An interesting experience with IP-based SMTP blocks
As I've mentioned before, I still run a mailer on my office workstation. Since it gets almost no real email any more, I've become more and more aggressive about using kernel-level IP-based blocks on my SMTP port and applying them to relatively large network areas when other bits of my anti-spam heuristics detect something they don't like from an IP address in the area (this follows a familiar pattern). I also reboot my workstation relatively frequently (Fedora releases a lot of kernel updates), and when I do this all of the current blocks are re-established from scratch. This gives me an interesting way to assess how active various sources are: I can simply look at who bubbles up to the top of the packets-blocked counts.
Before I started paying attention to this recently, I expected the result to be roughly correlated with the size of the network area I was blocking. This may be generally true, but there are some sources that stand out as unusually active. In particular one source has been on top of my most packets dropped lists for quite a while now, and with remarkable consistency; I can reboot my machine and they show up to bang on the door again almost immediately.
(This is not a good sign for various reasons.)
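The "who bubbles up to the top" check described above, as an added example that is not from the post or its author: it assumes the blocks are iptables DROP rules on the SMTP port and parses constructed `iptables -nvxL INPUT` counter output, and it goes one step beyond the post by also dividing each block's count by its number of addresses, so that a large netblock is not ranked highly merely because of its size.

```python
import ipaddress
import re

# Constructed sample of `iptables -nvxL INPUT` output (not taken from the post);
# the netblocks are documentation ranges, not real senders.
SAMPLE_COUNTERS = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    4821   289260 DROP       tcp  --  *      *       198.51.100.0/24      0.0.0.0/0            tcp dpt:25
     600    36000 DROP       tcp  --  *      *       203.0.113.200        0.0.0.0/0            tcp dpt:25
     910    54600 DROP       tcp  --  *      *       192.0.2.0/24         0.0.0.0/0            tcp dpt:25
     500    30000 DROP       tcp  --  *      *       192.0.2.0/24         0.0.0.0/0            tcp dpt:587
      37     2220 DROP       tcp  --  *      *       203.0.113.64/26      0.0.0.0/0            tcp dpt:25
"""

# Columns: pkts bytes target prot opt in out source destination [match text].
# The protocol column is matched loosely because newer iptables prints "6" instead of "tcp".
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+DROP\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+\S+\s+tcp dpt:(\d+)"
)


def rank_smtp_blocks(counter_text, port=25):
    """Aggregate dropped-packet counts per blocked source for one TCP port.

    Returns (network, packets, packets_per_address) tuples, busiest block first.
    packets_per_address is the size-normalised figure: a /24 with 4821 drops is
    far less dense per address than a single host with 600.
    """
    totals = {}
    for line in counter_text.splitlines():
        m = RULE_RE.match(line)
        if not m or int(m.group(4)) != port:
            continue
        pkts, src = int(m.group(1)), m.group(3)
        net = ipaddress.ip_network(src, strict=False)  # a bare host becomes a /32
        totals[net] = totals.get(net, 0) + pkts
    ranked = [(str(n), p, p / n.num_addresses) for n, p in totals.items()]
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


if __name__ == "__main__":
    for net, pkts, per_addr in rank_smtp_blocks(SAMPLE_COUNTERS):
        print(f"{net:20} {pkts:8d} pkts  {per_addr:10.3f} pkts/address")
```

Run it after a reboot has zeroed the counters and the ordering by raw packets reproduces the post's "top of the list" view; the last column flags small blocks or single hosts that are disproportionately persistent.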
So today I would like to give, well, something to 18.104.22.168/20, a netblock assigned to one 'Emailvision'. According to their website, they are an 'Email & Social Marketing' firm; I have not looked for details, because there is a limit to how much I am willing to read from the website of anyone who calls themselves that. This is especially the case when the entire reason I know about them is that I have received unsolicited email from their address range.
On somewhat further investigation, it looks as if they are some sort of mailing list management firm that people use to send out bulk email of all sorts. Bulk email being bulk email, they attract spammers. Service providers being service providers, not taking these people's money (or noticing when they clearly have dirty lists) is unprofitable.
And so they remain the top source of rejected packets sent to my machine's SMTP port, as they have been for some time. I don't expect this to change any time soon.
(They do seem to send a certain amount of email to our regular mail system, from a variety of origin domains. On a casual inspection, our spam filtering system doesn't seem to consider it spam, which is what I would sort of expect in this situation.)