Open relay spam is nowhere near as popular as it once was. We don’t currently block open relays on our main customer mail machines, but it’s mostly
We do try our best to block open HTTP proxies and trojanned Windows machines; this is a somewhat difficult task for many reasons:
Spammers like to rotate proxies, meaning that some end up staying “under the radar”, so to speak.
In cases where compromised Windows boxes are being used, the spammers usually have fresh ones available.
There are a LOT of these machines. Maintaining an accurate list of them is very difficult. Also, detecting this sort of activity often requires invasive port scanning and other intrusive testing, which many organizations and ISPs don’t like. In general, most proxy lists tend to only scan hosts which have connected to a mail server affiliated with the blocklist maintainer in some way - this way they can say “you sent us mail; so we have the right to scan you for security holes”.
Blocking dynamically assigned IP space would probably help, but isn’t really an option for us at this time (too much risk of blocking legitimate mail).
We do use a few DNS blocklists that attempt to block this sort of abuse - cbl.abuseat.org (which is very effective), proxies.blackholes.easynet.nl (which is, unfortunately, stopping operation at the beginning of December). It’s going to be difficult to find a good replacement.
I know it’s hard to believe (considering how much makes it through), but I’d guess we actually do block approximately 35-45% of incoming mail due to UBE restrictions, and that’s with very conservative blocks in place.
If someone reminds me, I’ll try to post a graph of incoming mail volume vs. rejected mail this week (unfortunately, our graphs don’t show which rejections are due to unknown user errors and other stuff like that, and which ones are due to UBE controls).
Oh yeah - and happy Thanksgiving, folks. I’d better get cooking soon.
I’m not sure whether most people are familiar with open proxies, or with the recent rash of viruses that create proxies designed specifically for spammers to use, so here are some of the reasons open proxies are bad and why we try to block them:
1. Unsecured (“open”) HTTP CONNECT proxies are misconfigured web proxies (squid, socks, etc.) which can be used to open an arbitrary TCP connection (including an SMTP connection) to an outside host - without the source IP address being disclosed. Even with open relay spam, you can see the original point of origin, assuming it’s not open proxy -> open relay spam. So these proxies open up all sorts of problems (not just spam related), since people can use proxies to make an anonymous connection from anywhere to anywhere. Since most proxy operators are unaware that they’re operating an unsecured proxy, it’s rare to find logs of proxy abusers’ actual IPs (although some people have done some interesting “honeypot” work in this area).
2. Sort of related to #1 - proxies allow spammers to insert forged headers, causing misdirected complaints, fooling spam tracking and / or identification services, and confusing recipients.
For example, I got a complaint about the following message yesterday:
Received: from source ([188.8.131.52]) by exprod5mx95.postini.com ([184.108.40.206]) with SMTP;
Wed, 26 Nov 2003 13:09:08 PST
Received: from [220.127.116.11] by pcp699323pcs.hyatsv01.md.comcast.net id <5321649-56884>; Thu, 27
Nov 2003 01:02:44 +0400
Now 18.104.22.168 is one of our IPs (one which isn’t currently assigned to anything). This received line is completely forged, though. The actual origin is the 22.214.171.124 IP.
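As an added illustration (not code from the original post) of how a receiving mail admin can separate the Received hops their own servers stamped from the unverifiable lines below them, here is a small Python script. The host names, the 192.0.2.0/24 and 203.0.113.0/24 addresses and the sample message are constructed stand-ins for the values in the complaint above.

```python
import ipaddress
import re
from email import message_from_string

# Matches the "from <host> ... [<ip>] ... by <host>" shape of a Received: header,
# including folded (multi-line) values.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>[^\s\[]*).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?\bby\s+(?P<by>[^\s(;]+)",
    re.IGNORECASE | re.DOTALL,
)

def parse_received(value):
    """Return (from_host, from_ip, by_host) or None if the header is unparseable."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return m.group("host"), m.group("ip"), m.group("by").lower()

def trace_origin(raw_message, trusted_hosts, our_nets):
    """Walk Received: headers top-down (newest hop first). Only hops stamped
    'by' a host we operate are believed; the 'from' IP of the last trusted hop
    is the real origin. Every hop below that is unverifiable, and is flagged
    if it claims one of our own addresses, as the forged line in the post did."""
    trusted = {h.lower() for h in trusted_hosts}
    nets = [ipaddress.ip_network(n) for n in our_nets]
    origin, forged, chain_intact = None, [], True
    for value in message_from_string(raw_message).get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            chain_intact = False  # cannot verify this hop, so nothing below it either
            continue
        _host, ip, by = parsed
        if chain_intact and by in trusted:
            origin = ip  # stamped by us: the peer address our server actually saw
        else:
            chain_intact = False
            try:
                if any(ipaddress.ip_address(ip) in n for n in nets):
                    forged.append(ip)  # unverifiable hop claiming our address space
            except ValueError:
                pass  # not a valid address at all; still untrusted
    return {"origin": origin, "forged_claims": forged}

# Constructed sample: our MX (mx1.example.net) received the message from an open
# proxy at 203.0.113.77; the second Received line was inserted by the sender and
# falsely claims the mail came from 192.0.2.200, an address in our own netblock.
SAMPLE = """\
Received: from source ([203.0.113.77]) by mx1.example.net ([192.0.2.10]) with SMTP;
    Wed, 26 Nov 2003 13:09:08 PST
Received: from [192.0.2.200] by relay.isp.example id <5321649-56884>; Thu, 27
    Nov 2003 01:02:44 +0400
From: someone@example.org
Subject: constructed sample

body
"""
```

Running `trace_origin(SAMPLE, ["mx1.example.net"], ["192.0.2.0/24"])` reports the proxy address as the origin and lists the forged claim, which is the hop a complaint should not be directed at.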
For more information on proxy abuse, check out: