Almost 100 percent of the spam that gets past SpamAssassin lately is hosted on an Eonix server. I’ve taken to temp-blocking the entire Class Cs in CSF, which of course works. I wonder how many legit senders I’m blocking in the process, but I’m starting to suspect none.
I only do this on the server hosting my own personally-owned sites, by the way; and I have my known senders whitelisted.
Typically the spam will come in bursts from IPs in the same Class C, sometimes sequentially numbered. Temp-blocking the Class C from the mail ports surely works, but of course I don’t want to block legit senders. I’m just starting to wonder whether Eonix hosts any.
Today’s another one of those days. Spam being sent from sequential Eonix IP addresses in 220.127.116.11/24. I temp-blocked the whole Class C from ports 25, 465, 587, and 2525 for 30 days this time. It’s not the first offense for this range.
I have CSF doing everything fail2ban would do, which isn’t much when it comes to spam. And SpamAssassin with a few custom tweaks does catch well over 95 percent of it. So it’s not like the end of the world.
I’m noticing that most of the spam comes from only a few Class Cs, however. I guess they have dedicated ranges for spammers.
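
The pattern described in these posts (bursts from several addresses in one /24, sometimes sequentially numbered, with known senders whitelisted) can be checked before a range is blocked. The following is an added example, not part of the original posts: it groups spam source IPs by /24 and reports how many distinct senders each range has, the longest sequential run, and whether a whitelisted sender sits inside the range. The function names, the threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def longest_run(hosts):
    """Length of the longest run of consecutively numbered addresses."""
    best = run = 0
    prev = None
    for h in sorted(hosts):
        run = run + 1 if prev is not None and h == prev + 1 else 1
        best = max(best, run)
        prev = h
    return best

def candidate_ranges(spam_ips, whitelist=(), min_hosts=3):
    """Group IPv4 spam sources by /24; report ranges with >= min_hosts distinct senders."""
    by_net = defaultdict(set)
    for ip in spam_ips:
        addr = ipaddress.IPv4Address(ip)  # assumption: IPv4 only, as in the posts
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        by_net[net].add(int(addr))
    allowed = [ipaddress.IPv4Address(w) for w in whitelist]
    report = []
    for net, hosts in by_net.items():
        if len(hosts) < min_hosts:
            continue  # a single noisy host does not justify a range-wide block
        report.append({
            "range": str(net),
            "distinct_senders": len(hosts),
            "longest_sequential_run": longest_run(hosts),
            # Known-good senders inside the range: review before blocking.
            "whitelisted_inside": [str(w) for w in allowed if w in net],
        })
    return sorted(report, key=lambda r: -r["distinct_senders"])

# Constructed sample: source IPs of messages already judged to be spam,
# using RFC 5737 documentation ranges rather than real addresses.
SAMPLE_SPAM_IPS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.40",
    "198.51.100.7", "198.51.100.7",
    "203.0.113.5", "203.0.113.6", "203.0.113.90",
]
SAMPLE_WHITELIST = ["203.0.113.20"]  # constructed known-sender address

if __name__ == "__main__":
    for row in candidate_ranges(SAMPLE_SPAM_IPS, SAMPLE_WHITELIST):
        print(row)
```

A range that reports a non-empty `whitelisted_inside` list is one where a range-wide block would need the whitelist entry to take precedence.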