Many, many spamming IP addresses are hijacked hosts that are cleaned up eventually.
My mail servers' IPs have been hijacked for spamming many times, probably 3 or 4 times a month,
but as far as I know they are generally cleaned up within a few hours, and usually the volume is restricted by message rate controls.
The biggest problem is that we have no idea when it is happening or, if there are complaints, which messages are actually true spam
and which messages are just "legitimate marketing" that looks spammy.
Also, the RBLs have destroyed mutual cooperation between operators against spam. We all just have our blacklists, and then we start
having equally huge whitelists that represent the hundreds of thousands of legitimate mail transactions that blacklists have incorrectly interfered with.
Nobody really sends detailed abuse complaints anymore or provides any data that could be meaningfully used for reliable spam content identification without false positives. They just put IP addresses straight onto a blacklist.
Heck, the abuse@ contact address and the IP address space WHOIS abuse contacts get no messages at all from humans for the most part, except (ironically) marketing attempts, DMCA letters, and DoS amplification reports.
So the "eventually" part is because no one's even bothering to lend a hand against the spammers.
Perhaps everyone is just overwhelmed and desensitized.
You'll just wake up to find that some sneaky spammer has been abusing your mail server since 4am and that your IP now has a bad reputation on a bunch of blocklists, with not a single actionable abuse complaint. Most RBLs will tell you that "their spam traps are secret" and that you need to wait 3 days before requesting removal, so they won't even reveal what the spam message looked like, or enough information to identify the abuser on a multi-tenant mail server.
Then there are 'fascist' blacklists that decide they want to blackmail you and force you to pay a fee for removal.
In a number of cases, we have referred those guys to our lawyers, to see if we can do anything about them.
Hopefully, law enforcement will eventually lay criminal charges against paid-removal blacklists for racketeering.
Then there are reputation services such as Cisco's, which has no remediation or contact to resolve the listings at all, and which is highly secretive about how it even works.
Then there are RBLs that insist on blacklisting you for 48 hours, or 5 days, because some spammer managed to go to town for a few hours one night.
Most often it is some customer mailbox whose password has been guessed by spammers, who then proceed to abuse the account.
Or a mailbox on a customer mail server relaying off of ours.
It is not so easy to tell when it has happened, because there are plenty of customers running legitimate "newsletters" from their mailboxes.
We limit each customer to an average rate of 1200 messages per day for some domains, and 250 messages per day for others,
but "legitimate" bulk mailers using their normal account to e-mail blast frequently hit the limits and complain about it.
Meanwhile, there are relentless spammers who sometimes send a trickle of messages just below the limits.
Then there are spammers who use the IP addresses of non-mail servers such as workstations, by co-opting random systems and running random malware that pretends to be an SMTP server, or by installing a local SMTP server and relaying off of it.
The latter are frequently short-lived attacks. By the time anything is in an RBL, the spammer has probably already moved on to the next batch of IP addresses to disrupt.
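Added example, not part of the post above and not the poster's own tooling: a small Python script that does the per-mailbox daily accounting the post describes and flags the two patterns it mentions as hard to separate by the cap alone, an account that reaches its daily cap (where, per the post, legitimate bulk senders often land) and an account that sits just under the cap day after day, sending in the small hours. The log line format (`<ISO-8601 timestamp> sasl_username=<mailbox> to=<recipient>`), the mailbox names, the domains and the 85%/two-day/night-share thresholds are assumptions made for this example; only the 1200 and 250 messages-per-day figures come from the post. The sample log is constructed inline, so the script runs offline.

```python
"""Per-mailbox outbound accounting for a multi-tenant mail server.

Added example, not the poster's code. The log line format, mailbox names,
domains and thresholds are assumptions; only the 1200 and 250 messages-per-day
caps come from the post.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Daily caps per customer domain, as the post describes. Domain names are assumed.
DAILY_LIMITS = {"bulk.example": 1200}
DEFAULT_DAILY_LIMIT = 250


def parse_line(line):
    """Parse one log line of the assumed form
    '<ISO-8601 timestamp> sasl_username=<mailbox> to=<recipient>'.
    Returns (datetime, mailbox), or None for a line that does not fit."""
    fields = line.split()
    if len(fields) < 3 or not fields[1].startswith("sasl_username="):
        return None
    try:
        ts = datetime.fromisoformat(fields[0])
    except ValueError:
        return None
    return ts, fields[1].split("=", 1)[1]


def limit_for(mailbox):
    """Daily cap for a mailbox, chosen by its domain."""
    domain = mailbox.rsplit("@", 1)[-1]
    return DAILY_LIMITS.get(domain, DEFAULT_DAILY_LIMIT)


def review_candidates(lines, near_fraction=0.85, min_days=2, night_share=0.5):
    """Return {mailbox: [reasons]} for mailboxes a human should look at.

    over_limit            reached its cap on at least one day (the post notes
                          that legitimate bulk senders often end up here)
    near_limit_sustained  at or above near_fraction of the cap, but never at
                          it, on min_days or more days: the trickle pattern
    off_hours             more than night_share of one day's messages sent
                          between 00:00 and 05:59
    """
    per_day = defaultdict(Counter)   # mailbox -> {date: messages}
    at_night = defaultdict(Counter)  # mailbox -> {date: messages sent before 06:00}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not counted
        ts, mailbox = parsed
        per_day[mailbox][ts.date()] += 1
        if ts.hour < 6:
            at_night[mailbox][ts.date()] += 1

    findings = {}
    for mailbox, days in per_day.items():
        cap = limit_for(mailbox)
        reasons = []
        if any(n >= cap for n in days.values()):
            reasons.append("over_limit")
        near_days = sum(1 for n in days.values() if near_fraction * cap <= n < cap)
        if near_days >= min_days:
            reasons.append("near_limit_sustained")
        if any(at_night[mailbox][d] / n > night_share for d, n in days.items()):
            reasons.append("off_hours")
        if reasons:
            findings[mailbox] = reasons
    return findings


def constructed_log():
    """Synthetic log lines built for this example (not real traffic):
    newsletter@bulk.example sends 1200 messages one afternoon and hits its cap;
    alice@example.net sends 230 a day for three days, all around 04:00, which
    stays under the 250 cap; bob@example.net sends 20 a day in office hours."""
    lines = []

    def send(mailbox, start, count):
        for i in range(count):
            ts = start + timedelta(seconds=3 * i)
            lines.append(f"{ts.isoformat()} sasl_username={mailbox} to=r{i}@example.com")

    send("newsletter@bulk.example", datetime(2024, 5, 1, 14), 1200)
    for day in (1, 2, 3):
        send("alice@example.net", datetime(2024, 5, day, 4), 230)
        send("bob@example.net", datetime(2024, 5, day, 10), 20)
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for mailbox, reasons in sorted(review_candidates(constructed_log()).items()):
        print(mailbox, ", ".join(reasons))
```

On the constructed log, the newsletter account is reported only as `over_limit`, the 230-a-day account as `near_limit_sustained` and `off_hours`, and the 20-a-day account is not reported. The script does not decide what is spam; it only produces a short list of mailboxes worth a human look, which is the information the post says the blocklists never supply.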