12, 2009 @06:08PM (#30080916) Homepage

    When do I clean addresses and domains out of my filters? Usually never. It's just too much trouble to keep tabs on all of them and actively look for them being cleaned up. Once they're in the filters, there they stay until something happens to make me take a look at them. Usually that something'll be someone I know getting caught by the e-mail filters and contacting me out-of-band to find out why I'm not responding to their mail. Or it might be me trying to go to a site I added to the filters ages ago and being blocked when I know it should be clean now, and I go and find it and remove it. But generally, unless something like that motivates me, I've got better things to do with my time than keeping track of all the bad guys I've run across over the years and whether they've mended their ways or not.

    • Surely you reject mail at SMTP time, allowing the sending server to notify the sender that the mail didn't get through, right?

      • SMTP protocol? Hello, why am I wasting my CPU cycles and bandwidth on reading and rejecting a spammer's SMTP exchange? Their IP ranges go into my firewall and their packets get dropped long before they get anywhere near the SMTP server. If they get through that and get caught by the SMTP server's checks then yes they'll get an appropriate error code back, but that's a last-ditch check because Rule #1: you can't trust anything a spammer sends you, this includes their HELO/EHLO command.

        • by XanC ( 644172 )

          So why are people's emails going into a blackhole, rather than them getting a bounce from their server?

          Or maybe I misread your original sentence about people contacting you out-of-band; I interpreted that to mean they had no clue why you weren't answering, but it could easily be as a result of an undeliverable notification. My bad.

          • If he firewalls, they will get a "message undeliverable" from their own mailserver, since it can't connect to his mailserver to hand the message off. The message won't disappear from their local mail queue just because he's bit-bucketing the packets that are trying to establish connection.

    • by schon ( 31600 )

      Like you, I blacklist at my firewall... I also send reports to the block's owner... unlike you (apparently :) I go through my blacklist every few months, and if there haven't been any hits from that block, I'll remove it. I figure that will prevent the list from eventually becoming 0.0.0.0/0. :)

      • by socsoc ( 1116769 )
        Postini does a great job for me and is mainly hands off. My work domains get a lot of dictionary spam and once I switched from an in-house solution it's gone dramatically down. My time is better spent elsewhere, to hell with the blacklists and spam filtering software that I used to maintain.
  • Where are the cops? (Score:3, Interesting)

    by NoYob ( 1630681 ) on Thursday November 12, 2009 @06:09PM (#30080932)

    In addition, at least one fraud expert who works with a number of big name retailers said online retail fraud rates fell from around $250,000 per day to zero for a short time following McColo's takedow

    Why aren't the cops there getting customers lists from McColo and going after the fraudsters?

    As far as the toxic waste is concerned, have the Government take those toxic addresses and have the Government turn their current addresses back into the pool. That will detox those addresses quick.

    • Re: (Score:2, Interesting)

      by ShaunC ( 203807 )

      Why aren't the cops there getting customers lists from McColo and going after the fraudsters?

      In the case of McColo (and RBN), many of the fraudsters probably are cops, or at least have cops on the payroll.

    • by Dunbal ( 464142 ) on Thursday November 12, 2009 @06:21PM (#30081090)

      Why aren't the cops there getting customers lists from McColo and going after the fraudsters?

      Because the police are far too busy going after the real [lockergnome.com] criminals [cnn.com] to waste time with legitimate fraudsters.

    • Re: (Score:3, Interesting)

      by screeble ( 664005 )

      You know... That's a really good idea.

      Signed IP swapping somehow... Reverify those IP addresses as valid.

      It would only require transferring them to a host processing site.

      Then, they could be removed from block lists and be reallocated.

      It would be a fuck load of record updates, though.

  • Easy (Score:4, Interesting)

    by Jazz-Masta ( 240659 ) on Thursday November 12, 2009 @06:10PM (#30080966)

    Before you order a co-lo, agree that it has to pass certain checks, such as a blacklist check.

    http://www.mxtoolbox.com/blacklists.aspx

    As for decreasing IP space, IPv6 (real or tunneling) is available at most large co-lo places, so that won't be a problem.

  • by Tackhead ( 54550 ) on Thursday November 12, 2009 @06:12PM (#30080984)

    How, in a few years, will I tell if some Hosting/Colo sold me Whitechapel Road/Ventura Avenue for Mayfair/Boardwalk prices, and no one is going to accept my mail from a former slum?

    As the purchaser, you probably can't. But what you can do is demand that your provider move you to a better IP neighborhood, or renegotiate (read: "tear up") the contract.

    Blocklists aren't about playing whack-a-mole with spammers, they're about disincentivizing spam-friendly providers.

    If you're an ISP or hosting provider, and you harbor spammers and botnets, the IP ranges you hold are permanently devalued. That means it's harder for you to get customers, more expensive to support your legitimate customers, and your business, when you decide to sell it, is worth less than if you'd booted the goddamn spammers off your network when you had the chance.

    Car Analogy: If you're doing your own oil changes, and instead of hauling the waste oil to a recycler, you dump it into your backyard, don't complain when you try and sell your house and the highest bid still leaves you $100,000 underwater on your mortgage, or requires you to spend $150,000 remediating it. Your property is worth less than it could have been, had you only been a better steward of it.

    • The word is "incite".

      • It is irritating to see the birth of yet another corporate-speak word. Unfortunately I don't think incite is going to ever be a good replacement. Incite has the strong connotation of encouraging someone to do something bad instead of something good.

        Unfortunately, given its origins, "incentivize" is likely to acquire the same connotation over time.

  • by bmo ( 77928 ) on Thursday November 12, 2009 @06:21PM (#30081100)

    ...because 90 percent of everything is crap.

    > So too, now Geocities is dead [as a business], but does that still live in your filter list? It still appears in OpenDNS under several policy categories.

    If you filter via OpenDNS, then you get what you deserve.

    If you've done *any* metamoderating of OpenDNS website classifications, you will soon decide that poo flinging chimpanzees are more accurate.

    I came, I saw, I ran away screaming.

    --
    BMO

  • 4chan (Score:5, Insightful)

    by meow27 ( 1526173 ) on Thursday November 12, 2009 @06:29PM (#30081180)
    Isn't THAT the slum of the internet?
    • Re: (Score:3, Funny)

      by Fry-kun ( 619632 )

      /b/ is the fist thing that came to my mind as well

    • Re:4chan (Score:4, Insightful)

      by petrus4 ( 213815 ) on Thursday November 12, 2009 @07:35PM (#30081866) Homepage Journal

      Mod parent +5,000, Insightful.

      Seriously; if maintaining your level of faith in the compassion, empathy, and fundamental decency of the human species is something you care about, don't ever visit 4chan.

      That site is very little more than a showcase of the very worst, morally, psychologically, and emotionally, that humanity is capable of.

      • Re:4chan (Score:5, Funny)

        by foo1752 ( 555890 ) on Thursday November 12, 2009 @08:29PM (#30082310) Homepage

        Mod parent +5,000, Insightful.

        You missed your chance, dude. You should have said: Mod parent over 9000, Insightful.

      • That site is very little more than a showcase of the very worst, morally, psychologically, and emotionally, that humanity is capable of.

        Which is why /b/ tends to provide great entertainment. It is always impressive to see how low people can go for their 15 seconds of "fame".

  • 1 year (Score:5, Insightful)

    by scorp1us ( 235526 ) on Thursday November 12, 2009 @06:30PM (#30081198) Journal

    Everything should expire after a year.

    I also would suggest this in government. That all laws get renewed to automatically expire after 10 years. That way we can keep the law makers busy keeping the good laws while letting the old ones die, as well as keeping them from making crappy new ones that won't survive a 10 year renewal.

    • Exactly!! (Score:2, Insightful)

      by XanC ( 644172 )

      They're desperate to show that they're doing something. Make it so they have to do something to maintain the status quo and everybody's happy.

    • Re: (Score:3, Insightful)

      by zippthorne ( 748122 )

      Agreed. Also, all laws must be read into the record. That'll put an upper bound on the sheer magnitude of legislation and guarantee that the aforementioned laws have been read at least once.

      • Re:1 year (Score:4, Insightful)

        by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Thursday November 12, 2009 @08:42PM (#30082400)

        Reading every law? What about the building code? What about trade duty schedules? What about the tax law (a lot of the complexity of which is actually necessary)? I'm sure you can find many more examples [cornell.edu]. It's as if you're asking for every computer program to be dictated by telephone. Your request reflects a very naive view, namely that complex societies like ours can be governed by simple laws.

        If we actually tried what you suggest, what we'd see is simple legislation. Because these laws would have to be simple, they couldn't address subtleties and special cases, and as a result, these laws would cause a lot of injustice. Is this the world you'd really like to live in?

        I never understood how people like you can see all law as universally bad, and how you actually hope for a "gridlock". Bad government is bad, yes, but good government is also good. You'd argue that all government is bad government, but if you look around, any reasonable person will see that argument is nonsense. Only ideologues maintain that government is always the problem.

        • Hogwash: Building codes are regulatory, just like FCC and FAA rules, or public utilities commission rules. The only laws involved are usually rather simple and to the point in delegating the authority to an administrative agency generally controlled by the executive branch of the appropriate government.

          As far as tax law, it's only necessary to not have a graduated flat tax (e.g. taxed on what you earn above minimum wage times 2080 hours + $1) if you are intent on hiding your legislative cronyism, malfeasanc

          • Also, I remember a debate from my college days when it was suggested that the best form of government was in fact a benevolent dictatorship. No thank you.

            Of course the best form of government is benevolent dictatorship. The only problem is that benevolent dictatorships tend not to stay benevolent, especially when authority is passed down to the dictator's heirs.

        • However, in a jury system, if juries are given power to interpret the laws, then you get interesting consequences.

          Intentionally vague laws can be abused, yes, but they're also flexible in the other direction.

        • by tjstork ( 137384 )

          You'd argue that all government is bad government, but if you look around, any reasonable person will see that argument is nonsense. Only ideologues maintain that government is always the problem.

          Has the thought ever occurred to you that some of us may see the expansion of government as evidence of a decline in society? It's like public schools in inner cities. Why are they expensive? It's because they are the only institution with money and so everyone hangs their hat on them. You can either underfund th

    • Everything should expire after a year.

      I also would suggest this in government. That all laws get renewed to automatically expire after 10 years. That way we can keep the law makers busy keeping the good laws while letting the old ones die, as well as keeping them from making crappy new ones that won't survive a 10 year renewal.

      I used to think that would be a good idea, but then I realised politicians would be involved. Think of the pressure that could be put on a weak government if the opposition felt that their new bill had to be passed before they would support renewing the law against tax evasion. The opposition wouldn't lose the support that they would if they tried it with laws against murder etc, but it would cripple the government.

  • Indeed, the economic benefits abound when a huge swath of illegal and annoying activity ceases

    Translated from corporatocracy-ese to english:

    "once we've quashed the disruptive technological utopia people created on the web, the economic opportunity to carve it up and sell it back to only those who can pay abounds!"

  • I always wondered how Downbelow could really happen in an enlightened, spacefaring society.

    See - http://en.wikipedia.org/wiki/Babylon_5_(space_station) [wikipedia.org]

    Substitute "IP slums" for "Downbelow" and "information-based" for "spacefaring."

    See - http://en.wikipedia.org/wiki/Geocities#Neighborhoods [wikipedia.org]

    • I think they explained that pretty well in the series, and even discussed the social conditions that lead to it.

      1) Lots of people on speculative journeys (think gold-rush mentality) that had a tough time and can't afford the return trip home.
      2) Refugees from war, political and religious persecution, etc.

      Throw in some compassion on the administration's part (eg, not just going to throw them out an airlock), but not full-fledged socialism, and voila, a slum.

      • I acknowledge the explanation - and truly appreciate your clarification of it.

        I've always seen slums as something that holds over from the past, and couldn't really understand how they got them in a new space station. It was a bias on my part.

        But seeing it occur in fairly new tech (per this article / thread), kinda opened the door for me to begin to accept how that worked.

  • How about you don't accept the IP addresses of the slums and ask your provider for clean ones?
  • Aside from calling the IP allocations formerly used by criminals "slums", this is actually a very important question. All of McColo's space is still in my edge routers as "drop". I only checked because of the connection with this story. Does it make sense to drop those blocks now? I'm not entirely sure, and since no one is complaining (as yet), why WOULD I remove them?

    Should we look to some authority to publish a list, something like the SpamHaus DROP list?
    Should we start looking to ICANN to more strongly e

  • My situation (Score:5, Interesting)

    by i_ate_god ( 899684 ) on Thursday November 12, 2009 @09:09PM (#30082574)

    When I set up my first postfix daemon, I failed. Took me days. One day, it seemed like it was working, but wasn't accepting username and password logins. I went to bed, didn't stop postfix.

    The next day I get an email from my colo asking why some of my IPs are being blacklisted. The colo apparently got notified that two of my IP addresses are spammers. I looked at my logs and sure enough, I stupidly let postfix run as an open smtp server and some guy started using it to send out spam.

    So I stopped that, but now what? Yahoo won't accept my emails. Craigslist won't accept my emails. Hotmail moves them into the junk folder. Yahoo had the best help.

    http://help.yahoo.com/l/us/yahoo/mail/postmaster/errors/;_ylt=ArX8PxnGVabUYKQmtOrSQN5vMiV4 [yahoo.com]

    So the error message I was getting from Yahoo was related to spamhaus. I stopped postfix, finally got it up and running properly with authentication, and sent an email to the SBL list guys ( http://www.spamhaus.org/sbl/delistingprocedure.html [spamhaus.org] ) and got delisted pretty quickly.

    Sending emails to Yahoo now worked fine. Other places were slower to realize that I was not a spammer, but all in all, it took about 6 months for the dust to settle, and a few more emails to various places to say "hey! I am not a spammer!".

    For a major business, this can be a problem, but these lists aren't private. When doing research on where to create your new home on the internet, checking to see if they are blacklisted anywhere first would be a prudent thing to do.
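
The pre-purchase check suggested in this comment and in the "Easy" comment above can be scripted; this is an added example, not code from either commenter. It builds standard DNSBL query names (reversed IPv4 octets or IPv6 nibbles prepended to the list's zone) and reports which addresses of an offered range are listed. The zone names and lookup data are constructed placeholders; substitute the zones of the lists you care about and call `check_range` without `resolve` to use real DNS.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")       # valid DNSBL answers
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")   # Spamhaus-style error codes


def dnsbl_query_name(ip, zone):
    """Build the DNS name a DNSBL expects for one address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))              # 192.0.2.3 -> 3.2.0.192
    else:
        labels = reversed(addr.exploded.replace(":", ""))    # one label per nibble
    return ".".join(labels) + "." + zone


def system_resolver(name):
    """A-record lookup; None means NXDOMAIN (or lookup failure), i.e. no listing seen."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_range(cidr, zones, resolve=system_resolver):
    """Return {address: [zones listing it]} for every host address in cidr."""
    listed = {}
    for addr in ipaddress.ip_network(cidr).hosts():
        for zone in zones:
            answer = resolve(dnsbl_query_name(str(addr), zone))
            if answer is None:
                continue
            code = ipaddress.ip_address(answer)
            if code not in LISTED_NET:
                continue    # wildcard or hijacked DNS, not a real DNSBL answer
            if code in ERROR_NET:
                continue    # the list refused the query; treat as "unknown"
            listed.setdefault(str(addr), []).append(zone)
    return listed


# Constructed lookup data standing in for real DNS, so the example runs offline.
FAKE_DNS = {
    "3.2.0.192.dnsbl.example": "127.0.0.2",         # genuinely listed
    "5.2.0.192.dnsbl.example": "127.255.255.254",   # error code, not a listing
    "4.2.0.192.other.example": "203.0.113.9",       # answer outside 127/8
}


def demo():
    return check_range("192.0.2.0/29", ["dnsbl.example", "other.example"],
                       resolve=FAKE_DNS.get)


if __name__ == "__main__":
    print(demo())
```

Ignoring answers outside 127.0.0.0/8 and error codes matters in practice: a resolver that rewrites NXDOMAIN, or a list that refuses your queries, would otherwise make every address in the range look listed.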

  • A heavily blocklisted network quickly becomes unattractive to legitimate businesses

    Is that like a blacklisted net? Can someone spam them an editor please?

    • Re: (Score:2, Insightful)

      by gujo-odori ( 473191 )

      Among antispam industry professionals (yes, I am one) the term blocklist appears to be slowly displacing blacklist as the term of choice.

  • Wait a few years. In five years or so, those addresses will have scrolled off blacklists. It's not a big deal.

  • by badger.foo ( 447981 ) <peter@bsdly.net> on Friday November 13, 2009 @03:02AM (#30084420) Homepage
    The problem here seems to be badly maintained blacklists. After seeing way too many false positives on various blacklists out there, the only lists I would use are ones that expire their entries in a matter of days or hours. The good ones that I use are uatraps [openbsd.org] (greytrapping generated, 24 hour expiry) and nixspam [heise.de] (IIRC max 4 days after last seen spam activity). Then of course I maintain my own greytrap list (see the traplist homepage [bsdly.net] and the traplist ethics page [bsdly.net] for details).

    The point is, you need to expire entries aggressively. Keeping entries around because somebody received a spam from somewhere in that general direction four years ago is just silly. And don't get me started on blacklisting domains. If there is one thing we know with almost total certainty, it is that spammers never use From: or Reply-to: addresses that have anything vaguely to do with the real senders.
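
Entry expiry as argued in this comment, and the "remove blocks that had no hits" review described by schon earlier in the thread, as an added example (not code from either commenter). Each blocked network carries a last-hit timestamp, matching refreshes it, and pruning drops anything quiet for longer than the TTL. The 90-day TTL and the networks are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta


class ExpiringBlocklist:
    """Network blocklist whose entries age out unless they keep getting hits."""

    def __init__(self, ttl):
        self.ttl = ttl        # how long an entry survives without a hit
        self.entries = {}     # ip_network -> time it was listed or last hit

    def add(self, cidr, now):
        net = ipaddress.ip_network(cidr, strict=False)
        self.entries[net] = now
        return net

    def match(self, ip, now):
        """Return the most specific live entry covering ip, or None.

        A match refreshes the entry: traffic from the block proves the
        listing is still earning its place.
        """
        addr = ipaddress.ip_address(ip)
        live = [net for net, seen in self.entries.items()
                if net.version == addr.version
                and addr in net
                and now - seen <= self.ttl]
        if not live:
            return None
        best = max(live, key=lambda net: net.prefixlen)
        self.entries[best] = now
        return best

    def prune(self, now):
        """Delete entries with no hit inside the TTL and return them."""
        stale = sorted((net for net, seen in self.entries.items()
                        if now - seen > self.ttl), key=str)
        for net in stale:
            del self.entries[net]
        return stale


def demo():
    """Two constructed blocks: one goes quiet (reassigned), one keeps sending."""
    t0 = datetime(2009, 1, 1)
    bl = ExpiringBlocklist(ttl=timedelta(days=90))
    bl.add("192.0.2.0/24", t0)       # no traffic after listing
    bl.add("198.51.100.0/24", t0)    # still abusive on day 60
    hit = bl.match("198.51.100.7", t0 + timedelta(days=60))
    removed = bl.prune(t0 + timedelta(days=100))
    remaining = sorted(str(net) for net in bl.entries)
    return str(hit), [str(net) for net in removed], remaining


if __name__ == "__main__":
    print(demo())
```

Hit counting only works where the list can still observe attempts, so count matches at the point of rejection or firewall logging; a range that is null-routed without logging never records hits and would expire even while still abusive.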
