Today’s report is about Linode, but of course this could be about many different providers, and is a reason why the ability to block emails based on the PTR records is important, and it is best when it can be done in the SMTP layer BEFORE you waste the overhead on processing it. Real email operators will (or are supposed to according to Best Practices) change the rDNS to reflect their company, eg mail.companyname.com, however hackers and script kiddies who load bulk email programs and hacks onto vulnerable servers usually can’t modify the rDNS itself, without triggering alerts, or breaking things, and usually the ability to change rDNS is locked down to the system administrator, or their upstream provider.
it could be addresses such as *.static.upstream.com, or it could be generic patterns like the recent outbreaks at SoftLayer, eg.
But in todays case it was the Linode network that was especially active.
18.104.22.168 8 li1099-153.members.linode.com
22.214.171.124 20 li1167-23.members.linode.com
126.96.36.199 7 li1168-114.members.linode.com
188.8.131.52 35 li1170-113.members.linode.com
184.108.40.206 8 li1187-171.members.linode.com
220.127.116.11 6 li1207-89.members.linode.com
18.104.22.168 21 li1227-228.members.linode.com
22.214.171.124 7 li1235-226.members.linode.com
126.96.36.199 8 li1253-47.members.linode.com
188.8.131.52 1 li1280-254.members.linode.com
184.108.40.206 39 li1427-62.members.linode.com
220.127.116.11 31 li819-6.members.linode.com
18.104.22.168 37 li868-15.members.linode.com
22.214.171.124 1 li870-190.members.linode.com
126.96.36.199 1 li1416-101.members.linode.com
188.8.131.52 36 li1423-90.members.linode.com
184.108.40.206 1 li1426-120.members.linode.com
220.127.116.11 35 li585-233.members.linode.com
18.104.22.168 1 li195-130.members.linode.com
The second number is the number of ISP’s that reported the problem.
This might be a PTR pattern that you want to treat as suspect, or choose to block on your email servers. Real email operators on the Linode network will of course have proper rDNS records, and shouldn’t be affected.