There are two main organizations that I know must be dishing out thousands or millions of spam messages a day to the school community. I have been watching the constant spam spewing from a few sources over the last couple of years and I have finally started to look at some patterns to alleviate at least some of the junk our teachers are getting specifically from these junk engines. The two organizations I see as massive senders of edu-junk are Mindstreams / Lifetime Learning and Edupartners. I am sure there are many others out there you might be dealing with, but these two sources are prolific in the volume they spew daily.
Both Mindstreams / Lifetime Learning and Edupartners do put unsubscribe links on their junk, but the way they acquire the addresses would mean every single member of your faculty and staff would need to individually unsubscribe. This is not something any of us want to deal with, so if you can, it is worth just getting some simple rules in at the server side to inhibit this as much as possible. They seem to be immune to RBLs for some reason, so you will have to go it alone.
Here are some examples of the kind of junk they have servers pump to the school community.
Except they pump thousands of these out and insert teacher names from the database, etc. This is no different from what other spammers out there do daily, but the difference here is a real volume increase and a targeted audience of people that work in schools. They use multiple servers, outside spam vendors and tools like Silverpop Engage and probably a lot of other tools we don’t even know about. I finally had to do something on this.
If you want to inhibit this as well, here are a few items that have worked.
Block all of the routable IPs that Lifetime Learning / Mindstreams owns.
They have servers across their Class C ranges that do nothing but send and send. I have currently seen and blocked a couple of their ranges from even being able to send email to our networks. Here are the ranges I have seen and blocked outright because I have seen in the logs spam attacks across the entire ranges.
Just block it from even connecting to your network at all or at least at port 25 for SMTP. They are not (yet) doing SSL on port 465.
Here is a log showing a quick round from the second Class C trying to send to us.
Anything from 184.108.40.206 is bad news.
This is a Silverpop-owned IP address. The whole block can probably be blocked, but I have consistently seen 220.127.116.11 do nothing but spam.
Here is their WHOIS lookup (as of 11/04/11):
# “n 18.104.22.168”
NetRange: 22.214.171.124 – 126.96.36.199
NetType: Direct Assignment
OrgName: Silverpop Systems Inc.
Address: 200 Galleria Pkwy
Address: Ste 750
OrgTechName: Network Operations
OrgAbuseName: Abuse Handler
OrgNOCName: Network Operations
RTechName: Network Operations
RAbuseName: Abuse Handler
RNOCName: Network Operations
Set up rules on your email server
(Provided you still run your own email, now that most schools seem to be going the Google Apps route while it is currently no charge.) I have a few rules that pick off the current batches of junk from the Edu-Junk companies.
1. Anything received or sent from, or containing a text string matching, mkt5354.com
2. Anything received or sent from, or containing a text string matching, edupartners.com
3. Anything with a "Received: from" text string that has PowerMTA in it. This is a junk email sender they (and many others) use constantly.
4. Block 188.8.131.52 outright as well. Crazy how much spam that IP is trying to send on behalf of edupartners.com.
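The four rules above, expressed as one header check, as an added example that is not the author's server configuration. It matches the domains on a DNS label boundary, which is stricter than a plain substring match. The 192.0.2.0/24 range, the function name `matched_rules` and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Domains and the single IP are the ones named in the rules above; 192.0.2.0/24
# is a placeholder for the sender ranges, which the post does not list.
BLOCKED_DOMAINS = ("mkt5354.com", "edupartners.com")
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("188.8.131.52/32", "192.0.2.0/24")]

# Match on a DNS label boundary: "mail.edupartners.com" hits, but
# "notedupartners.com" and "edupartners.com.example" do not.
DOMAIN_RE = re.compile(
    r"(?<![a-z0-9-])(?:" + "|".join(map(re.escape, BLOCKED_DOMAINS))
    + r")(?![a-z0-9-]|\.[a-z0-9])", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def matched_rules(raw_message):
    """Return the sorted list of rule names a raw RFC 5322 message trips."""
    hits = {"domain:" + m.group(0).lower() for m in DOMAIN_RE.finditer(raw_message)}
    for received in message_from_string(raw_message).get_all("Received", []):
        if "powermta" in received.lower():
            hits.add("powermta")
        for text in IPV4_RE.findall(received):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:  # e.g. "999.1.1.1" is not an address
                continue
            if any(addr in net for net in BLOCKED_NETS):
                hits.add("ip:" + text)
    return sorted(hits)


# Constructed sample messages, not taken from real mail logs.
SPAM = (
    "Received: from mta12.mkt5354.com (mta12.mkt5354.com [192.0.2.45])\n"
    "\tby mx.school.example with ESMTP; Fri, 04 Nov 2011 09:00:00 -0500\n"
    "Received: by mta12.mkt5354.com (PowerMTA(TM) v3.5) id abc123\n"
    "From: Offers <news@mail.edupartners.com>\n"
    "Subject: constructed sample\n\nHello\n")
CLEAN = (
    "Received: from mail.notedupartners.com (mail.notedupartners.com [198.51.100.7])\n"
    "\tby mx.school.example with ESMTP; Fri, 04 Nov 2011 09:05:00 -0500\n"
    "From: Parent <parent@notedupartners.com>\n"
    "Subject: constructed sample\n\nField trip form attached.\n")

if __name__ == "__main__":
    print(matched_rules(SPAM))
    print(matched_rules(CLEAN))
```

Returning rule names rather than a single verdict lets a server reject on the IP and domain hits while only scoring the PowerMTA hit, since many other senders use that MTA too.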
I will continue to update as I can when new patterns emerge. Hope this helps.